CVE-2020-35492

Name
CVE-2020-35492
Description
A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1898396
Patch https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:cairographics:cairo:*:*:*:*:*:*:*:* cairo >= None < 1.17.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
cairo 3.13-main 1.16.0-r2 Natanael Copa <ncopa@alpinelinux.org> fixed
cairo 3.12-main 1.16.0-r3 Natanael Copa <ncopa@alpinelinux.org> fixed
cairo 3.11-main 1.16.0-r3 Natanael Copa <ncopa@alpinelinux.org> fixed
cairo 3.10-main 1.16.0-r3 Natanael Copa <ncopa@alpinelinux.org> fixed
cairo edge-main 1.16.0-r3 Natanael Copa <ncopa@alpinelinux.org> fixed
cairo 3.14-main 1.16.0-r3 Natanael Copa <ncopa@alpinelinux.org> fixed