Bug 30412 - cairo new security issue CVE-2017-9814
Summary: cairo new security issue CVE-2017-9814
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-05-11 20:08 CEST by David Walser
Modified: 2022-05-15 12:08 CEST
CC List: 5 users

See Also:
Source RPM: cairo-1.16.0-6.1.mga8.src.rpm
CVE: CVE-2017-9814
Status comment:



Description David Walser 2022-05-11 20:08:47 CEST
Ubuntu has issued an advisory on May 10:
https://ubuntu.com/security/notices/USN-5407-1

The issue is fixed upstream in 1.17.6.

Mageia 8 is also affected.
David Walser 2022-05-11 20:09:01 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.17.6

Comment 1 Lewis Smith 2022-05-11 21:33:28 CEST
This is maintained by different people, so assigning the update globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-05-12 09:40:29 CEST
Hi,

In fact, that CVE was already fixed in version 1.16.0.  See: bug 26981, comment 3.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 3 David Walser 2022-05-13 05:01:57 CEST
No, that's not true.  See here:
https://ubuntu.com/security/CVE-2017-9814
https://gitlab.freedesktop.org/cairo/cairo/-/issues/264

The issue wasn't fully fixed until the middle of last year.  1.16.0 was much longer ago.
Comment 4 Nicolas Salguero 2022-05-13 09:42:24 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) because of mishandling of an unexpected malloc(0) call. (CVE-2017-9814)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9814
https://ubuntu.com/security/notices/USN-5407-1
========================

Updated packages in core/updates_testing:
========================
lib(64)cairo2-1.16.0-6.2.mga8
lib(64)cairo-devel-1.16.0-6.2.mga8
lib(64)cairo-static-devel-1.16.0-6.2.mga8

from SRPM:
cairo-1.16.0-6.2.mga8.src.rpm

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.17.6 => (none)
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2017-9814
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
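The advisory text above describes the defect class only in one sentence: a subsetter that derives a table size from font data and ends up calling malloc(0), after which any access to the "table" is an out-of-bounds read. The following is an added illustration of the defensive pattern, not cairo's code and not the upstream fix; the header layout (a 16-bit big-endian glyph count at offset 0), the function names and the constructed font fragments are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, added example: one allocation step of a TrueType-style
   glyph subsetter. It is NOT cairo's code; names and layout are assumed. */

enum {
    SUBSET_OK = 0,
    SUBSET_ERR_TRUNCATED = 1,  /* header too short to hold a glyph count */
    SUBSET_ERR_EMPTY = 2,      /* zero glyphs: would have been malloc(0) */
    SUBSET_ERR_OVERFLOW = 3,   /* count * element size does not fit size_t */
    SUBSET_ERR_NOMEM = 4
};

/* Hardened allocation: a zero-length table is rejected up front instead of
   being passed to malloc(0), whose return value (NULL or a unique pointer
   that must not be dereferenced) is what the advisory calls "unexpected". */
int subset_alloc_glyph_table(size_t num_glyphs, uint16_t **out)
{
    *out = NULL;
    if (num_glyphs == 0)
        return SUBSET_ERR_EMPTY;
    if (num_glyphs > SIZE_MAX / sizeof(uint16_t))
        return SUBSET_ERR_OVERFLOW;      /* guard the size multiplication */
    uint16_t *table = malloc(num_glyphs * sizeof(uint16_t));
    if (table == NULL)
        return SUBSET_ERR_NOMEM;
    memset(table, 0, num_glyphs * sizeof(uint16_t));
    *out = table;
    return SUBSET_OK;
}

/* Reads the (assumed) 16-bit big-endian glyph count from a font fragment.
   Returns 0 on success and fills *count; a short buffer is an error, never a
   silently-zero count. */
int read_glyph_count(const unsigned char *hdr, size_t hdr_len, size_t *count)
{
    if (hdr_len < 2)
        return SUBSET_ERR_TRUNCATED;
    *count = ((size_t)hdr[0] << 8) | hdr[1];
    return SUBSET_OK;
}

/* Full step: parse the count, allocate, use, free. Every failure path
   returns a status code rather than touching a possibly-invalid pointer. */
int process_font_fragment(const unsigned char *buf, size_t len)
{
    size_t num_glyphs = 0;
    int rc = read_glyph_count(buf, len, &num_glyphs);
    if (rc != SUBSET_OK)
        return rc;

    uint16_t *table = NULL;
    rc = subset_alloc_glyph_table(num_glyphs, &table);
    if (rc != SUBSET_OK)
        return rc;

    /* Safe to index: the table has exactly num_glyphs >= 1 elements. */
    table[0] = 1;                 /* e.g. glyph 0 (.notdef) is always kept */
    free(table);
    return SUBSET_OK;
}

/* Constructed sample inputs for the example (not real font files). */
static const unsigned char kEmptyFont[] = { 0x00, 0x00 };   /* 0 glyphs */
static const unsigned char kSmallFont[] = { 0x00, 0x03 };   /* 3 glyphs */
static const unsigned char kShortFont[] = { 0x00 };         /* 1 byte   */

int main(void)
{
    printf("empty: %d\n", process_font_fragment(kEmptyFont, sizeof kEmptyFont));
    printf("small: %d\n", process_font_fragment(kSmallFont, sizeof kSmallFont));
    printf("short: %d\n", process_font_fragment(kShortFont, sizeof kShortFont));
    return 0;
}
```

The point of the design is that the zero case is an explicit error code instead of a successful allocation of nothing: callers cannot reach the indexing line with a malloc(0) pointer, and a truncated header is distinguished from a genuinely empty font rather than collapsing into a zero count.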

Comment 5 Len Lawrence 2022-05-13 19:16:51 CEST
mga8, x64

$ rpm -q lib64cairo2
lib64cairo2-1.16.0-6.1.mga8

PoC at https://bugs.freedesktop.org/show_bug.cgi?id=101547, but noting comments 2 and 3, no expectation of trouble.  And there is not.
$ hb-view 1.ttf "Sixteen tons and whadyaget?"
$
$ strace -o atril.trace atril PoC.pdf
<displays a page containing a meaningful string>
$ grep cairo atril.trace
openat(AT_FDCWD, "/lib64/libcairo.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libpangocairo-1.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libcairo-gobject.so.2", O_RDONLY|O_CLOEXEC) = 3

After updating:

$ atril AN_2022_January.pdf
Oops, secure memory pool already initialized
! SyncTeX Error : No file?
Oops, secure memory pool already initialized
<Browsed pages OK - images displayed fine>
The "Oops" messages seem to be standard here.
However, the command line reported a bug:
*** BUG ***
In pixman_region32_init_rect: Invalid rectangle passed
Set a breakpoint on '_pixman_log_error' to debug

$ atril BashPocketReference.pdf
<Oops messages>
Clean exit, which implies that the data may have been at fault in the first case.

The main library is used by at least 478 applications (excluding libraries).
No regressions apparent so this can go out.

CC: (none) => tarazed25

Len Lawrence 2022-05-13 19:20:21 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 6 David Walser 2022-05-13 19:39:58 CEST
(In reply to Len Lawrence from comment #5)
> $ hb-view 1.ttf "Sixteen tons and whadyaget?"

Another day older and deeper in debt :D
Comment 7 Thomas Andrews 2022-05-14 04:46:28 CEST
I owe my soul to the Company Sto'...

Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm

Thomas Andrews 2022-05-14 04:46:55 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-05-15 00:45:32 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2022-05-15 12:08:12 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0186.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

