From patchwork Fri May 31 21:10:54 2019
X-Patchwork-Submitter: Armin Kuster
X-Patchwork-Id: 165551
From: Armin Kuster
To: openembedded-core@lists.openembedded.org
Cc: Armin Kuster
Date: Fri, 31 May 2019 14:10:54 -0700
Message-Id: <1559337054-16560-1-git-send-email-akuster808@gmail.com>
Subject: [OE-core] [thud][PATCH] cairo: fix CVE-2018-19876 CVE-2019-6461 CVE-2019-6462
List-Id: Patches and discussions about the oe-core layer

From: Ross Burton Source: OpenEmbedded.org MR: 97538, 97543 Type: Security Fix Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-graphics/cairo?h=warrior&id=078e4d5c2114d942806cd0d5ad501805a011e841 ChangeID: fa8bdd44ad8613bb0679a1f6d9d670c3b47a0677 Description: CVE-2018-19876 is a backport from upstream. CVE-2019-6461 and CVE-2019-6462 are patches taken from Clear Linux. Signed-off-by: Ross Burton Signed-off-by: Richard Purdie [Dropped CVE-2018-19876, not affected] Issue was introduced in 1.15.8 by: commit 721b7ea0a785afaa04b6da63f970c3c57666fdfe Signed-off-by: Armin Kuster --- .../recipes-graphics/cairo/cairo/CVE-2019-6461.patch | 19 +++++++++++++++++++ .../recipes-graphics/cairo/cairo/CVE-2019-6462.patch | 20 ++++++++++++++++++++ meta/recipes-graphics/cairo/cairo_1.14.12.bb | 2 ++ 3 files changed, 41 insertions(+) create mode 100644 meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch create mode 100644 meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch new file mode 100644 index 0000000..5232cf7 --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch 
@@ -0,0 +1,19 @@ +There is a potential infinite-loop in function _arc_error_normalized(). + +CVE: CVE-2019-6461 +Upstream-Status: Pending +Signed-off-by: Ross Burton + +diff --git a/src/cairo-arc.c b/src/cairo-arc.c +index 390397bae..f9249dbeb 100644 +--- a/src/cairo-arc.c ++++ b/src/cairo-arc.c +@@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance) + do { + angle = M_PI / i++; + error = _arc_error_normalized (angle); +- } while (error > tolerance); ++ } while (error > tolerance && error > __DBL_EPSILON__); + + return angle; + } diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch new file mode 100644 index 0000000..4e4598c --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch @@ -0,0 +1,20 @@ +There is an assertion in function _cairo_arc_in_direction(). + +CVE: CVE-2019-6462 +Upstream-Status: Pending +Signed-off-by: Ross Burton + +diff --git a/src/cairo-arc.c b/src/cairo-arc.c +index 390397bae..1bde774a4 100644 +--- a/src/cairo-arc.c ++++ b/src/cairo-arc.c +@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, + if (cairo_status (cr)) + return; + +- assert (angle_max >= angle_min); ++ if (angle_max < angle_min) ++ return; + + if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { + angle_max = fmod (angle_max - angle_min, 2 * M_PI); diff --git a/meta/recipes-graphics/cairo/cairo_1.14.12.bb b/meta/recipes-graphics/cairo/cairo_1.14.12.bb index 18b9479..08026c4 100644 --- a/meta/recipes-graphics/cairo/cairo_1.14.12.bb +++ b/meta/recipes-graphics/cairo/cairo_1.14.12.bb @@ -25,6 +25,8 @@ DEPENDS = "fontconfig glib-2.0 libpng pixman zlib" SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \ file://cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff \ file://0001-cairo-Fix-CVE-2017-9814.patch \ + file://CVE-2019-6461.patch \ + file://CVE-2019-6462.patch \ " SRC_URI[md5sum] = "9f0db9dbfca0966be8acd682e636d165"
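Review bot: In CVE-2019-6461.patch, the new loop condition `error > tolerance && error > __DBL_EPSILON__` depends on `__DBL_EPSILON__`, a compiler-predefined macro rather than standard C; `DBL_EPSILON` from `<float.h>` is the portable spelling and would be easier to carry upstream given the Upstream-Status: Pending tag. The patch description places the infinite loop in _arc_error_normalized(), but the do/while being changed is in _arc_max_angle_for_tolerance_normalized(), so the description should name the function that is actually modified. With the added bound the loop can now exit while error is still above tolerance (any tolerance smaller than the epsilon), so the returned angle no longer guarantees the requested tolerance; a short comment stating that this is the intended behaviour would help the next reader.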
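Review bot: In CVE-2019-6462.patch, the replacement `if (angle_max < angle_min) return;` is not the exact negation of the removed `assert (angle_max >= angle_min)`: when either angle is NaN both comparisons are false, so input that the assert rejected now falls through to the `angle_max - angle_min` arithmetic that follows. Writing the check as `if (! (angle_max >= angle_min)) return;` keeps the original condition. The early return also sets no error status on cr, so a caller cannot tell that nothing was drawn; the description ("There is an assertion in function _cairo_arc_in_direction()") should say why silently dropping the arc is acceptable here.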
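Review bot: In the cairo_1.14.12.bb hunk, SRC_URI gains only CVE-2019-6461.patch and CVE-2019-6462.patch, while the subject still reads "fix CVE-2018-19876 CVE-2019-6461 CVE-2019-6462" and the description still says CVE-2018-19876 is a backport from upstream. Since the commit message records that CVE-2018-19876 was dropped as not affecting this version, the subject and description should be trimmed to the two CVEs actually patched, so that anyone tracking CVE status from the log does not count 1.14.12 as carrying a fix for it.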