On Mon, Nov 28, 2016 at 09:30:53PM +0200, Efraim Flashner wrote:
> The previous patch somehow stopped working for me, and I was getting
> complaints about unbound variable cairo/fixed, so I rewrote the patch to
> have every cairo use the patch separately.

Thanks for taking on this tricky bug fix!

> diff --git a/gnu/packages/patches/cairo-CVE-2016-9082.patch b/gnu/packages/patches/cairo-CVE-2016-9082.patch

Please add a link to the patch source in the patch file. I know it can be
found in the linked bug report, but it does help readers to be explicit,
in my opinion.

Otherwise LGTM.

The patch is not in the cairo repo yet, AFAICT:

https://cgit.freedesktop.org/cairo/

But, Debian did use it:

https://anonscm.debian.org/cgit/collab-maint/cairo.git/tree/debian/patches/07_CVE-2016-9082.patch

Can you follow the upstream resolution of the bug in case they decide to
use a different patch?