[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
very good post. http://www.hairvitamins6.com http://www.uaegoldpricetoday.com http://www.saudigoldpricetoday.com

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cairo in Ubuntu.
https://bugs.launchpad.net/bugs/1639372

Title:
  CVE-2016-9082: DOS attack in converting SVG to PNG

Status in cairo:
  Unknown
Status in cairo package in Ubuntu:
  Fix Released
Status in cairo source package in Precise:
  Won't Fix
Status in cairo source package in Trusty:
  Confirmed
Status in cairo source package in Xenial:
  Fix Released
Status in cairo source package in Yakkety:
  Confirmed
Status in cairo package in Debian:
  Fix Released

Bug description:
  I'm attaching debdiffs for trusty, xenial and yakkety. Zesty is already fixed by syncing cairo 1.14.6-1.1 from Debian. Maybe someone else can work on the precise update.

  Proof of Concept at http://seclists.org/oss-sec/2016/q4/44

  I didn't get gdb to work, but when I tried to convert the file, I got a crash report named /var/crash/_usr_bin_rsvg-convert.1000.crash . After the update, no crash happened.

  I reproduced the crash and verified that the new package doesn't crash on yakkety. In xenial I wasn't able to reproduce the crash. I did not test on trusty.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cairo/+bug/1639372/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
Fixed in xenial 1.14.6-1ubuntu0.1~esm1:
https://ubuntu.com/security/notices/USN-5407-1

** Changed in: cairo (Ubuntu Xenial)
       Status: Confirmed => Fix Released
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

** Changed in: cairo (Ubuntu Precise)
       Status: Confirmed => Won't Fix
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
Launchpad has imported 13 comments from the remote bug at https://bugs.freedesktop.org/show_bug.cgi?id=98165.

If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2016-10-08T17:16:15+00:00 Jbowler wrote:

This is in cairo-1.14.6

This has already been reported on oss-security, although there is no analysis there and as yet there is no CVE:

http://www.openwall.com/lists/oss-security/2016/10/06/1

The repro uses:

    rsvg-convert -o crash.png crash.svg

The crash happens because write_png passes invalid (off by 4GByte) pointers to libpng. The bug is in the declaration of _cairo_image_surface which obviously won't work on a machine with a 64-bit address space and 32-bit (int) values.

The crash is 'just' a read from the invalid pointer inside libpng, however there is at least one other case of the loop in read_png where the crash would be a memory overwrite with data from the PNG; that version has been semi-fixed.

I'm not posting a detailed analysis because I'm not sure how many places the bug is exposed and it is pretty clear given the fact that the loop in read_png is different that you already know about one instance of this bug.

The libpng maintainer has a copy of my complete analysis and the original SVG, I suggest not posting it at the moment because it took me about 4 minutes to find the problem given the SVG. I also suspect it isn't specific to SVG; I assume the read_png change came from test jockeys hitting Cairo with various obvious PNG files, they tend to not test SVG anywhere near as much.

The fix is to change 'stride' in the surface to (size_t), and preferably width/height to (uint32_t) and depth to (unsigned). Doing that will reveal all cases of the bug given a sufficiently high warning level.

Reply at: https://bugs.launchpad.net/ubuntu/+source/cairo/+bug/1639372/comments/0

On 2016-10-11T07:30:52+00:00 Jbowler wrote:

This bug is also reported here:

https://bugzilla.redhat.com/show_bug.cgi?id=1382656

The referenced bug:

http://seclists.org/oss-sec/2016/q4/44

isn't up to date but is, unfortunately, publicly readable.

Reply at: https://bugs.launchpad.net/ubuntu/+source/cairo/+bug/1639372/comments/1

On 2016-10-11T12:38:11+00:00 Adrian Johnson wrote:

Created attachment 127211
fix integer overflow

Reply at: https://bugs.launchpad.net/ubuntu/+source/cairo/+bug/1639372/comments/2

On 2016-10-11T16:43:50+00:00 Jbowler wrote:

Well, yes, stride should be (size_t), but there may be other instances of this. If you change the type of stride in the struct to (unsigned int), from (int) and run with the correct compiler warning options it will warn about:

    (int) * (unsigned int)

because the (int) gets converted silently to (unsigned int). GCC probably ignores this by default, but the -Wconversion stuff is meant to detect it. Coverity certainly can.

Doing the above temporarily will tell you if any other code in libcairo does this. It doesn't catch all the potential problems; for example read_png already has 'i' as (unsigned int) and does (IRC):

    i * stride

That still overflows on a 64-bit system, it just requires a bigger SVG and it is a 'safe' overflow because all the pointers are still inside the image buffer.

This is why I suggested changing the struct member; it is difficult to detect potential 32-bit overflow. I don't think even Coverity warns about 32-bit arithmetic being used inside a 64-bit address calculation and it is extremely common and normally safe.

The other approach you could use is to check when the cairo surface is created to make sure it doesn't require more than a 31, or 32-bit sized buffer. However there are some devices out there which can exceed a 4GByte image; think of a 72" poster printer running at 1200dpi. That has 86400 dots (bytes) per row so a 42" high printout would exceed the limit.

Reply at: https://bugs.launchpad.net/ubuntu/+source/cairo/+bug/1639372/comments/3

On 2016-10-13T11:36:08+00:00 Adrian Johnson wrote:

I don't like the idea of making stride unsigned. Maybe ptrdiff_t would be a better type for stride.

Reply at: https://bugs.launchpad.net/ubuntu/+source/cairo/+bug/1639372/comments/4

On 2016-10-13T14:54:46+00:00 Jbowler wrote:

If cairo does support bottom-up surfaces, as are typically used in engineering analysis (where 'z' comes out of the page) then that is the correct solution. Indeed, the change made to write_png (the cast to
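
The row-offset arithmetic discussed in the imported comments above, modelled as an added example; it is not cairo's code and not the attached patch. All function names are hypothetical, the geometry is the 72" x 42" 1200 dpi poster from the thread (86400 bytes per row, 50400 rows), and int64_t stands in for a pointer-sized type (size_t or ptrdiff_t) on a 64-bit target.

```c
#include <stdint.h>
#include <stdio.h>

#define TWO_POW_32 4294967296LL

/* `int i, stride; data + i * stride` (the write_png form): the product is
 * formed in 32 bits and read as signed. Modelled with 64-bit arithmetic so
 * this example itself contains no undefined signed overflow. */
static int64_t offset_signed32(int32_t row, int32_t stride)
{
    uint32_t low = (uint32_t)((int64_t)row * stride);   /* low 32 bits only */
    return low >= 0x80000000u ? (int64_t)low - TWO_POW_32 : (int64_t)low;
}

/* `unsigned int i; i * stride` (the read_png form): the int operand is
 * converted to unsigned and the product wraps modulo 2^32. */
static int64_t offset_unsigned32(uint32_t row, int32_t stride)
{
    return (int64_t)(uint32_t)((uint64_t)row * (uint32_t)stride);
}

/* Widened form: convert to a pointer-sized type before multiplying. */
static int64_t offset_wide(uint32_t row, int32_t stride)
{
    return (int64_t)row * (int64_t)stride;
}

/* First row whose 32-bit signed offset differs from the true one, or -1. */
static int64_t first_bad_row(int32_t stride, int32_t height)
{
    for (int32_t row = 0; row < height; row++)
        if (offset_signed32(row, stride) != offset_wide((uint32_t)row, stride))
            return row;
    return -1;
}

/* Creation-time check (the "other approach" in the thread): accept the
 * geometry only if the whole buffer is addressable with 31-bit offsets.
 * Returns 1 and stores the stride on success, 0 otherwise. */
static int surface_fits_int32(uint32_t width, uint32_t height,
                              uint32_t bytes_per_pixel, int32_t *stride)
{
    uint64_t row_bytes = (uint64_t)width * bytes_per_pixel;

    if (row_bytes == 0 || height == 0 || row_bytes > INT32_MAX)
        return 0;
    if (row_bytes * height > INT32_MAX)   /* cannot wrap: both factors < 2^32 */
        return 0;
    *stride = (int32_t)row_bytes;
    return 1;
}

int main(void)
{
    const int32_t stride = 86400, height = 50400;   /* poster example */
    int64_t bad = first_bad_row(stride, height);
    int32_t s = 0;

    printf("first row with a wrong signed 32-bit offset: %lld\n", (long long)bad);
    printf("  32-bit signed offset: %lld\n",
           (long long)offset_signed32((int32_t)bad, stride));
    printf("  true offset:          %lld\n",
           (long long)offset_wide((uint32_t)bad, stride));
    printf("row 49711, 32-bit unsigned offset: %lld (true %lld)\n",
           (long long)offset_unsigned32(49711, stride),
           (long long)offset_wide(49711, stride));
    printf("poster accepted by creation check: %d\n",
           surface_fits_int32(86400, 50400, 1, &s));
    return 0;
}
```

The signed form lands exactly 4 GiB below the true row, outside the buffer; the unsigned form wraps to an offset that is inside the buffer but belongs to a different row.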
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
** Changed in: cairo
       Status: Confirmed => In Progress
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
** Changed in: cairo
       Status: Unknown => Confirmed

** Changed in: cairo
   Importance: Unknown => Critical
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
Since there still is no final solution in the upstream bug, I am unsubscribing ubuntu-security-sponsors for now. Please re-subscribe the group if the upstream bug gets a proper fix. Thanks!
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
I just checked the upstream bug (https://bugs.freedesktop.org/show_bug.cgi?id=98165) again and there's still no final solution.
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
Thanks for the debdiffs! While they look good, there is some discussion in the upstream bug, and the fix hasn't been committed yet. I'll wait until the fix is committed before releasing updates for the stable releases.

** Also affects: cairo (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: cairo (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: cairo (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: cairo (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Changed in: cairo (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: cairo (Ubuntu Trusty)
       Status: New => Confirmed

** Changed in: cairo (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: cairo (Ubuntu Yakkety)
       Status: New => Confirmed

** Changed in: cairo (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: cairo (Ubuntu Precise)
   Importance: Undecided => Medium

** Changed in: cairo (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: cairo (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: cairo (Ubuntu Yakkety)
   Importance: Undecided => Medium
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
** Changed in: cairo (Ubuntu)
   Importance: Undecided => High
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
** Changed in: cairo (Debian)
       Status: Unknown => Fix Released
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
** Description changed:

  I'm attaching debdiffs for trusty, xenial and yakkety. Zesty is already fixed by syncing cairo 1.14.6-1.1 from Debian. Maybe someone else can work on the precise update.

  Proof of Concept at http://seclists.org/oss-sec/2016/q4/44

  I didn't get gdb to work, but when I tried to convert the file, I got a crash report named /var/crash/_usr_bin_rsvg-convert.1000.crash . After the update, no crash happened.

  I reproduced the crash and verified that the new package doesn't crash
- on xenial and yakkety only. I did not test on trusty.
+ on yakkety. In xenial I wasn't able to reproduce the crash. I did not
+ test on trusty.
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
** Patch added: "cairo-CVE-2016-9082-trusty.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/cairo/+bug/1639372/+attachment/4772691/+files/cairo-CVE-2016-9082-trusty.debdiff

** Information type changed from Public to Public Security

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9082

** Bug watch added: Debian Bug tracker #842289
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842289

** Also affects: cairo (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842289
   Importance: Unknown
       Status: Unknown

** Bug watch added: freedesktop.org Bugzilla #98165
   https://bugs.freedesktop.org/show_bug.cgi?id=98165

** Also affects: cairo via
   https://bugs.freedesktop.org/show_bug.cgi?id=98165
   Importance: Unknown
       Status: Unknown

** Tags added: patch precise trusty xenial yakkety zesty
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
** Patch added: "cairo-CVE-2016-9082-yakkety.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/cairo/+bug/1639372/+attachment/4772690/+files/cairo-CVE-2016-9082-yakkety.debdiff
[Touch-packages] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
** Patch added: "cairo-CVE-2016-9082-xenial.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/cairo/+bug/1639372/+attachment/4772689/+files/cairo-CVE-2016-9082-xenial.debdiff