From mboxrd@z Thu Jan 1 00:00:00 1970
Delivery-date: Wed, 25 May 2022 11:47:18 +0200
Received: from metis.ext.pengutronix.de ([2001:67c:670:201:290:27ff:fe1d:cc33]) by lore.white.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ntnbq-008VJu-Nh for lore@lore.pengutronix.de; Wed, 25 May 2022 11:47:18 +0200
Received: from localhost ([127.0.0.1] helo=metis.ext.pengutronix.de) by metis.ext.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1ntnbp-00025q-Th; Wed, 25 May 2022 11:47:17 +0200
Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1ntnZw-0007L5-Ka; Wed, 25 May 2022 11:45:20 +0200
Received: from [2a0a:edc0:0:1101:1d::39] (helo=dude03.red.stw.pengutronix.de) by drehscheibe.grey.stw.pengutronix.de with esmtp (Exim 4.94.2) (envelope-from ) id 1ntnZw-004RBU-U7; Wed, 25 May 2022 11:45:19 +0200
Received: from mol by dude03.red.stw.pengutronix.de with local (Exim 4.94.2) (envelope-from ) id 1ntnZu-00BwLm-GI; Wed, 25 May 2022 11:45:18 +0200
From: Michael Olbrich
To: ptxdist@pengutronix.de
Date: Wed, 25 May 2022 11:45:18 +0200
Message-Id: <20220525094518.2845859-1-m.olbrich@pengutronix.de>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20220518082005.1474409-1-christian.melki@t2data.com>
References: <20220518082005.1474409-1-christian.melki@t2data.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: Re: [ptxdist] [APPLIED] cairo: Fix CVEs
X-BeenThere: ptxdist@pengutronix.de
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PTXdist Development Mailing List
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Reply-To: ptxdist@pengutronix.de
Cc: Christian Melki
Sender: "ptxdist"
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de
X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false

Thanks, applied as 0f6b26a4fede60cbbd05adc5a96807951ec80632.

Michael

[sent from post-receive hook]

On Wed, 25 May 2022 11:45:18 +0200, Christian Melki wrote:
> * Plug CVEs: CVE-2017-7475, CVE-2018-19876, CVE-2019-6461,
>   CVE-2019-6462, CVE-2020-35492.
>
> Signed-off-by: Christian Melki
> Message-Id: <20220518082005.1474409-1-christian.melki@t2data.com>
> Signed-off-by: Michael Olbrich
>
> diff --git a/patches/cairo-1.16.0/0004-Cairo-Fix-Denial-of-Service-Attack-due-to-Logical-Pr.patch b/patches/cairo-1.16.0/0004-Cairo-Fix-Denial-of-Service-Attack-due-to-Logical-Pr.patch
> new file mode 100644
> index 000000000000..cc9add93cc7b
> --- /dev/null
> +++ b/patches/cairo-1.16.0/0004-Cairo-Fix-Denial-of-Service-Attack-due-to-Logical-Pr.patch
> @@ -0,0 +1,32 @@ > +From: Christian Melki > +Date: Tue, 17 May 2022 11:03:07 +0200 > +Subject: [PATCH] Cairo: Fix Denial-of-Service Attack due to Logical Problem in > + Program > + > +https://bugs.freedesktop.org/show_bug.cgi?id=100763 > + > +CVE: CVE-2017-7475 > +Upstream-Status: Submitted > + > +Signed-off-by: Fan Xin > + > +The patch was imported from the Yocto project. > + > +Signed-off-by: Christian Melki > +--- > + src/cairo-ft-font.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c > +index 325dd61b47b1..7de310ac5531 100644 > +--- a/src/cairo-ft-font.c > ++++ b/src/cairo-ft-font.c > +@@ -1207,7 +1207,7 @@ _get_bitmap_surface (FT_Bitmap *bitmap, > + width = bitmap->width; > + height = bitmap->rows; > + > +- if (width == 0 || height == 0) { > ++ if (width == 0 || height == 0 || bitmap->buffer == NULL) { > + *surface = (cairo_image_surface_t *) > + cairo_image_surface_create_for_data (NULL, format, 0, 0, 0); > + return (*surface)->base.status; > diff --git a/patches/cairo-1.16.0/0005-CVE-CVE-2018-19876-Upstream-Status-Backport-Signed-o.patch b/patches/cairo-1.16.0/0005-CVE-CVE-2018-19876-Upstream-Status-Backport-Signed-o.patch > new file mode 100644 > index 000000000000..7eb9f9a9b14b > --- /dev/null > +++ b/patches/cairo-1.16.0/0005-CVE-CVE-2018-19876-Upstream-Status-Backport-Signed-o.patch > @@ -0,0 +1,36 @@ > +From: Christian Melki > +Date: Tue, 17 May 2022 11:06:54 +0200 > +Subject: [PATCH] CVE: CVE-2018-19876 Upstream-Status: Backport 
Signed-off-by: > + Ross Burton > + > +From 90e85c2493fdfa3551f202ff10282463f1e36645 Mon Sep 17 00:00:00 2001 > +From: Carlos Garcia Campos > +Date: Mon, 19 Nov 2018 12:33:07 +0100 > +Subject: [PATCH] ft: Use FT_Done_MM_Var instead of free when available in > + cairo_ft_apply_variations > + > +Fixes a crash when using freetype >= 2.9 > + > +The patch was imported from the Yocto project. > + > +Signed-off-by: Christian Melki > +--- > + src/cairo-ft-font.c | 4 ++++ > + 1 file changed, 4 insertions(+) > + > +diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c > +index 7de310ac5531..51eff850a924 100644 > +--- a/src/cairo-ft-font.c > ++++ b/src/cairo-ft-font.c > +@@ -2393,7 +2393,11 @@ skip: > + done: > + free (coords); > + free (current_coords); > ++#if HAVE_FT_DONE_MM_VAR > ++ FT_Done_MM_Var (face->glyph->library, ft_mm_var); > ++#else > + free (ft_mm_var); > ++#endif > + } > + } > + > diff --git a/patches/cairo-1.16.0/0006-There-is-a-potential-infinite-loop-in-function-_arc_.patch b/patches/cairo-1.16.0/0006-There-is-a-potential-infinite-loop-in-function-_arc_.patch > new file mode 100644 > index 000000000000..42fa25a1b51c > --- /dev/null > +++ b/patches/cairo-1.16.0/0006-There-is-a-potential-infinite-loop-in-function-_arc_.patch 
> @@ -0,0 +1,29 @@ > +From: Christian Melki > +Date: Tue, 17 May 2022 11:09:24 +0200 > +Subject: [PATCH] There is a potential infinite-loop in function > + _arc_error_normalized(). > + > +CVE: CVE-2019-6461 > +Upstream-Status: Pending > +Signed-off-by: Ross Burton > + > +The patch was imported from the Yocto project. > + > +Signed-off-by: Christian Melki > +--- > + src/cairo-arc.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/src/cairo-arc.c b/src/cairo-arc.c > +index 390397bae104..f9249dbeb3c8 100644 > +--- a/src/cairo-arc.c > ++++ b/src/cairo-arc.c > +@@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance) > + do { > + angle = M_PI / i++; > + error = _arc_error_normalized (angle); > +- } while (error > tolerance); > ++ } while (error > tolerance && error > __DBL_EPSILON__); > + > + return angle; > + } > diff --git a/patches/cairo-1.16.0/0007-There-is-an-assertion-in-function-_cairo_arc_in_dire.patch b/patches/cairo-1.16.0/0007-There-is-an-assertion-in-function-_cairo_arc_in_dire.patch > new file mode 100644 > index 000000000000..9a64b69c2d0a > --- /dev/null > +++ b/patches/cairo-1.16.0/0007-There-is-an-assertion-in-function-_cairo_arc_in_dire.patch 
> @@ -0,0 +1,29 @@ > +From: Christian Melki > +Date: Tue, 17 May 2022 11:10:14 +0200 > +Subject: [PATCH] There is an assertion in function _cairo_arc_in_direction(). > + > +CVE: CVE-2019-6462 > +Upstream-Status: Pending > +Signed-off-by: Ross Burton > + > +The patch was imported from the Yocto project. > + > +Signed-off-by: Christian Melki > +--- > + src/cairo-arc.c | 3 ++- > + 1 file changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/src/cairo-arc.c b/src/cairo-arc.c > +index f9249dbeb3c8..1bde774a418d 100644 > +--- a/src/cairo-arc.c > ++++ b/src/cairo-arc.c > +@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, > + if (cairo_status (cr)) > + return; > + > +- assert (angle_max >= angle_min); > ++ if (angle_max < angle_min) > ++ return; > + > + if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { > + angle_max = fmod (angle_max - angle_min, 2 * M_PI); > diff --git a/patches/cairo-1.16.0/0008-Fix-stack-buffer-overflow.patch b/patches/cairo-1.16.0/0008-Fix-stack-buffer-overflow.patch > new file mode 100644 > index 000000000000..2ed134b8b9a0 > --- /dev/null > +++ b/patches/cairo-1.16.0/0008-Fix-stack-buffer-overflow.patch 
> @@ -0,0 +1,59 @@ > +From: Christian Melki > +Date: Tue, 17 May 2022 11:10:57 +0200 > +Subject: [PATCH] Fix stack buffer overflow. > + > +CVE: CVE-2020-35492 > +Upstream-Status: Backport > +Signed-off-by: Ross Burton > + > +From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 > +From: Heiko Lewin > +Date: Tue, 15 Dec 2020 16:48:19 +0100 > +Subject: [PATCH] Fix mask usage in image-compositor > + > +The patch was imported from the Yocto project. > + > +Signed-off-by: Christian Melki > +--- > + src/cairo-image-compositor.c | 8 ++++---- > + 1 file changed, 4 insertions(+), 4 deletions(-) > + > +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c > +index bbf4cf2281da..2352c478e6f0 100644 > +--- a/src/cairo-image-compositor.c > ++++ b/src/cairo-image-compositor.c > +@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, > + unsigned num_spans) > + { > + cairo_image_span_renderer_t *r = abstract_renderer; > +- uint8_t *m; > ++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); > + int x0; > + > + if (num_spans == 0) > + return CAIRO_STATUS_SUCCESS; > + > + x0 = spans[0].x; > +- m = r->_buf; > ++ m = base; > + do { > + int len = spans[1].x - spans[0].x; > + if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { > +@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, > + spans[0].x, y, > + spans[1].x - spans[0].x, h); > + > +- m = r->_buf; > ++ m = base; > + x0 = spans[1].x; > + } else if (spans[0].coverage == 0x0) { > + if (spans[0].x != x0) { > +@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, > + #endif > + } > + > +- m = r->_buf; > ++ m = base; > + x0 = spans[1].x; > + } else { > + *m++ = spans[0].coverage; > diff --git a/patches/cairo-1.16.0/series b/patches/cairo-1.16.0/series > index dc125547febc..0904871d96f6 100644 > --- a/patches/cairo-1.16.0/series > +++ b/patches/cairo-1.16.0/series 
> @@ -3,4 +3,9 @@ > 0001-only-build-GL-surface-tests-if-GLX-is-enabled.patch > 0002-Makefile.sources-move-font-variations.c-a-test-code-.patch > 0003-regrouping-of-test-sources-with-new-fc_font_test_sou.patch > -# dfb78163a7d65338b42965982e516176 - git-ptx-patches magic > +0004-Cairo-Fix-Denial-of-Service-Attack-due-to-Logical-Pr.patch > +0005-CVE-CVE-2018-19876-Upstream-Status-Backport-Signed-o.patch > +0006-There-is-a-potential-infinite-loop-in-function-_arc_.patch > +0007-There-is-an-assertion-in-function-_cairo_arc_in_dire.patch > +0008-Fix-stack-buffer-overflow.patch > +# 1e1d9f93062b124d13fb5d535d4df3e1 - git-ptx-patches magic > diff --git a/rules/host-cairo.make b/rules/host-cairo.make > index e49ab9a6f4c4..aa5c24cec8a0 100644 > --- a/rules/host-cairo.make > +++ b/rules/host-cairo.make > @@ -25,9 +25,6 @@ HOST_CAIRO_CONF_OPT := \ > $(HOST_AUTOCONF) \ > --enable-shared \ > --disable-static \ > - --disable-gtk-doc \ > - --disable-gtk-doc-html \ > - --disable-gtk-doc-pdf \ > --enable-atomic \ > --disable-gcov \ > --disable-valgrind \
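Review bot: in the 0004 patch, the `_get_bitmap_surface` hunk's new `bitmap->buffer == NULL` condition makes a glyph that reports non-zero `width`/`height` but carries no pixel data indistinguishable from a genuinely empty glyph: both now return the same 0x0 surface with its status. That is the intended CVE-2017-7475 guard, but the patch body never says why a NULL buffer can reach this point, so add one comment above the condition naming the bug (https://bugs.freedesktop.org/show_bug.cgi?id=100763) and track the `Upstream-Status: Submitted` tag so the local copy is dropped once the fix lands in a cairo release.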
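Review bot: the 0005 patch header is malformed: `Upstream-Status: Backport` and `Signed-off-by: Ross Burton` have been folded into the Subject line (`Subject: [PATCH] CVE: CVE-2018-19876 Upstream-Status: Backport Signed-off-by: Ross Burton`), which is also why the generated file name reads `0005-CVE-CVE-2018-19876-Upstream-Status-Backport-Signed-o.patch`. Put a blank line after the subject so those trailers land in the body, as the 0006 and 0007 patches already do, and use a subject that states the change (the embedded upstream subject `ft: Use FT_Done_MM_Var instead of free when available in cairo_ft_apply_variations` would do).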
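Review bot: the `cairo_ft_apply_variations` hunk in the 0005 patch keys the fix on `HAVE_FT_DONE_MM_VAR`, but the patch touches only `src/cairo-ft-font.c` (4 insertions) and adds no configure check; if nothing in the cairo 1.16.0 build defines that macro, the `#else` branch still runs `free (ft_mm_var);` and the freetype >= 2.9 crash the commit message describes is not fixed. Please confirm the macro is actually defined in the configured ptxdist build (for example by grepping `HAVE_FT_DONE_MM_VAR` in the generated config.h) before relying on this backport, and say so in the patch body.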
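Review bot: in the 0006 patch, the `_arc_max_angle_for_tolerance_normalized` hunk bounds the loop with the compiler-internal `__DBL_EPSILON__` instead of `DBL_EPSILON` from `<float.h>`; the former is a GCC/Clang predefined macro and not guaranteed by other compilers, so the portable spelling is `} while (error > tolerance && error > DBL_EPSILON);`. The subject also only states the symptom (`There is a potential infinite-loop in function _arc_error_normalized()`); one sentence in the body explaining that the loop is cut off once the error can no longer shrink would make the intent of the extra condition clear, which matters for a patch marked `Upstream-Status: Pending`.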
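Review bot: the `_cairo_arc_in_direction` hunk in the 0007 patch turns a hard `assert (angle_max >= angle_min);` into a silent early return, so a caller that passes inverted angles now draws nothing instead of aborting the process. That is the intended hardening for CVE-2019-6462, but the patch body should state it explicitly (the subject only says that an assertion exists), and it is worth noting that the return leaves the context without any error status, so misuse by a caller is no longer detectable at all; if upstream prefers a different resolution, the `Upstream-Status: Pending` tag should point at where that discussion lives.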
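Review bot: in the first `_inplace_src_spans` hunk of the 0008 patch, `base` is taken from `pixman_image_get_data(r->mask)` with a bare `(uint8_t*)` cast and no check on `r->mask`, and the remaining two hunks only swap `m = r->_buf;` for `m = base;`. That matches upstream commit 03a820b173ed1fdef6ff14b4468f5dbc02ff59be as the header says, so it is fine as a backport, but the ptxdist subject `Fix stack buffer overflow.` should explain in the body that the coverage writes through `*m++` previously targeted the `r->_buf` scratch buffer rather than the mask image's own storage, since the hunks themselves never say why `_buf` was the wrong destination.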
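Review bot: the `rules/host-cairo.make` hunk drops `--disable-gtk-doc`, `--disable-gtk-doc-html` and `--disable-gtk-doc-pdf` from `HOST_CAIRO_CONF_OPT`, which has nothing to do with the five CVE backports and is not mentioned in the commit message (`Plug CVEs: ...`). Either split it into its own commit or add a line explaining why the options went away (for instance, if the configure script no longer recognises them), so the change is not lost when someone bisects a host build regression.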