* [Buildroot] [PATCH 0/2] package/cairo: fix multiple CVEs
@ 2022-12-14 11:16 Quentin Schulz
From: Quentin Schulz @ 2022-12-14 11:16 UTC (permalink / raw)
To: buildroot, Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine
This fixes CVE-2019-6462 with an upstream patch and CVE-2020-35492 with a patch
slightly modified compared to upstream (namely removing tests since it includes
a png file which `patch` does not know how to handle when applying the patch).
There's still one CVE in the wild: CVE-2019-6461 but there's no patch for it yet
(not even an attempt),
cf. https://gitlab.freedesktop.org/cairo/cairo/-/issues/352.
Yocto does have a patch for it though:
https://cgit.openembedded.org/openembedded-core/tree/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch?id=a89bea9fed0005bc7d820a1fc6a9d6dd7c246c22
(don't mind the wrong CVE name, I'll send a patch fixing it soon).
But I'm not entirely convinced it's a proper fix? So I'll leave it up for
discussion.
Cheers,
Quentin
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
---
Quentin Schulz (2):
package/cairo: fix CVE-2019-6462
package/cairo: fix CVE-2020-35492
...gle_for_tolerance_normalized-fix-infinite.patch | 39 +++++++++++++++
.../0004-Fix-mask-usage-in-image-compositor.patch | 56 ++++++++++++++++++++++
package/cairo/cairo.mk | 4 ++
3 files changed, 99 insertions(+)
---
base-commit: d3d1d5a2dab19a954915c807e90ac74708b7e9ce
change-id: 20221213-cairo-cves-b0285617c92f
Best regards,
--
Quentin Schulz <quentin.schulz@theobroma-systems.com>
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* [Buildroot] [PATCH 1/2] package/cairo: fix CVE-2019-6462
From: Quentin Schulz @ 2022-12-14 11:16 UTC (permalink / raw)
To: buildroot, Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine
From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Add an upstream patch to fix CVE-2019-6462:
An issue was discovered in cairo 1.16.0. There is an infinite loop in
the function _arc_error_normalized in the file cairo-arc.c, related to
_arc_max_angle_for_tolerance_normalized.
Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
---
...gle_for_tolerance_normalized-fix-infinite.patch | 39 ++++++++++++++++++++++
package/cairo/cairo.mk | 2 ++
2 files changed, 41 insertions(+)
diff --git a/package/cairo/0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch b/package/cairo/0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch
new file mode 100644
index 0000000000..078e90fa42
--- /dev/null
+++ b/package/cairo/0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch
@@ -0,0 +1,39 @@
+From ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0 Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <hlewin@gmx.de>
+Date: Sun, 1 Aug 2021 11:16:03 +0000
+Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop
+
+[Retrieved from:
+https://gitlab.freedesktop.org/cairo/cairo/-/commit/ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0]
+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+---
+ src/cairo-arc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/cairo-arc.c b/src/cairo-arc.c
+index 390397bae..1c891d1a0 100644
+--- a/src/cairo-arc.c
++++ b/src/cairo-arc.c
+@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
+ { M_PI / 11.0, 9.81410988043554039085e-09 },
+ };
+ int table_size = ARRAY_LENGTH (table);
++ const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */
+
+ for (i = 0; i < table_size; i++)
+ if (table[i].error < tolerance)
+ return table[i].angle;
+
+ ++i;
++
+ do {
+ angle = M_PI / i++;
+ error = _arc_error_normalized (angle);
+- } while (error > tolerance);
++ } while (error > tolerance && i < max_segments);
+
+ return angle;
+ }
+--
+2.38.1
+
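Review bot: the new exit condition `} while (error > tolerance && i < max_segments);` turns a hang into a silent precision loss: when the loop stops because `i` reached `max_segments`, the function still returns `angle` although `error` is above `tolerance`, and the caller has no way to tell. That is fine as a denial-of-service fix, but the comment on `max_segments` should say that the cap is a backstop and not a guarantee of meeting the tolerance. The loop can only fail to converge when no computed `error` ever drops to `tolerance` (a zero or negative `tolerance` is the obvious case), so a check on the input value before the search, or at least a note on where `tolerance` is validated, would address the cause rather than only bounding the damage.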
diff --git a/package/cairo/cairo.mk b/package/cairo/cairo.mk
index f479aa252a..8bb7ca121d 100644
--- a/package/cairo/cairo.mk
+++ b/package/cairo/cairo.mk
@@ -14,6 +14,8 @@ CAIRO_INSTALL_STAGING = YES
# 0002-ft-Use-FT_Done_MM_Var-instead-of-free-when-available-in-cairo_ft_apply_variation.patch
CAIRO_IGNORE_CVES += CVE-2018-19876
+# 0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch
+CAIRO_IGNORE_CVES += CVE-2019-6462
CAIRO_CONF_ENV = LIBS="$(CAIRO_LIBS)"
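Review bot: `CAIRO_IGNORE_CVES += CVE-2019-6462` is only valid while `0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch` is actually applied; on the next version bump, whoever drops the patch has to remember to drop this line too, otherwise the CVE stays hidden from Buildroot's CVE reporting. Recording the upstream commit (ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0) in the comment, as the patch header already does, would let the person doing the bump check whether the release already contains the fix.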
--
2.38.1
* [Buildroot] [PATCH 2/2] package/cairo: fix CVE-2020-35492
From: Quentin Schulz @ 2022-12-14 11:16 UTC (permalink / raw)
To: buildroot, Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine
From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Add an upstream patch to fix CVE-2020-35492:
A flaw was found in cairo's image-compositor.c in all versions prior to
1.17.4. This flaw allows an attacker who can provide a crafted input
file to cairo's image-compositor (for example, by convincing a user to
open a file in an application using cairo, or if an application uses
cairo on untrusted input) to cause a stack buffer overflow ->
out-of-bounds WRITE. The highest impact from this vulnerability is to
confidentiality, integrity, as well as system availability.
Important note: this is not the exact upstream patch. Indeed, the
upstream patch[1] contains a png file which appears as a binary diff
inside the patch. The `patch` tool which is used by Buildroot to apply
patches does not handle that kind of diff. Since it is just a test, it
shouldn't impact the quality of the CVE fix and all changes related to
the test are removed from the patch.
[1] https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be
Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
---
.../0004-Fix-mask-usage-in-image-compositor.patch | 56 ++++++++++++++++++++++
package/cairo/cairo.mk | 2 +
2 files changed, 58 insertions(+)
diff --git a/package/cairo/0004-Fix-mask-usage-in-image-compositor.patch b/package/cairo/0004-Fix-mask-usage-in-image-compositor.patch
new file mode 100644
index 0000000000..54a95593c5
--- /dev/null
+++ b/package/cairo/0004-Fix-mask-usage-in-image-compositor.patch
@@ -0,0 +1,56 @@
+From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <heiko.lewin@worldiety.de>
+Date: Tue, 15 Dec 2020 16:48:19 +0100
+Subject: [PATCH] Fix mask usage in image-compositor
+
+[Retrieved from
+https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be]
+[Removed changes in test/ directory to remove binary diff so that the
+patch can be applied by `patch` tool]
+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+---
+ src/cairo-image-compositor.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index bbf4cf228..2352c478e 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ unsigned num_spans)
+ {
+ cairo_image_span_renderer_t *r = abstract_renderer;
+- uint8_t *m;
++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
+ int x0;
+
+ if (num_spans == 0)
+ return CAIRO_STATUS_SUCCESS;
+
+ x0 = spans[0].x;
+- m = r->_buf;
++ m = base;
+ do {
+ int len = spans[1].x - spans[0].x;
+ if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
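Review bot: the substantive change is `base = (uint8_t*)pixman_image_get_data(r->mask)` and the following `m = base`: coverage bytes are now written into the mask image's own pixel buffer instead of `r->_buf`, the renderer's scratch buffer, which is the stack buffer the CVE text refers to. Two things to confirm: `pixman_image_get_data` returns a `uint32_t *`, so the cast is deliberate and deserves a one-line comment, and `r->mask` must be non-NULL on every path that reaches `_inplace_src_spans`; nothing in the hunk checks it, so that invariant should be stated in the patch header.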
+@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ spans[0].x, y,
+ spans[1].x - spans[0].x, h);
+
+- m = r->_buf;
++ m = base;
+ x0 = spans[1].x;
+ } else if (spans[0].coverage == 0x0) {
+ if (spans[0].x != x0) {
+@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ #endif
+ }
+
+- m = r->_buf;
++ m = base;
+ x0 = spans[1].x;
+ } else {
+ *m++ = spans[0].coverage;
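Review bot: the write at `*m++ = spans[0].coverage;` is still not bounded by anything visible in these hunks; the fix relies entirely on `base` now pointing at a buffer sized for the mask rather than at `r->_buf`. Since the regression test that upstream added to prove this was dropped from the Buildroot copy (see "[Removed changes in test/ directory ...]" in the header), the patch header should say how the backport was validated, for example by running the upstream test against a cairo tree with this patch applied.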
+--
+2.38.1
+
diff --git a/package/cairo/cairo.mk b/package/cairo/cairo.mk
index 8bb7ca121d..e8a704c7da 100644
--- a/package/cairo/cairo.mk
+++ b/package/cairo/cairo.mk
@@ -16,6 +16,8 @@ CAIRO_INSTALL_STAGING = YES
CAIRO_IGNORE_CVES += CVE-2018-19876
# 0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch
CAIRO_IGNORE_CVES += CVE-2019-6462
+# 0004-Fix-mask-usage-in-image-compositor.patch
+CAIRO_IGNORE_CVES += CVE-2020-35492
CAIRO_CONF_ENV = LIBS="$(CAIRO_LIBS)"
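Review bot: the CVE description quoted in the commit message says the flaw is in "all versions prior to 1.17.4", so both `0004-Fix-mask-usage-in-image-compositor.patch` and this `CAIRO_IGNORE_CVES += CVE-2020-35492` line become dead weight once the package is bumped to 1.17.4 or later. A short note here ("fixed upstream in 1.17.4, drop on bump") would keep the ignore list from outliving the patch it justifies.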
--
2.38.1
* Re: [Buildroot] [PATCH 0/2] package/cairo: fix multiple CVEs
From: Peter Korsgaard @ 2022-12-14 19:01 UTC (permalink / raw)
To: Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine, buildroot
>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:
> This fixes CVE-2019-6462 with an upstream patch and CVE-2020-35492 with a patch
> slightly modified compared to upstream (namely removing tests since it includes
> a png file which `patch` does not know how to handle when applying the patch).
Thanks!
> There's still one CVE in the wild: CVE-2019-6461 but there's no patch for it yet
> (not even an attempt),
> c.f. https://gitlab.freedesktop.org/cairo/cairo/-/issues/352.
> Yocto does have a patch for it though:
> https://cgit.openembedded.org/openembedded-core/tree/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch?id=a89bea9fed0005bc7d820a1fc6a9d6dd7c246c22
> (don't mind the wrong CVE name, I'll send a patch fixing it soon).
> But I'm not entirely convinced it's a proper fix? So i'll leave it up for
> discussion.
That indeed looks kind of fishy to me, but I don't really know much
about cairo. Anyone?
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 2/2] package/cairo: fix CVE-2020-35492
From: Peter Korsgaard @ 2022-12-14 19:03 UTC (permalink / raw)
To: Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine, buildroot
>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:
> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> Add an upstream patch to fix CVE-2020-35492:
> A flaw was found in cairo's image-compositor.c in all versions prior to
> 1.17.4. This flaw allows an attacker who can provide a crafted input
> file to cairo's image-compositor (for example, by convincing a user to
> open a file in an application using cairo, or if an application uses
> cairo on untrusted input) to cause a stack buffer overflow ->
> out-of-bounds WRITE. The highest impact from this vulnerability is to
> confidentiality, integrity, as well as system availability.
> Important note: this is not the exact upstream patch. Indeed, the
> upstream patch[1] contains a png file which appears as a binary diff
> inside the patch. The `patch` tool which is used by Buildroot to apply
> patches does not handle that kind of diff. Since it is just a test, it
> shouldn't impact the quality of the CVE fix and all changes related to
> the test are removed from the patch.
> [1] https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 1/2] package/cairo: fix CVE-2019-6462
From: Peter Korsgaard @ 2022-12-14 19:03 UTC (permalink / raw)
To: Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine, buildroot
>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:
> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> Add an upstream patch to fix CVE-2019-6462:
> An issue was discovered in cairo 1.16.0. There is an infinite loop in
> the function _arc_error_normalized in the file cairo-arc.c, related to
> _arc_max_angle_for_tolerance_normalized.
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 2/2] package/cairo: fix CVE-2020-35492
From: Peter Korsgaard @ 2022-12-21 17:57 UTC (permalink / raw)
To: Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine, buildroot
>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:
> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> Add an upstream patch to fix CVE-2020-35492:
> A flaw was found in cairo's image-compositor.c in all versions prior to
> 1.17.4. This flaw allows an attacker who can provide a crafted input
> file to cairo's image-compositor (for example, by convincing a user to
> open a file in an application using cairo, or if an application uses
> cairo on untrusted input) to cause a stack buffer overflow ->
> out-of-bounds WRITE. The highest impact from this vulnerability is to
> confidentiality, integrity, as well as system availability.
> Important note: this is not the exact upstream patch. Indeed, the
> upstream patch[1] contains a png file which appears as a binary diff
> inside the patch. The `patch` tool which is used by Buildroot to apply
> patches does not handle that kind of diff. Since it is just a test, it
> shouldn't impact the quality of the CVE fix and all changes related to
> the test are removed from the patch.
> [1] https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Committed to 2022.11.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 1/2] package/cairo: fix CVE-2019-6462
From: Peter Korsgaard @ 2022-12-21 17:57 UTC (permalink / raw)
To: Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine, buildroot
>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:
> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> Add an upstream patch to fix CVE-2019-6462:
> An issue was discovered in cairo 1.16.0. There is an infinite loop in
> the function _arc_error_normalized in the file cairo-arc.c, related to
> _arc_max_angle_for_tolerance_normalized.
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Committed to 2022.11.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard