From: Peter Korsgaard <peter@korsgaard.com>
To: Quentin Schulz <foss+buildroot@0leil.net>
Cc: Quentin Schulz <quentin.schulz@theobroma-systems.com>,
Fabrice Fontaine <fontaine.fabrice@gmail.com>,
buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 0/2] package/cairo: fix multiple CVEs
Date: Wed, 14 Dec 2022 20:01:44 +0100 [thread overview]
Message-ID: <87pmclu7vr.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20221213-cairo-cves-v1-0-b802b492d112@theobroma-systems.com> (Quentin Schulz's message of "Wed, 14 Dec 2022 12:16:00 +0100")
>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:
> This fixes CVE-2019-6462 with an upstream patch and CVE-2020-35492 with a patch
> slightly modified compared to upstream (namely removing tests since it includes
> a png file which `patch` does not know how to handle when applying the patch).
Thanks!
> There's still one CVE in the wild: CVE-2019-6461 but there's no patch for it yet
> (not even an attempt),
> c.f. https://gitlab.freedesktop.org/cairo/cairo/-/issues/352.
> Yocto does have a patch for it though:
> https://cgit.openembedded.org/openembedded-core/tree/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch?id=a89bea9fed0005bc7d820a1fc6a9d6dd7c246c22
> (don't mind the wrong CVE name, I'll send a patch fixing it soon).
> But I'm not entirely convinced it's a proper fix? So i'll leave it up for
> discussion.
That indeed looks kind of fishy to me, but I don't really know much
about cairo. Anyone?
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
prev parent reply other threads:[~2022-12-14 19:01 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-14 11:16 [Buildroot] [PATCH 0/2] package/cairo: fix multiple CVEs Quentin Schulz
2022-12-14 11:16 ` [Buildroot] [PATCH 1/2] package/cairo: fix CVE-2019-6462 Quentin Schulz
2022-12-14 19:03 ` Peter Korsgaard
2022-12-21 17:57 ` Peter Korsgaard
2022-12-14 11:16 ` [Buildroot] [PATCH 2/2] package/cairo: fix CVE-2020-35492 Quentin Schulz
2022-12-14 19:03 ` Peter Korsgaard
2022-12-21 17:57 ` Peter Korsgaard
2022-12-14 19:01 ` Peter Korsgaard [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pmclu7vr.fsf@dell.be.48ers.dk \
--to=peter@korsgaard.com \
--cc=buildroot@buildroot.org \
--cc=fontaine.fabrice@gmail.com \
--cc=foss+buildroot@0leil.net \
--cc=quentin.schulz@theobroma-systems.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.