Bug 1898396 (CVE-2020-35492) - CVE-2020-35492 cairo: libreoffice slideshow aborts with stack smashing in cairo's composite_boxes
Summary: CVE-2020-35492 cairo: libreoffice slideshow aborts with stack smashing in cai...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-35492
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1908113 1911335 1911336 1911486
Blocks: 1898175 1940003
TreeView+ depends on / blocked
 
Reported: 2020-11-16 23:22 UTC by Todd Cullum
Modified: 2024-03-25 17:06 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in cairo's image-compositor.c. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2022-05-11 20:46:04 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:1961 0 None None None 2022-05-10 14:31:00 UTC
freedesktop.org Gitlab cairo cairo issues 437 0 None None None 2021-01-11 16:04:11 UTC

Description Todd Cullum 2020-11-16 23:22:17 UTC 
libreoffice-7.0.2.2+ Impress aborts with a stack smashing error when provided a crafted .odp presentation file, on GNOME with the "scale" Display setting set to 175%. The issue is likely due to a problem in the cairo dependency. This could be related to [1] and is likely caused by [2]

1. https://gitlab.freedesktop.org/pixman/pixman/-/issues/9
2. https://gitlab.freedesktop.org/cairo/cairo/-/commit/c986a7310bb06582b7d8a566d5f007ba4e5e75bf
Comment 5 Todd Cullum 2020-12-15 19:54:07 UTC 
Upstream commit (includes test): https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/85/diffs?commit_id=03a820b173ed1fdef6ff14b4468f5dbc02ff59be
Comment 6 Todd Cullum 2020-12-15 19:56:36 UTC 
Acknowledgments:

Name: Stephan Bergmann (Red Hat)
Comment 10 Todd Cullum 2020-12-28 18:28:06 UTC 
Created cairo tracking bugs for this issue:

Affects: fedora-all [bug 1911335]


Created libreoffice tracking bugs for this issue:

Affects: fedora-all [bug 1911336]
Comment 12 Todd Cullum 2020-12-28 18:49:47 UTC 
Statement:

Libreoffice as shipped in Red Hat Enterprise Linux 6, 7, and 8 is not affected by this flaw as it was introduced in a newer version. Also note that while the flaw was originally discovered via Libreoffice, the root cause is in the cairo graphics library. This flaw has an adjusted CVSS score for cairo as shipped with Red Hat Enterprise Linux 8 because cairo is built with binary protections which limit the impact.
Comment 17 Todd Cullum 2021-01-13 01:06:33 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 18 Todd Cullum 2021-01-13 01:12:46 UTC 
Upstream issue: https://gitlab.freedesktop.org/cairo/cairo/-/issues/437
Comment 20 errata-xmlrpc 2022-05-10 14:30:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1961 https://access.redhat.com/errata/RHSA-2022:1961
Comment 21 Product Security DevOps Team 2022-05-11 20:46:02 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35492
Note You need to log in before you can comment on or make changes to this bug.