gnu: cairo: Fix CVE-2018-19876 and CVE-2020-35492.

* gnu/packages/patches/cairo-CVE-2018-19876.patch,
gnu/packages/patches/cairo-CVE-2020-35492.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gtk.scm (cairo)[replacement]: New field.
(cairo/fixed): New variable.
(cairo-xcb): Use package/inherit.

1 files changed, 11 insertions, 2 deletions

diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index ee2c91264f..9fc4967181 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -124,6 +124,7 @@ tools have full access to view and control running applications.")
   (package
    (name "cairo")
    (version "1.16.0")
+   (replacement cairo/fixed)
    (source (origin
             (method url-fetch)
             (uri (string-append "https://cairographics.org/releases/cairo-"
@@ -174,6 +175,15 @@ affine transformation (scale, rotation, shear, etc.).")
    (license license:lgpl2.1) ; or Mozilla Public License 1.1
    (home-page "https://cairographics.org/")))
 
+(define cairo/fixed
+  (package
+    (inherit cairo)
+    (source (origin
+              (inherit (package-source cairo))
+              (patches (append (search-patches "cairo-CVE-2018-19876.patch"
+                                               "cairo-CVE-2020-35492.patch")
+                               (origin-patches (package-source cairo))))))))
+
 (define-public cairo-sans-poppler
   ;; Variant used to break the dependency cycle between Poppler and Cairo.
   (package/inherit cairo
@@ -181,8 +191,7 @@ affine transformation (scale, rotation, shear, etc.).")
     (properties `((hidden? . #t)))))
 
 (define-public cairo-xcb
-  (package
-    (inherit cairo)
+  (package/inherit cairo
     (name "cairo-xcb")
     (inputs
      `(("mesa" ,mesa)