There's a closed pull request on the void-packages repository

cairo: fix CVE-2018-19876.
https://github.com/void-linux/void-packages/pull/20205

Description:
Other backports from Fedora.