Comment 0 for bug 1639372

I'm attaching debdiffs for trusty, xenial and yakkety. Zesty is already fixed by syncing cairo 1.14.6-1.1 from Debian. Maybe someone else can work on the precise update.

Proof of Concept at
http://seclists.org/oss-sec/2016/q4/44

I didn't get gdb to work, but when I tried to convert the file, I got a crash report named /var/crash/_usr_bin_rsvg-convert.1000.crash . After the update, no crash happened.

I reproduced the crash and verified that the new package doesn't crash on xenial and yakkety only. I did not test on trusty.