CVE-2018-19876

Name	CVE-2018-19876
Description	cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a free function incompatible with WebKit's fastMalloc, leading to an application crash with a "free(): invalid pointer" error.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	915801, 916389

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
cairo (PTS)	jessie, jessie (lts)	1.14.0-2.1+deb8u3	fixed
	stretch (security), stretch (lts), stretch	1.14.8-1+deb9u1	fixed
	buster	1.16.0-4+deb10u1	fixed
	bullseye	1.16.0-5	fixed
	bookworm	1.16.0-7	fixed
	trixie	1.18.0-1	fixed
	sid	1.18.0-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
cairo	source	wheezy	(not affected)
cairo	source	jessie	(not affected)
cairo	source	stretch	(not affected)
cairo	source	(unstable)	1.16.0-4	915801, 916389

Notes

[stretch] - cairo <not-affected> (Vulnerable code introduced later)
[jessie] - cairo <not-affected> (Vulnerable code introduced later)
https://bugs.webkit.org/show_bug.cgi?id=191595
https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5
Code introduced in
https://gitlab.freedesktop.org/cairo/cairo/commit/616fb7a9f2612f6cc3472542a70ba3e8ccf16584 and
https://gitlab.freedesktop.org/cairo/cairo/commit/0fd0fd0ae9ad8cfb177bb844091de98c0235917e,
and became vulnerable with freetype 2.9 which allows to define a different allocator. Partially
fixed in https://gitlab.freedesktop.org/cairo/cairo/commit/c3659d7ef662b55949307ece7b1f613a7dc32620
https://gitlab.freedesktop.org/cairo/cairo/commit/90e85c2493fdfa3551f202ff10282463f1e36645
[wheezy] - cairo <not-affected> (Vulnerable code introduced later)