diff options
author | 宋文武 <iyzsong@member.fsf.org> | 2021-04-22 19:21:51 +0800 |
---|---|---|
committer | 宋文武 <iyzsong@member.fsf.org> | 2021-04-23 18:27:26 +0800 |
commit | 2ab4f4c950ffa7ca40271a534cb3bed997672138 (patch) | |
tree | 60a900d36a2dd87b6e0f098f16cf0d535019c6cf /gnu/packages | |
parent | a738a663a99ea63078cbba63d9b267e123f475d5 (diff) | |
download | guix-2ab4f4c950ffa7ca40271a534cb3bed997672138.tar.gz guix-2ab4f4c950ffa7ca40271a534cb3bed997672138.zip |
gnu: cairo: Reintroduce security patches [security fixes].
Two patches were accidentally removed in commit
f94cdc86f644984ca83164d40b17e7eed6e22091.
* gnu/packages/patches/cairo-CVE-2018-19876.patch,
gnu/packages/patches/cairo-CVE-2020-35492.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gtk.scm (cairo)[patches]: Apply them.
Diffstat (limited to 'gnu/packages')
-rw-r--r-- | gnu/packages/gtk.scm | 5 | ||||
-rw-r--r-- | gnu/packages/patches/cairo-CVE-2018-19876.patch | 37 | ||||
-rw-r--r-- | gnu/packages/patches/cairo-CVE-2020-35492.patch | 49 |
3 files changed, 90 insertions, 1 deletions
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 9f3aea4aca..f70e667115 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -142,7 +142,10 @@ tools have full access to view and control running applications.") (string-append "https://cairographics.org/releases/cairo-" version ".tar.xz")) (sha256 - (base32 "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy")))) + (base32 "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy")) + (patches (search-patches + "cairo-CVE-2018-19876.patch" + "cairo-CVE-2020-35492.patch")))) (build-system glib-or-gtk-build-system) (outputs '("out" "doc")) (arguments diff --git a/gnu/packages/patches/cairo-CVE-2018-19876.patch b/gnu/packages/patches/cairo-CVE-2018-19876.patch new file mode 100644 index 0000000000..c0fba2ecaa --- /dev/null +++ b/gnu/packages/patches/cairo-CVE-2018-19876.patch @@ -0,0 +1,37 @@ +Copied from Debian. + +From: Carlos Garcia Campos <cgarcia@igalia.com> +Date: Mon, 19 Nov 2018 12:33:07 +0100 +Subject: ft: Use FT_Done_MM_Var instead of free when available in + cairo_ft_apply_variations + +Fixes a crash when using freetype >= 2.9 + +[This is considered to be security-sensitive because WebKitGTK+ sets its +own memory allocator, which is not compatible with system free(), making +this a remotely triggerable denial of service or memory corruption.] + +Origin: upstream, commit:90e85c2493fdfa3551f202ff10282463f1e36645 +Bug: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5 +Bug-Debian: https://bugs.debian.org/916389 +Bug-CVE: CVE-2018-19876 +--- + src/cairo-ft-font.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c +index 325dd61..981973f 100644 +--- a/src/cairo-ft-font.c ++++ b/src/cairo-ft-font.c +@@ -2393,7 +2393,11 @@ skip: + done: + free (coords); + free (current_coords); ++#if HAVE_FT_DONE_MM_VAR ++ FT_Done_MM_Var (face->glyph->library, ft_mm_var); ++#else + free (ft_mm_var); ++#endif + } + } + diff --git a/gnu/packages/patches/cairo-CVE-2020-35492.patch b/gnu/packages/patches/cairo-CVE-2020-35492.patch new file mode 100644 index 0000000000..e8b90fa5c5 --- /dev/null +++ b/gnu/packages/patches/cairo-CVE-2020-35492.patch @@ -0,0 +1,49 @@ +Copied from Debian. + +From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 +From: Heiko Lewin <heiko.lewin@worldiety.de> +Date: Tue, 15 Dec 2020 16:48:19 +0100 +Subject: [PATCH] Fix mask usage in image-compositor + +[trimmed test case, since not used in Debian build] + +--- + src/cairo-image-compositor.c | 8 ++-- + +--- cairo-1.16.0.orig/src/cairo-image-compositor.c ++++ cairo-1.16.0/src/cairo-image-compositor.c +@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_rende + unsigned num_spans) + { + cairo_image_span_renderer_t *r = abstract_renderer; +- uint8_t *m; ++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); + int x0; + + if (num_spans == 0) + return CAIRO_STATUS_SUCCESS; + + x0 = spans[0].x; +- m = r->_buf; ++ m = base; + do { + int len = spans[1].x - spans[0].x; + if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { +@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_rende + spans[0].x, y, + spans[1].x - spans[0].x, h); + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else if (spans[0].coverage == 0x0) { + if (spans[0].x != x0) { +@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_rende + #endif + } + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else { + *m++ = spans[0].coverage; |