Security update for cairo SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:03449-1 Final 1 1 2025-10-02T07:15:18Z current 2025-10-02T07:15:18Z 2025-10-02T07:15:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cairo This update for cairo fixes the following issues: - CVE-2025-50422: Fixed Poppler crash on malformed input (bsc#1247589) - Update to version 1.18.4: + The dependency on LZO has been made optional through a build time configuration toggle. + You can build Cairo against a Freetype installation that does not have the FT_Color type. + Cairo tests now build on Solaris 11.4 with GCC 14. + The DirectWrite backend now builds on MINGW 11. + The DirectWrite backend now supports font variations and proper glyph coverage. - Use tarball in lieu of source service due to freedesktop gitlab migration, will switch back at next release at the latest. - Add pkgconfig(lzo2) BuildRequires: New optional dependency, build lzo2 support feature. - Convert to source service: allows for easier upgrades by the GNOME team. - Update to version 1.18.2: + The malloc-stats code has been removed from the tests directory + Cairo now requires a version of pixman equal to, or newer than, 0.40. + There have been multiple build fixes for newer versions of GCC for MSVC; for Solaris; and on macOS 10.7. + PNG errors caused by loading malformed data are correctly propagated to callers, so they can handle the case. + Both stroke and fill colors are now set when showing glyphs on a PDF surface. + All the font options are copied when creating a fallback font object. + When drawing text on macOS, Cairo now tries harder to select the appropriate font name. + Cairo now prefers the COLRv1 table inside a font, if one is available. + Cairo requires a C11 toolchain when building. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/kiosk/firefox-esr:latest-2025-3449,Container suse/kiosk/pulseaudio:latest-2025-3449,Image SLES15-SP6-SAP-Azure-3P-2025-3449,Image SLES15-SP7-SAP-Azure-3P-2025-3449,SUSE-2025-3449,SUSE-SLE-Module-Basesystem-15-SP6-2025-3449,SUSE-SLE-Module-Basesystem-15-SP7-2025-3449,SUSE-SLE-Module-Desktop-Applications-15-SP6-2025-3449,SUSE-SLE-Module-Desktop-Applications-15-SP7-2025-3449,openSUSE-SLE-15.6-2025-3449 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202503449-1/ Link for SUSE-SU-2025:03449-1 https://lists.suse.com/pipermail/sle-updates/2025-October/041995.html E-Mail link for SUSE-SU-2025:03449-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1247589 SUSE Bug 1247589 https://www.suse.com/security/cve/CVE-2025-50422/ SUSE CVE CVE-2025-50422 page Container suse/kiosk/firefox-esr:latest Container suse/kiosk/pulseaudio:latest Image SLES15-SP6-SAP-Azure-3P Image SLES15-SP7-SAP-Azure-3P SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Module for Desktop Applications 15 SP6 SUSE Linux Enterprise Module for Desktop Applications 15 SP7 openSUSE Leap 15.6 libcairo-gobject2-1.18.4-150600.3.3.1 libcairo2-1.18.4-150600.3.3.1 cairo-devel-1.18.4-150600.3.3.1 cairo-devel-32bit-1.18.4-150600.3.3.1 cairo-devel-64bit-1.18.4-150600.3.3.1 cairo-tools-1.18.4-150600.3.3.1 libcairo-gobject2-32bit-1.18.4-150600.3.3.1 libcairo-gobject2-64bit-1.18.4-150600.3.3.1 libcairo-script-interpreter2-1.18.4-150600.3.3.1 libcairo-script-interpreter2-32bit-1.18.4-150600.3.3.1 libcairo-script-interpreter2-64bit-1.18.4-150600.3.3.1 libcairo2-32bit-1.18.4-150600.3.3.1 libcairo2-64bit-1.18.4-150600.3.3.1 libcairo-gobject2-1.18.4-150600.3.3.1 as a component of Container suse/kiosk/firefox-esr:latest libcairo2-1.18.4-150600.3.3.1 as a component of Container suse/kiosk/firefox-esr:latest libcairo2-1.18.4-150600.3.3.1 as a component of Container