CLD-22 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2016-9082 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) cairo
Deficiency Type SECURITY
Date Created 2017-09-14 21:23:32
Date Last Modified 2017-09-14 22:56:35

Version Specific Information:

Cucumber 1.0 i686 fixed in cairo-1.14.8-i686-3
Cucumber 1.0 x86_64 fixed in cairo-1.14.8-x86_64-3 and cairo-lib_i686-1.14.8-lib_i686-3

Cucumber 1.1 i686 fixed in cairo-1.14.8-i686-3
Cucumber 1.1 x86_64 fixed in cairo-1.14.8-x86_64-3 and cairo-lib_i686-1.14.8-lib_i686-3

Details:

Integer overflow in the write_png function in cairo 1.14.6 allows remote
attackers to cause a denial of service (invalid pointer dereference) via a large
svg file (https://nvd.nist.gov/vuln/detail/CVE-2016-9082).

Due to the nature of invalid pointer dereferences, it is also possible that it
could result in arbitray code execution. This has been neither proven nor
disproven (http://www.securityfocus.com/bid/93931/discuss).

Upstream bug report:
https://bugs.freedesktop.org/show_bug.cgi?id=98165