Debian Package Tracker

general

source: cairo (main)
version: 1.16.0-4
maintainer: Debian GNOME Maintainers (archive) (DMD)
uploaders: Jeremy Bicha [DMD] – Emilio Pozuelo Monfort [DMD] – Laurent Bigonville [DMD]
arch: all any
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.14.0-2.1+deb8u2
oldstable: 1.14.8-1
stable: 1.16.0-4
testing: 1.16.0-4
unstable: 1.16.0-4

versioned links

1.14.0-2.1+deb8u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.14.8-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.16.0-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

cairo-perf-utils (1 bugs: 0, 1, 0, 0)
libcairo-gobject2
libcairo-script-interpreter2
libcairo2 (48 bugs: 0, 48, 0, 0)
libcairo2-dev
libcairo2-doc
libcairo2-udeb

action needed

lintian reports 3 errors and 11 warnings high

Lintian reports 3 errors and 11 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-07-29 Last update: 2020-07-29 12:30

5 security issues in bullseye high

There are 5 open security issues in bullseye.

5 important issues:

CVE-2019-6462: An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.
CVE-2018-18064: cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).
CVE-2019-6461: An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.
CVE-2017-7475: Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.
CVE-2017-9814: cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) because of mishandling of an unexpected malloc(0) call.

Please fix them.

Created: 2019-07-07 Last update: 2020-07-08 22:18

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2019-6462: An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.
CVE-2018-18064: cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).
CVE-2019-6461: An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.
CVE-2017-7475: Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.
CVE-2017-9814: cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) because of mishandling of an unexpected malloc(0) call.

Please fix them.

Created: 2017-04-29 Last update: 2020-07-08 22:18

5 bugs tagged patch in the BTS normal

The BTS contains patches fixing 5 bugs, consider including or untagging them.

Created: 2020-06-28 Last update: 2020-08-04 08:30

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.16.0-5, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 322aaf0257339fb781633046f9a21cd5b85f08cd
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Apr 20 13:22:37 2020 +0100

    Wrap a long line in the 1.12.4-1 changelog entry (thanks, lintian-brush)

commit 8795fc39022ca3154cad1160223f16bafa398ddb
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Apr 20 13:22:02 2020 +0100

    Update changelog

commit 17ffae58f5c0edbf52e3d50dff3bc5442862ac3c
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Apr 20 13:19:53 2020 +0100

    Standards-Version: 4.5.0 (no changes required)

commit 2d7c4f23046d32211397e23c4f5b7b5ed2adef52
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Apr 20 13:19:00 2020 +0100

    Enable dh_dwz

commit a8ad2f0286b52481642733af81b57b6ba8b3c008
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Apr 20 13:01:41 2020 +0100

    Set Rules-Requires-Root to no

commit cf6c478ed786ba3d79575979491c2cc1c529a7df
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Apr 20 12:57:35 2020 +0100

    Move to debhelper-compat 12
    
    - Drop -V from dh_makeshlibs (it is now the default)
    - Disable dh_dwz for now, to make diffoscope more useful

commit ff2c6fc4a08a46a20d148034e0c04e069f7395d5
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Apr 20 12:55:10 2020 +0100

    d/rules: Don't maintain shlibs version manually
    
    The symbols files make this unnecessary under most circumstances, and -V
    (which is the default in debhelper compat level 12) generates a
    dependency on at least the corresponding upstream version as a fallback.

commit 072ae32ce0e563038e242fc4378dbbc50c1d6264
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Apr 20 12:52:25 2020 +0100

    Remove migration path from libcairo2-dbg older than Debian 9 'stretch'

commit a9f1bd9c2bc1f6027c52e983710fcc3d194aca80
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Apr 20 12:49:55 2020 +0100

    Add Build-Depends-Package to all symbols files

commit f0fd7800e8f282c7b8e91d524740d6c2ad78802d
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Apr 20 12:45:05 2020 +0100

    d/shlibs.local: Generate lockstep dependencies between binary packages
    
    Upstream developers are not going to support mixing binary packages
    of different versions from the same source package, and neither should
    we; they all migrate to testing as a unit anyway.

commit 19d7a885491d545e689e92d9db7e994a8ebc09ec
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Dec 23 13:07:22 2019 +0000

    d/tests/build: Use correct compiler for proposed autopkgtest cross-architecture testing support
    
    Closes: #946371

commit 17fe1422ec2713e977ab6318a6d6eec35db4f7a3
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Dec 23 13:05:52 2019 +0000

    d/tests/build: Fix shellcheck warnings

commit ebf5f588434dd59938bf7ff2f4e9c13bb075ef93
Author: Simon McVittie <smcv@debian.org>
Date:   Sun Sep 15 14:57:10 2019 +0100

    d/tests/build: Mark as superficial (see #904979)

Created: 2019-09-15 Last update: 2020-08-03 16:10

5 ignored security issues in buster low

There are 5 open security issues in buster.

