group.of.nepali.translators team mailing list archive
Message #42709
[Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
Fixed in xenial 1.14.6-1ubuntu0.1~esm1:
https://ubuntu.com/security/notices/USN-5407-1
** Changed in: cairo (Ubuntu Xenial)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1639372
Title:
CVE-2016-9082: DOS attack in converting SVG to PNG
Status in cairo:
Unknown
Status in cairo package in Ubuntu:
Fix Released
Status in cairo source package in Precise:
Won't Fix
Status in cairo source package in Trusty:
Confirmed
Status in cairo source package in Xenial:
Fix Released
Status in cairo source package in Yakkety:
Confirmed
Status in cairo package in Debian:
Fix Released
Bug description:
I'm attaching debdiffs for trusty, xenial and yakkety. Zesty is
already fixed by syncing cairo 1.14.6-1.1 from Debian. Maybe someone
else can work on the precise update.
Proof of Concept at
http://seclists.org/oss-sec/2016/q4/44
I didn't get gdb to work, but when I tried to convert the file, I got
a crash report named /var/crash/_usr_bin_rsvg-convert.1000.crash .
After the update, no crash happened.
I reproduced the crash and verified that the new package doesn't crash
on yakkety. In xenial I wasn't able to reproduce the crash. I did not
test on trusty.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cairo/+bug/1639372/+subscriptions