kumquat-buildroot/package/cairo
Quentin Schulz 111ab56d84 package/cairo: fix CVE-2020-35492
Add an upstream patch to fix CVE-2020-35492:
A flaw was found in cairo's image-compositor.c in all versions prior to
1.17.4. This flaw allows an attacker who can provide a crafted input
file to cairo's image-compositor (for example, by convincing a user to
open a file in an application using cairo, or if an application uses
cairo on untrusted input) to cause a stack buffer overflow ->
out-of-bounds WRITE. The highest impact from this vulnerability is to
confidentiality, integrity, as well as system availability.

Important note: this is not the exact upstream patch. Indeed, the
upstream patch[1] contains a png file which appears as a binary diff
inside the patch. The `patch` tool which is used by Buildroot to apply
patches does not handle that kind of diff. Since it is just a test, it
shouldn't impact the quality of the CVE fix and all changes related to
the test are removed from the patch.

[1] 03a820b173
Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-12-14 20:02:45 +01:00
0001-fix-nofork-build.patch
0002-ft-Use-FT_Done_MM_Var-instead-of-free-when-available-in-cairo_ft_apply_variation.patch
0003-_arc_max_angle_for_tolerance_normalized-fix-infinite.patch package/cairo: fix CVE-2019-6462 2022-12-14 20:02:14 +01:00
0004-Fix-mask-usage-in-image-compositor.patch package/cairo: fix CVE-2020-35492 2022-12-14 20:02:45 +01:00
cairo.hash
cairo.mk package/cairo: fix CVE-2020-35492 2022-12-14 20:02:45 +01:00
Config.in