A vulnerability was found in cairo. A maliciously crafted file can cause an out-of-bounds read in the fill_xrgb32_lerp_opaque_spans function in cairo, thus crashing the software.
Created mingw-cairo tracking bugs for this issue:
Affects: epel-7 [bug 1318978]
Reproducer is available there.
Note last update in comment #2:
> However, the original author of that patch (firstname.lastname@example.org) has
> expressed doubts that this change fully fixes the problem and he is now using
> an additional patch to cell_list_add_subspan() in cairo-tor_scan-converter.c.
> Therefore, I think it is best to leave this bug open until the root cause is
> fully understood.
The window of affected versions is somewhere after 1.11.2 until the fix was included in 1.14.2. This leaves epel-7/mingw-cairo and rhel-7.1/cairo affected; all other versions are either prior to the vulnerable code's introduction or (rhel-7.2, fedora, epel/cairo) include the fix.
This CVE was previously addressed in Red Hat Enterprise Linux 7 in the rebase to 1.14.2: