Security update for cairo SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:1937-1 Final 1 1 2020-07-15T21:56:33Z current 2020-07-15T21:56:33Z 2020-07-15T21:56:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cairo This update for cairo fixes the following issues: - Fix a memory corruption in pango. - Revert 'Correctly decode Adobe CMYK JPEGs in PDF export'. - Add more FreeeType font color conversions to support COLR/CPAL. - Fix crash when rendering Microsoft's Segoe UI Emoji Regular font. - Fix memory leaks found by Coverity. - Fix assertion failure in the freetype backend. (fdo#105746). - Add cairo-CVE-2017-9814.patch: Replace malloc with _cairo_malloc and check cmap size before allocating (bsc#1049092) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-1937,SUSE-SLE-Module-Basesystem-15-SP1-2020-1937,SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1937 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20201937-1/ Link for SUSE-SU-2020:1937-1 https://lists.suse.com/pipermail/sle-security-updates/2020-July/007144.html E-Mail link for SUSE-SU-2020:1937-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1049092 SUSE Bug 1049092 https://www.suse.com/security/cve/CVE-2017-9814/ SUSE CVE CVE-2017-9814 page SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1 cairo-devel-1.16.0-4.8.1 cairo-devel-32bit-1.16.0-4.8.1 cairo-devel-64bit-1.16.0-4.8.1 cairo-tools-1.16.0-4.8.1 libcairo-gobject2-1.16.0-4.8.1 libcairo-gobject2-32bit-1.16.0-4.8.1 libcairo-gobject2-64bit-1.16.0-4.8.1 libcairo-script-interpreter2-1.16.0-4.8.1 libcairo-script-interpreter2-32bit-1.16.0-4.8.1 libcairo-script-interpreter2-64bit-1.16.0-4.8.1 libcairo2-1.16.0-4.8.1 libcairo2-32bit-1.16.0-4.8.1 libcairo2-64bit-1.16.0-4.8.1 cairo-devel-1.16.0-4.8.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 libcairo-gobject2-1.16.0-4.8.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 libcairo-script-interpreter2-1.16.0-4.8.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 libcairo2-1.16.0-4.8.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 libcairo2-32bit-1.16.0-4.8.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) because of mishandling of an unexpected malloc(0) call. CVE-2017-9814 SUSE Linux Enterprise Module for Basesystem 15 SP1:cairo-devel-1.16.0-4.8.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:libcairo-gobject2-1.16.0-4.8.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:libcairo-script-interpreter2-1.16.0-4.8.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:libcairo2-1.16.0-4.8.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:libcairo2-32bit-1.16.0-4.8.1 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201937-1/ https://www.suse.com/security/cve/CVE-2017-9814.html CVE-2017-9814 https://bugzilla.suse.com/1049092 SUSE Bug 1049092