suse/kiosk/pulseaudio:latest libcairo2-1.18.4-150600.3.3.1 as a component of Image SLES15-SP6-SAP-Azure-3P libcairo2-1.18.4-150600.3.3.1 as a component of Image SLES15-SP7-SAP-Azure-3P cairo-devel-1.18.4-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libcairo-gobject2-1.18.4-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libcairo-script-interpreter2-1.18.4-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libcairo2-1.18.4-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 cairo-devel-1.18.4-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libcairo-gobject2-1.18.4-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libcairo-script-interpreter2-1.18.4-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libcairo2-1.18.4-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libcairo2-32bit-1.18.4-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP6 libcairo2-32bit-1.18.4-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP7 cairo-devel-1.18.4-150600.3.3.1 as a component of openSUSE Leap 15.6 cairo-devel-32bit-1.18.4-150600.3.3.1 as a component of openSUSE Leap 15.6 cairo-tools-1.18.4-150600.3.3.1 as a component of openSUSE Leap 15.6 libcairo-gobject2-1.18.4-150600.3.3.1 as a component of openSUSE Leap 15.6 libcairo-gobject2-32bit-1.18.4-150600.3.3.1 as a component of openSUSE Leap 15.6 libcairo-script-interpreter2-1.18.4-150600.3.3.1 as a component of openSUSE Leap 15.6 libcairo-script-interpreter2-32bit-1.18.4-150600.3.3.1 as a component of openSUSE Leap 15.6 libcairo2-1.18.4-150600.3.3.1 as a component of openSUSE Leap 15.6 libcairo2-32bit-1.18.4-150600.3.3.1 as a component of openSUSE Leap 15.6 Cairo through 1.18.4, as used in Poppler through 25.08.0, has an "unscaled->face == NULL" assertion failure for _cairo_ft_unscaled_font_fini in cairo-ft-font.c. CVE-2025-50422 Container suse/kiosk/firefox-esr:latest:libcairo-gobject2-1.18.4-150600.3.3.1 Container suse/kiosk/firefox-esr:latest:libcairo2-1.18.4-150600.3.3.1 Container suse/kiosk/pulseaudio:latest:libcairo2-1.18.4-150600.3.3.1 Image SLES15-SP6-SAP-Azure-3P:libcairo2-1.18.4-150600.3.3.1 Image SLES15-SP7-SAP-Azure-3P:libcairo2-1.18.4-150600.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:cairo-devel-1.18.4-150600.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcairo-gobject2-1.18.4-150600.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcairo-script-interpreter2-1.18.4-150600.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libcairo2-1.18.4-150600.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:cairo-devel-1.18.4-150600.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcairo-gobject2-1.18.4-150600.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcairo-script-interpreter2-1.18.4-150600.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libcairo2-1.18.4-150600.3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP6:libcairo2-32bit-1.18.4-150600.3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP7:libcairo2-32bit-1.18.4-150600.3.3.1 openSUSE Leap 15.6:cairo-devel-1.18.4-150600.3.3.1 openSUSE Leap 15.6:cairo-devel-32bit-1.18.4-150600.3.3.1 openSUSE Leap 15.6:cairo-tools-1.18.4-150600.3.3.1 openSUSE Leap 15.6:libcairo-gobject2-1.18.4-150600.3.3.1 openSUSE Leap 15.6:libcairo-gobject2-32bit-1.18.4-150600.3.3.1 openSUSE Leap 15.6:libcairo-script-interpreter2-1.18.4-150600.3.3.1 openSUSE Leap 15.6:libcairo-script-interpreter2-32bit-1.18.4-150600.3.3.1 openSUSE Leap 15.6:libcairo2-1.18.4-150600.3.3.1 openSUSE Leap 15.6:libcairo2-32bit-1.18.4-150600.3.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503449-1/ https://www.suse.com/security/cve/CVE-2025-50422.html CVE-2025-50422 https://bugzilla.suse.com/1247589 SUSE Bug 1247589