5 issues skipped by the security teams:

CVE-2019-6462: An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.
CVE-2018-18064: cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).
CVE-2019-6461: An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.
CVE-2017-7475: Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.
CVE-2017-9814: cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) because of mishandling of an unexpected malloc(0) call.

Please fix them.

Created: 2017-06-18 Last update: 2020-07-08 22:18

5 ignored security issues in stretch low

There are 5 open security issues in stretch.

5 issues skipped by the security teams:

CVE-2019-6462: An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized.
CVE-2018-18064: cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).
CVE-2019-6461: An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.
CVE-2017-7475: Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.
CVE-2017-9814: cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) because of mishandling of an unexpected malloc(0) call.

Please fix them.

Created: 2017-04-29 Last update: 2020-07-08 22:18

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.0 instead of 4.3.0).

Created: 2019-07-08 Last update: 2020-01-21 05:06

news

[rss feed]

[2019-03-20] cairo 1.16.0-4 MIGRATED to testing (Debian testing watch)
[2019-03-15] Accepted cairo 1.16.0-4 (source) into unstable (Simon McVittie)
[2019-03-05] cairo 1.16.0-3 MIGRATED to testing (Debian testing watch)
[2019-02-22] Accepted cairo 1.16.0-3 (source) into unstable (Sebastien Bacher)
[2018-12-26] cairo 1.16.0-2 MIGRATED to testing (Debian testing watch)
[2018-12-23] Accepted cairo 1.16.0-2 (source) into unstable (Jeremy Bicha)
[2018-10-23] cairo 1.16.0-1 MIGRATED to testing (Debian testing watch)
[2018-10-20] Accepted cairo 1.16.0-1 (source) into unstable (Jeremy Bicha)
[2018-08-26] cairo 1.15.12-1 MIGRATED to testing (Debian testing watch)
[2018-08-24] Accepted cairo 1.15.12-1 (source) into unstable (Jeremy Bicha)
[2018-04-24] cairo 1.15.10-3 MIGRATED to testing (Debian testing watch)
[2018-04-18] Accepted cairo 1.15.10-3 (source) into unstable (Emilio Pozuelo Monfort)
[2018-02-25] Accepted cairo 1.15.10-2 (source) into unstable (Jeremy Bicha)
[2018-02-08] cairo 1.15.10-1 MIGRATED to testing (Debian testing watch)
[2018-02-02] Accepted cairo 1.15.10-1 (source) into unstable (Jeremy Bicha)
[2017-12-27] cairo 1.15.8-3 MIGRATED to testing (Debian testing watch)
[2017-12-21] Accepted cairo 1.15.8-3 (source) into unstable (Jeremy Bicha)
[2017-10-30] cairo 1.15.8-2 MIGRATED to testing (Debian testing watch)
[2017-10-25] Accepted cairo 1.15.8-2 (source amd64 all) into unstable (Laurent Bigonville)
[2017-10-17] Accepted cairo 1.15.8-1 (source amd64 all) into experimental (Laurent Bigonville)
[2017-07-07] cairo 1.14.10-1 MIGRATED to testing (Debian testing watch)
[2017-07-02] Accepted cairo 1.14.10-1 (source) into unstable (Andreas Henriksson)
[2017-01-02] Accepted cairo 1.14.0-2.1+deb8u2 (all source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2016-12-24] cairo 1.14.8-1 MIGRATED to testing (Debian testing watch)
[2016-12-13] Accepted cairo 1.14.8-1 (source) into unstable (Emilio Pozuelo Monfort)
[2016-11-14] cairo 1.14.6-1.1 MIGRATED to testing (Debian testing watch)
[2016-11-04] Accepted cairo 1.14.6-1.1 (all source) into unstable (Salvatore Bonaccorso)
[2016-10-28] Accepted cairo 1.12.2-3+deb7u1 (source all amd64) into oldstable (Chris Lamb)
[2016-10-10] Accepted cairo 1.14.0-2.1+deb8u1~kbsd8u1 (source all) into stable-kfreebsd-proposed-updates (Steven Chamberlain)
[2016-03-21] Accepted cairo 1.14.0-2.1+deb8u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Moritz Mühlenhoff)

bugs [bug history graph]

all: 59 63
RC: 0
I&N: 55 59
M&W: 3
F&P: 1
patch: 5

links

homepage
lintian (3, 11)
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.16.0-4ubuntu1
25 bugs (2 patches)
patches for 1.16.0-4ubuntu1