Normal x11-libs/cairo-1.16.0-r3 has high and medium CVEs
- https://nvd.nist.gov/vuln/detail/CVE-2019-6461
- https://nvd.nist.gov/vuln/detail/CVE-2019-6462
- https://nvd.nist.gov/vuln/detail/CVE-2020-35492
more details about CVE-2020-35492 (the high severity one)
A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
https://gitlab.freedesktop.org/cairo/cairo/-/issues/437
https://bugzilla.redhat.com/show_bug.cgi?id=1898396
this redhat discussion is worth noting:
This flaw has an adjusted CVSS score for cairo as shipped with Red Hat Enterprise Linux 8 because cairo is built with binary protections which limit the impact
found using https://github.com/mrl5/vulner
example packages depending on cairo:
$ equery d cairo <REDACTED> app-office/libreoffice-bin-7.3.0.3 (x11-libs/cairo[X]) media-gfx/gimp-2.10.20 (>=x11-libs/cairo-1.12.2) net-im/discord-bin-0.0.16 (x11-libs/cairo) net-im/slack-bin-4.23.0-r1 (x11-libs/cairo:0[-mgorny(-)]) www-client/firefox-bin-96.0.3 (>=x11-libs/cairo-1.10[X]) www-client/google-chrome-98.0.4758.80 (x11-libs/cairo)
