=== modified file 'debian/changelog'
--- debian/changelog	2016-11-04 21:53:02 +0000
+++ debian/changelog	2016-11-04 22:40:01 +0000
@@ -1,3 +1,12 @@
+cairo (1.14.6-1ubuntu0.16.10.1) yakkety-security; urgency=medium
+
+   * SECURITY UPDATE: DoS attack based on using SVG to generate invalid
+     pointers from a _cairo_image_surface in write_png.
+     (Closes: #842289, LP: #1639372)
+     - CVE-2016-9082
+
+ -- Jeremy Bicha <jbicha@ubuntu.com>  Fri, 04 Nov 2016 18:39:22 -0400
+
 cairo (1.14.6-1) unstable; urgency=medium
 
   * New upstream release.

=== modified file 'debian/control'
--- debian/control	2016-11-04 21:53:02 +0000
+++ debian/control	2016-11-04 22:06:30 +0000
@@ -1,7 +1,8 @@
 Source: cairo
 Section: libs
 Priority: optional
-Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
 Uploaders: Sebastian Dröge <slomo@debian.org>,
            Emilio Pozuelo Monfort <pochu@debian.org>,
            Michael Biebl <biebl@debian.org>,

=== added file 'debian/patches/07_CVE-2016-9082.patch'
--- debian/patches/07_CVE-2016-9082.patch	1970-01-01 00:00:00 +0000
+++ debian/patches/07_CVE-2016-9082.patch	2016-10-30 12:25:37 +0000
@@ -0,0 +1,107 @@
+From c812d1c1935cccf096a60ad904e640fdc83bd41c Mon Sep 17 00:00:00 2001
+From: Adrian Johnson <ajohnson@redneon.com>
+Date: Thu, 20 Oct 2016 21:12:30 +1030
+Subject: [PATCH] image: prevent invalid ptr access for > 4GB images
+
+Image data is often accessed using:
+
+  image->data + y * image->stride
+
+On 64-bit achitectures if the image data is > 4GB, this computation
+will overflow since both y and stride are 32-bit types.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=98165
+---
+ boilerplate/cairo-boilerplate.c     | 4 +++-
+ src/cairo-image-compositor.c        | 4 ++--
+ src/cairo-image-surface-private.h   | 2 +-
+ src/cairo-mesh-pattern-rasterizer.c | 2 +-
+ src/cairo-png.c                     | 2 +-
+ src/cairo-script-surface.c          | 3 ++-
+ 6 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/boilerplate/cairo-boilerplate.c
++++ b/boilerplate/cairo-boilerplate.c
+@@ -42,6 +42,7 @@
+ #undef CAIRO_VERSION_H
+ #include "../cairo-version.h"
+ 
++#include <stddef.h>
+ #include <stdlib.h>
+ #include <ctype.h>
+ #include <assert.h>
+@@ -976,7 +977,8 @@ cairo_surface_t *
+ cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file)
+ {
+     char format;
+-    int width, height, stride;
++    int width, height;
++    ptrdiff_t stride;
+     int x, y;
+     unsigned char *data;
+     cairo_surface_t *image = NULL;
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_rendere
+     pixman_image_t *src, *mask;
+     union {
+ 	struct fill {
+-	    int stride;
++	    ptrdiff_t stride;
+ 	    uint8_t *data;
+ 	    uint32_t pixel;
+ 	} fill;
+@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_rendere
+ 	struct finish {
+ 	    cairo_rectangle_int_t extents;
+ 	    int src_x, src_y;
+-	    int stride;
++	    ptrdiff_t stride;
+ 	    uint8_t *data;
+ 	} mask;
+     } u;
+--- a/src/cairo-image-surface-private.h
++++ b/src/cairo-image-surface-private.h
+@@ -71,7 +71,7 @@ struct _cairo_image_surface {
+ 
+     int width;
+     int height;
+-    int stride;
++    ptrdiff_t stride;
+     int depth;
+ 
+     unsigned owns_data : 1;
+--- a/src/cairo-mesh-pattern-rasterizer.c
++++ b/src/cairo-mesh-pattern-rasterizer.c
+@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int wid
+ 	tg += tg >> 16;
+ 	tb += tb >> 16;
+ 
+-	*((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) |
++	*((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 0xff000000) |
+ 	    ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24);
+     }
+ }
+--- a/src/cairo-png.c
++++ b/src/cairo-png.c
+@@ -671,7 +671,7 @@ read_png (struct png_read_closure_t *png
+     }
+ 
+     for (i = 0; i < png_height; i++)
+-        row_pointers[i] = &data[i * stride];
++        row_pointers[i] = &data[i * (ptrdiff_t)stride];
+ 
+     png_read_image (png, row_pointers);
+     png_read_end (png, info);
+--- a/src/cairo-script-surface.c
++++ b/src/cairo-script-surface.c
+@@ -1201,7 +1201,8 @@ static cairo_status_t
+ _write_image_surface (cairo_output_stream_t *output,
+ 		      const cairo_image_surface_t *image)
+ {
+-    int stride, row, width;
++    int row, width;
++    ptrdiff_t stride;
+     uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE];
+     uint8_t *rowdata;
+     uint8_t *data;

=== modified file 'debian/patches/series'
--- debian/patches/series	2016-11-04 21:53:02 +0000
+++ debian/patches/series	2016-10-30 12:25:37 +0000
@@ -2,3 +2,4 @@
 02_am-maintainer-mode.patch
 03_export-symbols.patch
 06_hurd-map-noreserve.patch
+07_CVE-2016-9082.patch