CVE-2020-35492
Published: 18 March 2021
A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
Priority
Low
CVSS 3 base score: 7.8
Status
| Package | Release | Status |
|---|---|---|
|
cairo Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| groovy |
Ignored
(reached end-of-life)
|
|
| hirsute |
Ignored
(reached end-of-life)
|
|
| impish |
Not vulnerable
(1.16.0-5ubuntu1)
|
|
| jammy |
Not vulnerable
(1.16.0-5ubuntu2)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(1.17.6,1.16.0-5)
|
|
| xenial |
Released
(1.14.6-1ubuntu0.1~esm1)
|
Notes
| Author | Note |
|---|---|
| rodrigo-zaiden | The issue was introduced in version 1.12.12 with the commit: https://gitlab.freedesktop.org/cairo/cairo/-/commit/c986a731 |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35492
- https://bugzilla.redhat.com/show_bug.cgi?id=1898396
- https://ubuntu.com/security/notices/USN-5407-1
- NVD
- Launchpad
- Debian