[Buildroot] [PATCH 1/1] package/cairo: security bump to version 1.17.2

Peter Korsgaard peter at korsgaard.com
Sat Feb 29 16:41:47 UTC 2020


>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:

 > - Fix CVE-2018-19876: cairo 1.16.0, in cairo_ft_apply_variations() in
 >   cairo-ft-font.c, would free memory using a free function incompatible
 >   with WebKit's fastMalloc, leading to an application crash with a
 >   "free(): invalid pointer" error.
 > - Update indentation of hash file (two spaces)

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>

Moving from a 2018 release to a snapshot isn't really great here just
before the release :/

Looking at the security tracker, wouldn't it make more sense to apply
the 2 patches (+ autoreconf) instead for master?

https://security-tracker.debian.org/tracker/CVE-2018-19876


 > ---
 >  package/cairo/cairo.hash | 12 ++++++------
 >  package/cairo/cairo.mk   |  4 ++--
 >  2 files changed, 8 insertions(+), 8 deletions(-)

 > diff --git a/package/cairo/cairo.hash b/package/cairo/cairo.hash
 > index 949ed3ffee..c86ccc31ab 100644
 > --- a/package/cairo/cairo.hash
 > +++ b/package/cairo/cairo.hash
 > @@ -1,9 +1,9 @@
 > -# From https://www.cairographics.org/releases/cairo-1.16.0.tar.xz.sha1
 > -sha1 00e81842ae5e81bb0343108884eb5205be0eac14 cairo-1.16.0.tar.xz
 > +# From https://cairographics.org/snapshots/cairo-1.17.2.tar.xz.sha1
 > +sha1  c5d6f12701f23b2dc2988a5a5586848e70e858fe  cairo-1.17.2.tar.xz
 >  # Calculated based on the hash above
 > -sha256	5e7b29b3f113ef870d1e3ecf8adf21f923396401604bda16d44be45e66052331	cairo-1.16.0.tar.xz
 > +sha256  6b70d4655e2a47a22b101c666f4b29ba746eda4aa8a0f7255b32b2e9408801df  cairo-1.17.2.tar.xz
 
 >  # Hash for license files:
 > -sha256	67228a9f7c5f9b67c58f556f1be178f62da4d9e2e6285318d8c74d567255abdf	COPYING
 > -sha256	9e9e8608c4cdda51a78cc3a385f4ec9a2e4c96d5ecad74ac8bca5fca3e563b7d	COPYING-LGPL-2.1
 > -sha256	53692a2ed6c6a2c6ec9b32dd0b820dfae91e0a1fcdf625ca9ed0bdf8705fcc4f	COPYING-MPL-1.1
 > +sha256  67228a9f7c5f9b67c58f556f1be178f62da4d9e2e6285318d8c74d567255abdf  COPYING
 > +sha256  9e9e8608c4cdda51a78cc3a385f4ec9a2e4c96d5ecad74ac8bca5fca3e563b7d  COPYING-LGPL-2.1
 > +sha256  53692a2ed6c6a2c6ec9b32dd0b820dfae91e0a1fcdf625ca9ed0bdf8705fcc4f  COPYING-MPL-1.1
 > diff --git a/package/cairo/cairo.mk b/package/cairo/cairo.mk
 > index 902f505aaa..10f6a661f8 100644
 > --- a/package/cairo/cairo.mk
 > +++ b/package/cairo/cairo.mk
 > @@ -4,11 +4,11 @@
 >  #
 >  ################################################################################
 
 > -CAIRO_VERSION = 1.16.0
 > +CAIRO_VERSION = 1.17.2
 >  CAIRO_SOURCE = cairo-$(CAIRO_VERSION).tar.xz
 >  CAIRO_LICENSE = LGPL-2.1 or MPL-1.1 (library)
 >  CAIRO_LICENSE_FILES = COPYING COPYING-LGPL-2.1 COPYING-MPL-1.1
 > -CAIRO_SITE = http://cairographics.org/releases
 > +CAIRO_SITE = http://cairographics.org/snapshots
 >  CAIRO_INSTALL_STAGING = YES
 
 >  # relocation truncated to fit: R_68K_GOT16O
 > -- 
 > 2.25.0

 > _______________________________________________
 > buildroot mailing list
 > buildroot at busybox.net
 > http://lists.busybox.net/mailman/listinfo/buildroot

-- 
Bye, Peter Korsgaard


More information about the buildroot mailing list