* [Buildroot] [PATCH 0/2] package/cairo: fix multiple CVEs
@ 2022-12-14 11:16 Quentin Schulz
From: Quentin Schulz @ 2022-12-14 11:16 UTC (permalink / raw)
To: buildroot, Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine
This fixes CVE-2019-6462 with an upstream patch and CVE-2020-35492 with a patch
slightly modified compared to upstream (namely removing tests since it includes
a png file which `patch` does not know how to handle when applying the patch).
There's still one CVE in the wild: CVE-2019-6461 but there's no patch for it yet
(not even an attempt),
cf. https://gitlab.freedesktop.org/cairo/cairo/-/issues/352.
Yocto does have a patch for it though:
https://cgit.openembedded.org/openembedded-core/tree/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch?id=a89bea9fed0005bc7d820a1fc6a9d6dd7c246c22
(don't mind the wrong CVE name, I'll send a patch fixing it soon).
But I'm not entirely convinced it's a proper fix? So I'll leave it up for
discussion.
Cheers,
Quentin
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
---
Quentin Schulz (2):
package/cairo: fix CVE-2019-6462
package/cairo: fix CVE-2020-35492
...gle_for_tolerance_normalized-fix-infinite.patch | 39 +++++++++++++++
.../0004-Fix-mask-usage-in-image-compositor.patch | 56 ++++++++++++++++++++++
package/cairo/cairo.mk | 4 ++
3 files changed, 99 insertions(+)
---
base-commit: d3d1d5a2dab19a954915c807e90ac74708b7e9ce
change-id: 20221213-cairo-cves-b0285617c92f
Best regards,
--
Quentin Schulz <quentin.schulz@theobroma-systems.com>
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* [Buildroot] [PATCH 1/2] package/cairo: fix CVE-2019-6462
From: Quentin Schulz @ 2022-12-14 11:16 UTC (permalink / raw)
To: buildroot, Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine
From: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Add an upstream patch to fix CVE-2019-6462:

An issue was discovered in cairo 1.16.0. There is an infinite loop in the
function _arc_error_normalized in the file cairo-arc.c, related to
_arc_max_angle_for_tolerance_normalized.

Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
---
 ...gle_for_tolerance_normalized-fix-infinite.patch | 39 ++++++++++++++++++++++
 package/cairo/cairo.mk | 2 ++
 2 files changed, 41 insertions(+)

diff --git a/package/cairo/0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch b/package/cairo/0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch
new file mode 100644
index 0000000000..078e90fa42
--- /dev/null
+++ b/package/cairo/0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch
@@ -0,0 +1,39 @@ +From ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0 Mon Sep 17 00:00:00 2001 +From: Heiko Lewin <hlewin@gmx.de> +Date: Sun, 1 Aug 2021 11:16:03 +0000 +Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop + +[Retrieved from: +https://gitlab.freedesktop.org/cairo/cairo/-/commit/ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0] +Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> +--- + src/cairo-arc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/cairo-arc.c b/src/cairo-arc.c +index 390397bae..1c891d1a0 100644 +--- a/src/cairo-arc.c ++++ b/src/cairo-arc.c +@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance) + { M_PI / 11.0, 9.81410988043554039085e-09 }, + }; + int table_size = ARRAY_LENGTH (table); ++ const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */ + + for (i = 0; i < table_size; i++) + if (table[i].error < tolerance) + return table[i].angle; + + ++i; ++ + do { + angle = M_PI / i++; + error = _arc_error_normalized (angle); +- } while (error > tolerance); ++ } while (error > tolerance && i < max_segments); + + return angle; + } +-- +2.38.1 + diff --git a/package/cairo/cairo.mk b/package/cairo/cairo.mk index f479aa252a..8bb7ca121d 100644 --- a/package/cairo/cairo.mk +++ b/package/cairo/cairo.mk @@ -14,6 +14,8 @@ CAIRO_INSTALL_STAGING = YES # 0002-ft-Use-FT_Done_MM_Var-instead-of-free-when-available-in-cairo_ft_apply_variation.patch CAIRO_IGNORE_CVES += CVE-2018-19876 +# 0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch +CAIRO_IGNORE_CVES += CVE-2019-6462 CAIRO_CONF_ENV = LIBS="$(CAIRO_LIBS)" -- 2.38.1 _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply related [flat|nested] 8+ messages in thread
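Review bot: in the `0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch` hunk, the added `i < max_segments` term guarantees that `do { angle = M_PI / i++; error = _arc_error_normalized (angle); } while (...)` terminates, but when the cap is what stops the loop the function still falls through to `return angle;` with an angle whose error never met `tolerance`, and the caller cannot distinguish that from a converged result. Since the inline comment says `max_segments = 1000` is "chosen arbitrarily", the commit message should state that the fallback is reached only when `error > tolerance` holds for every angle tried and why returning roughly M_PI/999 is acceptable in that case; that makes the behaviour change reviewable when this is backported to the 2022.11.x and 2022.02.x branches.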
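The patch above turns an unbounded search into one capped at `max_segments` iterations. The following C program is an added example, not cairo's code and not part of this series: it reproduces the patched loop shape and, unlike the real function, reports through a separate `converged` flag whether the tolerance was actually reached or the cap stopped the loop. The names `arc_max_angle_bounded`, `arc_result`, `taylor_sin` and `taylor_cos` are mine; `arc_error_normalized` is a stand-in modelled on the formula in cairo-arc.c (an assumption, not copied from the patch), computed with short Taylor series so the program builds without libm. The table lookup that precedes the loop in cairo is omitted, so the search starts at one segment.

```c
#include <stdio.h>

#define PI 3.14159265358979323846

/* 12-term Taylor series for sin and cos. Inputs stay within [0, PI/4], where
 * this converges to double precision; used instead of <math.h> so the example
 * needs no libm. */
static double taylor_sin(double x)
{
    double term = x, sum = x;
    for (int n = 1; n < 12; n++) {
        term *= -x * x / ((2 * n) * (2 * n + 1));
        sum += term;
    }
    return sum;
}

static double taylor_cos(double x)
{
    double term = 1.0, sum = 1.0;
    for (int n = 1; n < 12; n++) {
        term *= -x * x / ((2 * n - 1) * (2 * n));
        sum += term;
    }
    return sum;
}

/* Stand-in for cairo's _arc_error_normalized(): error of approximating an arc
 * of `angle` radians by one spline segment. Assumption: modelled on the
 * formula in cairo-arc.c. Strictly positive for any angle in (0, PI], which is
 * exactly why a tolerance of 0 or less can never be satisfied. */
static double arc_error_normalized(double angle)
{
    double s = taylor_sin(angle / 4), c = taylor_cos(angle / 4);
    return 2.0 / 27.0 * (s * s * s * s * s * s) / (c * c);
}

struct arc_result {
    double angle;    /* last angle tried (PI / iterations) */
    int iterations;  /* loop iterations performed */
    int converged;   /* 1 if error <= tolerance was reached, 0 if the cap stopped the loop */
};

/* Mirrors the patched loop:
 *   do { angle = M_PI / i++; error = ...; } while (error > tolerance && i < max_segments);
 * Without the `i < max_segments` term, any tolerance the error can never drop
 * to (0, a negative value) spins forever: the CVE-2019-6462 denial of service.
 * With it, the loop runs at most max_segments - 1 times (i starts at 1). */
struct arc_result arc_max_angle_bounded(double tolerance, int max_segments)
{
    struct arc_result r = { 0.0, 0, 0 };
    int i = 1;
    double error;
    do {
        r.angle = PI / i++;
        error = arc_error_normalized(r.angle);
        r.iterations++;
    } while (error > tolerance && i < max_segments);
    r.converged = !(error > tolerance);
    return r;
}

int main(void)
{
    /* Constructed inputs: two reachable tolerances and two that are not. */
    const double tolerances[] = { 1e-3, 1e-9, 0.0, -1.0 };
    for (unsigned k = 0; k < sizeof tolerances / sizeof tolerances[0]; k++) {
        struct arc_result r = arc_max_angle_bounded(tolerances[k], 1000);
        printf("tolerance=%g: angle=%g (PI/%d) after %d iterations, %s\n",
               tolerances[k], r.angle, r.iterations, r.iterations,
               r.converged ? "converged" : "stopped by max_segments");
    }
    return 0;
}
```

With a tolerance of 1e-3 the loop converges on the second iteration (angle PI/2); with 0 or a negative tolerance it runs exactly 999 times and returns PI/999, the value the patch's comment calls an error of about 1.7e-20. The `converged` flag is the piece the real function lacks: a caller that wants to treat an unreachable tolerance as an input error rather than silently accept the capped angle needs it.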
* Re: [Buildroot] [PATCH 1/2] package/cairo: fix CVE-2019-6462
From: Peter Korsgaard @ 2022-12-14 19:03 UTC (permalink / raw)
To: Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine, buildroot

>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:

> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> Add an upstream patch to fix CVE-2019-6462:
> An issue was discovered in cairo 1.16.0. There is an infinite loop in
> the function _arc_error_normalized in the file cairo-arc.c, related to
> _arc_max_angle_for_tolerance_normalized.
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Committed, thanks.

--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 1/2] package/cairo: fix CVE-2019-6462
From: Peter Korsgaard @ 2022-12-21 17:57 UTC (permalink / raw)
To: Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine, buildroot

>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:

> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> Add an upstream patch to fix CVE-2019-6462:
> An issue was discovered in cairo 1.16.0. There is an infinite loop in
> the function _arc_error_normalized in the file cairo-arc.c, related to
> _arc_max_angle_for_tolerance_normalized.
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Committed to 2022.11.x and 2022.02.x, thanks.

--
Bye, Peter Korsgaard
* [Buildroot] [PATCH 2/2] package/cairo: fix CVE-2020-35492
From: Quentin Schulz @ 2022-12-14 11:16 UTC (permalink / raw)
To: buildroot, Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine
From: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Add an upstream patch to fix CVE-2020-35492:

A flaw was found in cairo's image-compositor.c in all versions prior to
1.17.4. This flaw allows an attacker who can provide a crafted input
file to cairo's image-compositor (for example, by convincing a user to
open a file in an application using cairo, or if an application uses
cairo on untrusted input) to cause a stack buffer overflow ->
out-of-bounds WRITE. The highest impact from this vulnerability is to
confidentiality, integrity, as well as system availability.

Important note: this is not the exact upstream patch. Indeed, the
upstream patch[1] contains a png file which appears as a binary diff
inside the patch. The `patch` tool which is used by Buildroot to apply
patches does not handle that kind of diff. Since it is just a test, it
shouldn't impact the quality of the CVE fix and all changes related to
the test are removed from the patch.

[1] https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be

Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
---
 .../0004-Fix-mask-usage-in-image-compositor.patch | 56 ++++++++++++++++++++++
 package/cairo/cairo.mk | 2 +
 2 files changed, 58 insertions(+)
diff --git a/package/cairo/0004-Fix-mask-usage-in-image-compositor.patch b/package/cairo/0004-Fix-mask-usage-in-image-compositor.patch new file mode 100644 index 0000000000..54a95593c5 --- /dev/null +++ b/package/cairo/0004-Fix-mask-usage-in-image-compositor.patch @@ -0,0 +1,56 @@ +From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 +From: Heiko Lewin <heiko.lewin@worldiety.de> +Date: Tue, 15 Dec 2020 16:48:19 +0100 +Subject: [PATCH] Fix mask usage in image-compositor + +[Retrieved from +https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be] +[Removed changes in test/ directory to remove binary diff so that the +patch can be applied by `patch` tool] +Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> +--- + src/cairo-image-compositor.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c +index bbf4cf228..2352c478e 100644 +--- a/src/cairo-image-compositor.c ++++ b/src/cairo-image-compositor.c +@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + unsigned num_spans) + { + cairo_image_span_renderer_t *r = abstract_renderer; +- uint8_t *m; ++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); + int x0; + + if (num_spans == 0) + return CAIRO_STATUS_SUCCESS; + + x0 = spans[0].x; +- m = r->_buf; ++ m = base; + do { + int len = spans[1].x - spans[0].x; + if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { +@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + spans[0].x, y, + spans[1].x - spans[0].x, h); + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else if (spans[0].coverage == 0x0) { + if (spans[0].x != x0) { +@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + #endif + } + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else { + *m++ = spans[0].coverage; +-- +2.38.1 + 
diff --git a/package/cairo/cairo.mk b/package/cairo/cairo.mk index 8bb7ca121d..e8a704c7da 100644 --- a/package/cairo/cairo.mk +++ b/package/cairo/cairo.mk @@ -16,6 +16,8 @@ CAIRO_INSTALL_STAGING = YES CAIRO_IGNORE_CVES += CVE-2018-19876 # 0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch CAIRO_IGNORE_CVES += CVE-2019-6462 +# 0004-Fix-mask-usage-in-image-compositor.patch +CAIRO_IGNORE_CVES += CVE-2020-35492 CAIRO_CONF_ENV = LIBS="$(CAIRO_LIBS)" -- 2.38.1 _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply related [flat|nested] 8+ messages in thread
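Review bot: in the `_inplace_src_spans` hunk of `0004-Fix-mask-usage-in-image-compositor.patch`, `base` is initialised from `pixman_image_get_data(r->mask)` in the declaration, i.e. before the `if (num_spans == 0) return CAIRO_STATUS_SUCCESS;` early return, so every call now touches `r->mask` where the old code only read `r->_buf`; if any renderer set-up path can leave `r->mask` NULL this is a new NULL dereference, so either move the initialisation below the early return or record in the commit message (the Buildroot one or the bracketed note inside the patch) that `r->mask` is always populated when this span function is installed. The bracketed `[Removed changes in test/ directory ...]` line is a good way to document the deviation from upstream; it would be worth adding that the dropped test is the regression test for this CVE, so whoever bumps cairo past 1.17.4 knows to drop the local patch rather than carry it.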
* Re: [Buildroot] [PATCH 2/2] package/cairo: fix CVE-2020-35492
From: Peter Korsgaard @ 2022-12-14 19:03 UTC (permalink / raw)
To: Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine, buildroot

>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:

> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> Add an upstream patch to fix CVE-2020-35492:
> A flaw was found in cairo's image-compositor.c in all versions prior to
> 1.17.4. This flaw allows an attacker who can provide a crafted input
> file to cairo's image-compositor (for example, by convincing a user to
> open a file in an application using cairo, or if an application uses
> cairo on untrusted input) to cause a stack buffer overflow ->
> out-of-bounds WRITE. The highest impact from this vulnerability is to
> confidentiality, integrity, as well as system availability.
> Important note: this is not the exact upstream patch. Indeed, the
> upstream patch[1] contains a png file which appears as a binary diff
> inside the patch. The `patch` tool which is used by Buildroot to apply
> patches does not handle that kind of diff. Since it is just a test, it
> shouldn't impact the quality of the CVE fix and all changes related to
> the test are removed from the patch.
> [1] https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Committed, thanks.

--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 2/2] package/cairo: fix CVE-2020-35492
From: Peter Korsgaard @ 2022-12-21 17:57 UTC (permalink / raw)
To: Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine, buildroot

>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:

> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> Add an upstream patch to fix CVE-2020-35492:
> A flaw was found in cairo's image-compositor.c in all versions prior to
> 1.17.4. This flaw allows an attacker who can provide a crafted input
> file to cairo's image-compositor (for example, by convincing a user to
> open a file in an application using cairo, or if an application uses
> cairo on untrusted input) to cause a stack buffer overflow ->
> out-of-bounds WRITE. The highest impact from this vulnerability is to
> confidentiality, integrity, as well as system availability.
> Important note: this is not the exact upstream patch. Indeed, the
> upstream patch[1] contains a png file which appears as a binary diff
> inside the patch. The `patch` tool which is used by Buildroot to apply
> patches does not handle that kind of diff. Since it is just a test, it
> shouldn't impact the quality of the CVE fix and all changes related to
> the test are removed from the patch.
> [1] https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Committed to 2022.11.x and 2022.02.x, thanks.

--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 0/2] package/cairo: fix multiple CVEs
From: Peter Korsgaard @ 2022-12-14 19:01 UTC (permalink / raw)
To: Quentin Schulz; +Cc: Quentin Schulz, Fabrice Fontaine, buildroot

>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:

> This fixes CVE-2019-6462 with an upstream patch and CVE-2020-35492 with a patch
> slightly modified compared to upstream (namely removing tests since it includes
> a png file which `patch` does not know how to handle when applying the patch).

Thanks!

> There's still one CVE in the wild: CVE-2019-6461 but there's no patch for it yet
> (not even an attempt),
> cf. https://gitlab.freedesktop.org/cairo/cairo/-/issues/352.
> Yocto does have a patch for it though:
> https://cgit.openembedded.org/openembedded-core/tree/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch?id=a89bea9fed0005bc7d820a1fc6a9d6dd7c246c22
> (don't mind the wrong CVE name, I'll send a patch fixing it soon).
> But I'm not entirely convinced it's a proper fix? So I'll leave it up for
> discussion.

That indeed looks kind of fishy to me, but I don't really know much about cairo. Anyone?

--
Bye, Peter Korsgaard