Bug 1637792 (CVE-2018-18064) - CVE-2018-18064 cairo: Stack-based buffer overflow via parsing of crafted WebKitGTK+ document
Summary: CVE-2018-18064 cairo: Stack-based buffer overflow via parsing of crafted WebK...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2018-18064
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1637793 1637794 1637795 1637796 1637797 1648806
Blocks: 1637799
TreeView+ depends on / blocked
 
Reported: 2018-10-10 06:37 UTC by Sam Fowler
Modified: 2021-02-16 22:57 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-02 10:58:25 UTC
Embargoed:

Attachments (Terms of Use)

Description Sam Fowler 2018-10-10 06:37:09 UTC 
cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).


Upstream Issue:

https://gitlab.freedesktop.org/cairo/cairo/issues/341
Comment 1 Sam Fowler 2018-10-10 06:37:53 UTC 
Created cairo tracking bugs for this issue:

Affects: fedora-all [bug 1637793]


Created mingw-cairo tracking bugs for this issue:

Affects: epel-7 [bug 1637795]
Affects: fedora-all [bug 1637794]
Comment 5 Huzaifa S. Sidhpurwala 2020-03-03 03:53:52 UTC 
Mitigation:

Attackers can use specially-crafted files to trigger this stack-buffer overflow in cairo. Applications compiled with cairo, which do not parse untrusted 2D image files are not vulnerable to this flaw. cairo package in Red Hat Enterprise Linux 7 and 8 is compiled with gcc's Stack Smashing Protection, which may reduce the impact of this flaw to crash only.
Note You need to log in before you can comment on or make changes to this bug.