CVE-2020-35492
Published: 18 March 2021
A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
Priority
CVSS 3 base score: 7.8
Status
Package | Release | Status |
---|---|---|
cairo Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
groovy |
Ignored
(reached end-of-life)
|
|
hirsute |
Ignored
(reached end-of-life)
|
|
impish |
Not vulnerable
(1.16.0-5ubuntu1)
|
|
jammy |
Not vulnerable
(1.16.0-5ubuntu2)
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(1.17.6,1.16.0-5)
|
|
xenial |
Released
(1.14.6-1ubuntu0.1~esm1)
|
Notes
Author | Note |
---|---|
rodrigo-zaiden | The issue was introduced in version 1.12.12 with the commit: https://gitlab.freedesktop.org/cairo/cairo/-/commit/c986a731 |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35492
- https://bugzilla.redhat.com/show_bug.cgi?id=1898396
- https://ubuntu.com/security/notices/USN-5407-1
- NVD
- Launchpad
- Debian