group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>
Date: Mon, 21 Nov 2016 16:31:30 -0000
Reply-to: Bug 1639372 <1639372@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Thanks for the debdiffs!

While they look good, there is some discussion in the upstream bug, and
the fix hasn't been committed yet. I'll wait until the fix is committed
before releasing updates for the stable releases.

** Also affects: cairo (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: cairo (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: cairo (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: cairo (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Changed in: cairo (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: cairo (Ubuntu Trusty)
       Status: New => Confirmed

** Changed in: cairo (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: cairo (Ubuntu Yakkety)
       Status: New => Confirmed

** Changed in: cairo (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: cairo (Ubuntu Precise)
   Importance: Undecided => Medium

** Changed in: cairo (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: cairo (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: cairo (Ubuntu Yakkety)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1639372

Title:
  CVE-2016-9082: DOS attack in converting SVG to PNG

Status in cairo:
  Unknown
Status in cairo package in Ubuntu:
  Fix Released
Status in cairo source package in Precise:
  Confirmed
Status in cairo source package in Trusty:
  Confirmed
Status in cairo source package in Xenial:
  Confirmed
Status in cairo source package in Yakkety:
  Confirmed
Status in cairo package in Debian:
  Fix Released

Bug description:
  I'm attaching debdiffs for trusty, xenial and yakkety. Zesty is
  already fixed by syncing cairo 1.14.6-1.1 from Debian. Maybe someone
  else can work on the precise update.

  Proof of Concept at
  http://seclists.org/oss-sec/2016/q4/44

  I didn't get gdb to work, but when I tried to convert the file, I got
  a crash report named /var/crash/_usr_bin_rsvg-convert.1000.crash .
  After the update, no crash happened.

  I reproduced the crash and verified that the new package doesn't crash
  on yakkety. In xenial I wasn't able to reproduce the crash. I did not
  test on trusty.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cairo/+bug/1639372/+subscriptions