group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Steve Langasek <1639372@xxxxxxxxxxxxxxxxxx>
Date: Thu, 14 Oct 2021 15:28:01 -0000
Reply-to: Bug 1639372 <1639372@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

The Precise Pangolin has reached end of life, so this bug will not be
fixed for that release

** Changed in: cairo (Ubuntu Precise)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1639372

Title:
  CVE-2016-9082: DOS attack in converting SVG to PNG

Status in cairo:
  Unknown
Status in cairo package in Ubuntu:
  Fix Released
Status in cairo source package in Precise:
  Won't Fix
Status in cairo source package in Trusty:
  Confirmed
Status in cairo source package in Xenial:
  Confirmed
Status in cairo source package in Yakkety:
  Confirmed
Status in cairo package in Debian:
  Fix Released

Bug description:
  I'm attaching debdiffs for trusty, xenial and yakkety. Zesty is
  already fixed by syncing cairo 1.14.6-1.1 from Debian. Maybe someone
  else can work on the precise update.

  Proof of Concept at
  http://seclists.org/oss-sec/2016/q4/44

  I didn't get gdb to work, but when I tried to convert the file, I got
  a crash report named /var/crash/_usr_bin_rsvg-convert.1000.crash .
  After the update, no crash happened.

  I reproduced the crash and verified that the new package doesn't crash
  on yakkety. In xenial I wasn't able to reproduce the crash. I did not
  test on trusty.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cairo/+bug/1639372/+subscriptions