diff options
Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-graphics/cairo')
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo.inc | 1 | ||||
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch | 45 | ||||
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo/cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff | 22 | ||||
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo_1.14.10.bb (renamed from import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo_1.14.8.bb) | 9 |
4 files changed, 74 insertions, 3 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo.inc b/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo.inc index 8e1e2e1b8..20e0d2c92 100644 --- a/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo.inc +++ b/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo.inc @@ -30,6 +30,7 @@ PACKAGECONFIG[directfb] = "--enable-directfb=yes,,directfb" PACKAGECONFIG[valgrind] = "--enable-valgrind=yes,--disable-valgrind,valgrind" PACKAGECONFIG[egl] = "--enable-egl=yes,--disable-egl,virtual/egl" PACKAGECONFIG[glesv2] = "--enable-glesv2,--disable-glesv2,virtual/libgles2" +PACKAGECONFIG[opengl] = "--enable-gl,--disable-gl,virtual/libgl" #check for TARGET_FPU=soft and inform configure of the result so it can disable some floating points require cairo-fpu.inc diff --git a/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch b/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch new file mode 100644 index 000000000..7d02ab947 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch @@ -0,0 +1,45 @@ +From 042421e9e3d266ad0bb7805132041ef51ad3234d Mon Sep 17 00:00:00 2001 +From: Adrian Johnson <ajohnson@redneon.com> +Date: Wed, 16 Aug 2017 22:52:35 -0400 +Subject: [PATCH] cairo: Fix CVE-2017-9814 + +The bug happens because in some scenarios the variable size can +have a value of 0 at line 1288. And malloc(0) is not returning +NULL as some people could expect: + + https://stackoverflow.com/questions/1073157/zero-size-malloc + +malloc(0) returns the smallest chunk possible. So the line 1290 +with the return is not execute. And the execution continues with +an invalid map. + +Since the size is 0 the variable map is not initialized correctly +at load_trutype_table. So, later when the variable map is accessed +previous values from a freed chunk are used. This could allows an +attacker to control the variable map. + +This patch have not merge in upstream now. + +Upstream-Status: Backport [https://bugs.freedesktop.org/show_bug.cgi?id=101547] +CVE: CVE-2017-9814 +Signed-off-by: Dengke Du <dengke.du@windriver.com> +--- + src/cairo-truetype-subset.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c +index e3449a0..f77d11c 100644 +--- a/src/cairo-truetype-subset.c ++++ b/src/cairo-truetype-subset.c +@@ -1285,7 +1285,7 @@ _cairo_truetype_reverse_cmap (cairo_scaled_font_t *scaled_font, + return CAIRO_INT_STATUS_UNSUPPORTED; + + size = be16_to_cpu (map->length); +- map = malloc (size); ++ map = _cairo_malloc (size); + if (unlikely (map == NULL)) + return _cairo_error (CAIRO_STATUS_NO_MEMORY); + +-- +2.8.1 + diff --git a/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo/cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff b/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo/cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff new file mode 100644 index 000000000..7aaad2eed --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo/cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff @@ -0,0 +1,22 @@ +Cairo: Fix Denial-of-Service Attack due to Logical Problem in Program + +https://bugs.freedesktop.org/show_bug.cgi?id=100763 + +CVE: CVE-2017-7475 +Upstream-Status: Submitted + +Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> + +Index: cairo-1.15.4/src/cairo-ft-font.c +=================================================================== +--- cairo-1.15.4.orig/src/cairo-ft-font.c ++++ cairo-1.15.4/src/cairo-ft-font.c +@@ -1149,7 +1149,7 @@ _get_bitmap_surface (FT_Bitmap *bi + width = bitmap->width; + height = bitmap->rows; + +- if (width == 0 || height == 0) { ++ if (width == 0 || height == 0 || bitmap->buffer == NULL) { + *surface = (cairo_image_surface_t *) + cairo_image_surface_create_for_data (NULL, format, 0, 0, 0); + return (*surface)->base.status; diff --git a/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo_1.14.8.bb b/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo_1.14.10.bb index 5a3c74f8e..fcdddc6d9 100644 --- a/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo_1.14.8.bb +++ b/import-layers/yocto-poky/meta/recipes-graphics/cairo/cairo_1.14.10.bb @@ -2,10 +2,13 @@ require cairo.inc LIC_FILES_CHKSUM = "file://COPYING;md5=e73e999e0c72b5ac9012424fa157ad77" -SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz" +SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \ + file://cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff \ + file://0001-cairo-Fix-CVE-2017-9814.patch \ + " -SRC_URI[md5sum] = "4ef0db2eacb271c74f8a3fd87822aa98" -SRC_URI[sha256sum] = "d1f2d98ae9a4111564f6de4e013d639cf77155baf2556582295a0f00a9bc5e20" +SRC_URI[md5sum] = "146f5f4d0b4439fc3792fd3452b7b12a" +SRC_URI[sha256sum] = "7e87878658f2c9951a14fc64114d4958c0e65ac47530b8ac3078b2ce41b66a09" PACKAGES =+ "cairo-gobject cairo-script-interpreter cairo-perf-utils" |