
[ASA-201902-19] cairo: arbitrary code execution
Arch Linux Security Advisory ASA-201902-19
==========================================

Severity: Critical
Date    : 2019-02-17
CVE-ID  : CVE-2018-19876
Package : cairo
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-826

Summary
=======

The package cairo before version 1.16.0-2 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 1.16.0-2.

# pacman -Syu "cairo>=1.16.0-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

A memory-corruption issue has been found in cairo versions <= 1.16.0, in
the cairo_ft_apply_variations() function in cairo-ft-font.c. This function
frees memory using the wrong free function (one that does not match the
allocator the memory came from), leading to memory corruption. As cairo is
used, among others, by WebKitGTK+, this could be triggered by crafted web
content in some cases.

Impact
======

A malicious remote user could execute arbitrary code by sending specially
crafted web content.

References
==========

https://seclists.org/oss-sec/2018/q4/205
https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5
https://security.archlinux.org/CVE-2018-19876
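The Description section names the bug class behind this advisory: memory obtained from one allocator is handed to a different allocator's free routine. The C program below is an added illustration of that class and is not part of the advisory, of cairo, or of FreeType. It models a hypothetical library (`toylib_*`, invented names) that, like many C libraries, returns an interior pointer of a block it manages itself, so passing that pointer to libc `free()` hands the heap an address it never issued. The program pairs each allocation with the library's own destructor and adds a debug registry so a mismatched or double release fails with a status code instead of corrupting the heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical library allocator (invented for this example). Each object
 * carries a private header, so the pointer the caller receives is an interior
 * pointer of a larger malloc() block. libc free() on that pointer is an
 * allocator mismatch: the heap never handed out that address. */
typedef struct {
    uint32_t magic;      /* marks a live library object */
    uint32_t size;       /* payload size requested by the caller */
    uint64_t reserved;   /* keeps the payload 16-byte aligned */
} toylib_hdr;

#define TOYLIB_MAGIC    0x544F594CU
#define TOYLIB_MAX_LIVE 64

/* Debug registry of payload pointers the library currently owns (assumed
 * here, not a feature of any real library). It lets us validate a pointer
 * without dereferencing memory that may not belong to us. */
static void *toylib_live[TOYLIB_MAX_LIVE];

static int toylib_slot(const void *p) {
    for (int i = 0; i < TOYLIB_MAX_LIVE; i++)
        if (toylib_live[i] == p) return i;
    return -1;
}

/* Library-side allocation: returns the payload that follows the header. */
void *toylib_alloc(size_t size) {
    toylib_hdr *h = malloc(sizeof *h + size);
    if (!h) return NULL;
    h->magic = TOYLIB_MAGIC;
    h->size = (uint32_t)size;
    void *payload = h + 1;
    int slot = toylib_slot(NULL);          /* first empty registry entry */
    if (slot < 0) { free(h); return NULL; } /* registry full */
    toylib_live[slot] = payload;
    return payload;
}

/* Does the library currently own this pointer? */
int toylib_owns(const void *p) {
    return p != NULL && toylib_slot(p) >= 0;
}

/* The matching destructor: rewinds from the payload to the header and frees
 * the block malloc() actually returned. Returns 0 on success, -1 for a
 * foreign pointer or a double release. */
int toylib_release(void *p) {
    if (!p) return -1;
    int slot = toylib_slot(p);
    if (slot < 0) return -1;
    toylib_hdr *h = (toylib_hdr *)p - 1;
    h->magic = 0;                /* poison so stale uses are visible in a debugger */
    toylib_live[slot] = NULL;
    free(h);
    return 0;
}

/* Objects the library still owns; useful as a leak check in tests. */
int toylib_live_count(void) {
    int n = 0;
    for (int i = 0; i < TOYLIB_MAX_LIVE; i++)
        if (toylib_live[i]) n++;
    return n;
}

/* Release path for code that mixes libc and library allocations. The advisory's
 * bug is the unchecked version of this: free(p) applied to a library object.
 * Here the caller states which allocator it believes owns p, and the pairing is
 * verified before anything is freed. Returns 0 on success, -1 on mismatch. */
int release_checked(void *p, int from_toylib) {
    if (from_toylib) return toylib_release(p);
    if (toylib_owns(p)) return -1;  /* library object mislabelled as libc memory */
    free(p);
    return 0;
}

/* Exercises the allocate/release pairing end to end. Returns the number of
 * failed checks (0 means every case behaved as intended). */
int toylib_selftest(void) {
    int failures = 0;
    void *obj = toylib_alloc(32);
    void *buf = malloc(32);
    if (!obj || !buf) return 99;
    failures += !toylib_owns(obj);
    failures += toylib_owns(buf);
    failures += release_checked(obj, 0) != -1;   /* wrong allocator: refused */
    failures += !toylib_owns(obj);               /* still live after refusal */
    failures += toylib_release(obj) != 0;        /* matching destructor */
    failures += toylib_release(obj) != -1;       /* double release caught */
    failures += release_checked(buf, 0) != 0;    /* libc memory back to libc */
    failures += toylib_live_count() != 0;
    return failures;
}

int main(void) {
    printf("self-test failures: %d\n", toylib_selftest());
    return 0;
}
```

The registry is a debug aid; production code cannot ask the heap who owns a pointer, which is exactly why the pairing has to be enforced by convention (every `X_alloc` has one `X_free`) and checked in review, and why tools such as AddressSanitizer flag a free of an address that was never returned by the allocator.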