From 111ab56d840a6c82367b4a3306494faccd7f934b Mon Sep 17 00:00:00 2001 From: Quentin Schulz Date: Wed, 14 Dec 2022 12:16:02 +0100 Subject: [PATCH] package/cairo: fix CVE-2020-35492 Add an upstream patch to fix CVE-2020-35492: A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability. Important note: this is not the exact upstream patch. Indeed, the upstream patch[1] contains a png file which appears as a binary diff inside the patch. The `patch` tool which is used by Buildroot to apply patches does not handle that kind of diff. Since it is just a test, it shouldn't impact the quality of the CVE fix and all changes related to the test are removed from the patch. [1] https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be Cc: Quentin Schulz Signed-off-by: Quentin Schulz Signed-off-by: Peter Korsgaard --- ...4-Fix-mask-usage-in-image-compositor.patch | 56 +++++++++++++++++++ package/cairo/cairo.mk | 2 + 2 files changed, 58 insertions(+) create mode 100644 package/cairo/0004-Fix-mask-usage-in-image-compositor.patch diff --git a/package/cairo/0004-Fix-mask-usage-in-image-compositor.patch b/package/cairo/0004-Fix-mask-usage-in-image-compositor.patch new file mode 100644 index 0000000000..54a95593c5 --- /dev/null +++ b/package/cairo/0004-Fix-mask-usage-in-image-compositor.patch @@ -0,0 +1,56 @@ +From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 +From: Heiko Lewin +Date: Tue, 15 Dec 2020 16:48:19 +0100 +Subject: [PATCH] Fix mask usage in image-compositor + +[Retrieved from +https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be] +[Removed changes in test/ directory to remove binary diff so that the +patch can be applied by `patch` tool] +Signed-off-by: Quentin Schulz +--- + src/cairo-image-compositor.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c +index bbf4cf228..2352c478e 100644 +--- a/src/cairo-image-compositor.c ++++ b/src/cairo-image-compositor.c +@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + unsigned num_spans) + { + cairo_image_span_renderer_t *r = abstract_renderer; +- uint8_t *m; ++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); + int x0; + + if (num_spans == 0) + return CAIRO_STATUS_SUCCESS; + + x0 = spans[0].x; +- m = r->_buf; ++ m = base; + do { + int len = spans[1].x - spans[0].x; + if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { +@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + spans[0].x, y, + spans[1].x - spans[0].x, h); + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else if (spans[0].coverage == 0x0) { + if (spans[0].x != x0) { +@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + #endif + } + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else { + *m++ = spans[0].coverage; +-- +2.38.1 + diff --git a/package/cairo/cairo.mk b/package/cairo/cairo.mk index 8bb7ca121d..e8a704c7da 100644 --- a/package/cairo/cairo.mk +++ b/package/cairo/cairo.mk @@ -16,6 +16,8 @@ CAIRO_INSTALL_STAGING = YES CAIRO_IGNORE_CVES += CVE-2018-19876 # 0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch CAIRO_IGNORE_CVES += CVE-2019-6462 +# 0004-Fix-mask-usage-in-image-compositor.patch +CAIRO_IGNORE_CVES += CVE-2020-35492 CAIRO_CONF_ENV = LIBS="$(CAIRO_LIBS)"