oss-sec mailing list archives

Fwd: [ANNOUNCE] pixman release 0.42.2 now available


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 4 Nov 2022 18:30:26 -0700

As noted in the attached announcement pixman release 0.42.2 includes a fix for an
out-of-bounds write reported by Maddie Stone of Google's Project Zero, which has
now been assigned CVE-2022-44638.

--
    -Alan Coopersmith-              alan.coopersmith () oracle com
      X.Org Security Response Team - xorg-security () lists x org
--- Begin Message ---
From: Matt Turner <mattst88 () gmail com>
Date: Wed, 2 Nov 2022 13:37:14 -0400
A new pixman release 0.42.2 is now available. This is a stable release
in the 0.42 series.

This version contains a fix for a heap overflow. A CVE has been
requested, and I'll reply to this email with the number when it is
allocated. 

See https://gitlab.freedesktop.org/pixman/pixman/-/commit/a1f88e842e0216a5b4df1ab023caebe33c101395
and https://gitlab.freedesktop.org/pixman/pixman/-/issues/63 for more information.

Thanks to Maddie Stone and Google's Project Zero for discovering this
issue, providing a proof-of-concept, and a great analysis.

tar.gz:
        https://cairographics.org/releases/pixman-0.42.2.tar.gz
        https://www.x.org/releases/individual/lib/pixman-0.42.2.tar.gz

tar.xz:
        https://www.x.org/releases/individual/lib/pixman-0.42.2.tar.xz

Hashes:
        SHA256: ea1480efada2fd948bc75366f7c349e1c96d3297d09a3fe62626e38e234a625e  pixman-0.42.2.tar.gz
        SHA256: 5747d2ec498ad0f1594878cc897ef5eb6c29e91c53b899f7f71b506785fc1376  pixman-0.42.2.tar.xz
        SHA512: 0a4e327aef89c25f8cb474fbd01de834fd2a1b13fdf7db11ab72072082e45881cd16060673b59d02054b1711ae69c6e2395f6ae9214225ee7153939efcd2fa5d  pixman-0.42.2.tar.gz
        SHA512: 3476e2676e66756b1af61b1e532cd80c985c191fb7956eb01702b419726cce99e79163b7f287f74f66414680e7396d13c3fee525cd663f12b6ac4877070ff4e8  pixman-0.42.2.tar.xz

GPG signature:
        https://cairographics.org/releases/pixman-0.42.2.tar.gz.sha512.asc
        (signed by [ultimate] Matt Turner <mattst88 () gmail com>
         [ultimate] Matt Turner <mattst88 () gentoo org>
         [ultimate] Matt Turner <mattst88 () freedesktop org>
         [ultimate] Matt Turner <msturner () google com>)

Git:
        https://gitlab.freedesktop.org/pixman/pixman.git
        tag: pixman-0.42.2

Log:
        Matt Turner (4):
              build: Add a64-neon-test.S to EXTRA_DIST
              Revert "Fix signed-unsigned semantics in reduce_32"
              Avoid integer overflow leading to out-of-bounds write
              Pre-release version bump to 0.42.2
        
        Simon Ser (3):
              Post-release version bump to 0.42.1
              meson: override pixman-1 dependency
              meson: explicitly set C standard to gnu99
        
        Thomas Klausner (2):
              configure.ac: avoid unportable test(1) operator
              Makefile.am: increase shell portability


--- End Message ---
