[cairo] Potential Side-channel in Cairo Graphics Library

Paul Menzel pmenzel+cairo at molgen.mpg.de
Tue Feb 19 08:20:52 UTC 2019

Dear Daimeng,

On 19.02.19 04:49, Daimeng Wang wrote:

> We're a group of researchers from University of California Riverside. We
> recently discovered that some functions in Cairo graphics
> library take variable amount of time depending on the input character. As a
> result, an unprivileged attacker could potentially utilize flush+reload
> cache side-channel attack to measure the execution time of said functions
> to infer users' text input. We verified this using the Onboard app that
> comes with Ubuntu 16.04.
> For detailed information please refer to our paper in the link below. We
> would be very happy to work with you to address this issue. Please let us
> know what you think.
> https://www.cs.ucr.edu/~zhiyunq/pub/ndss19_cache_keystrokes.pdf

Thank you very much for your message, and analyzing these issues. As 
this is possibly a security issue, I suggest that you contact the 
security teams of the major distribution (Red Hat, SUSE, Ubuntu, Debian, 
…), as they are also interested in this and have often paid developers 
being able to help to fix these issues.

Kind regards,


More information about the cairo mailing list