diff options
Diffstat (limited to 'extra/mesa')
| -rw-r--r-- | extra/mesa/CVE-2013-1993.patch | 82 | ||||
| -rw-r--r-- | extra/mesa/PKGBUILD | 21 |
2 files changed, 6 insertions, 97 deletions
diff --git a/extra/mesa/CVE-2013-1993.patch b/extra/mesa/CVE-2013-1993.patch deleted file mode 100644 index 00f723d35..000000000 --- a/extra/mesa/CVE-2013-1993.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 80ac3b279e776b3d9f45a209e52c5bd34ba7e7df Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Fri, 26 Apr 2013 23:31:58 +0000 -Subject: integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2] - -busIdStringLength is a CARD32 and needs to be bounds checked before adding -one to it to come up with the total size to allocate, to avoid integer -overflow leading to underallocation and writing data from the network past -the end of the allocated buffer. - -NOTE: This is a candidate for stable release branches. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Brian Paul <brianp@vmware.com> -(cherry picked from commit 2e5a268f18be30df15aed0b44b01a18a37fb5df4) ---- -diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c -index b1cdc9b..8f53bd7 100644 ---- a/src/glx/XF86dri.c -+++ b/src/glx/XF86dri.c -@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - #include <X11/extensions/Xext.h> - #include <X11/extensions/extutil.h> - #include "xf86dristr.h" -+#include <limits.h> - - static XExtensionInfo _xf86dri_info_data; - static XExtensionInfo *xf86dri_info = &_xf86dri_info_data; -@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA, - } - - if (rep.length) { -- if (!(*busIdString = calloc(rep.busIdStringLength + 1, 1))) { -+ if (rep.busIdStringLength < INT_MAX) -+ *busIdString = calloc(rep.busIdStringLength + 1, 1); -+ else -+ *busIdString = NULL; -+ if (*busIdString == NULL) { - _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3)); - UnlockDisplay(dpy); - SyncHandle(); --- -cgit v0.9.0.2-2-gbebe -From 6de60ddf9ccac6f185d8f4e88ddfc63a94bd670f Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Fri, 26 Apr 2013 23:33:03 +0000 -Subject: integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2] - -clientDriverNameLength is a CARD32 and needs to be bounds checked before -adding one to it to come up with the total size to allocate, to avoid -integer overflow leading to underallocation and writing data from the -network past the end of the allocated buffer. - -NOTE: This is a candidate for stable release branches. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Brian Paul <brianp@vmware.com> -(cherry picked from commit 306f630e676eb901789dd09a0f30d7e7fa941ebe) ---- -diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c -index 8f53bd7..56e3557 100644 ---- a/src/glx/XF86dri.c -+++ b/src/glx/XF86dri.c -@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen, - *ddxDriverPatchVersion = rep.ddxDriverPatchVersion; - - if (rep.length) { -- if (! -- (*clientDriverName = -- calloc(rep.clientDriverNameLength + 1, 1))) { -+ if (rep.clientDriverNameLength < INT_MAX) -+ *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1); -+ else -+ *clientDriverName = NULL; -+ if (*clientDriverName == NULL) { - _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3)); - UnlockDisplay(dpy); - SyncHandle(); --- -cgit v0.9.0.2-2-gbebe diff --git a/extra/mesa/PKGBUILD b/extra/mesa/PKGBUILD index 4fa536edd..5f8d193eb 100644 --- a/extra/mesa/PKGBUILD +++ b/extra/mesa/PKGBUILD @@ -1,11 +1,11 @@ -# $Id: PKGBUILD 188839 2013-06-22 10:51:37Z lcarlier $ +# $Id: PKGBUILD 189266 2013-07-01 22:29:39Z lcarlier $ # Maintainer: Jan de Groot <jgc@archlinux.org> # Maintainer: Andreas Radke <andyrtr@archlinux.org> pkgbase=mesa pkgname=('mesa' 'mesa-libgl') -pkgver=9.1.3 -pkgrel=2 +pkgver=9.1.4 +pkgrel=1 arch=('i686' 'x86_64' 'mips64el') makedepends=('python2' 'libxml2' 'libx11' 'glproto' 'libdrm' 'dri2proto' 'libxxf86vm' 'libxdamage' 'wayland' 'systemd') @@ -17,18 +17,9 @@ url="http://mesa3d.sourceforge.net" license=('custom') options=('!libtool') source=(ftp://ftp.freedesktop.org/pub/mesa/${pkgver}/MesaLib-${pkgver}.tar.bz2 - LICENSE - CVE-2013-1993.patch) -md5sums=('952ccd03547ed72333b64e1746cf8ada' - '5c65a0fe315dd347e09b1f2826a1df5a' - 'dc8dad7c9bc6a92bd9c33b27b9da825e') - -prepare() { - cd ${srcdir}/?esa-* - - # fix CVE-2013-1993 merged upstream - patch -Np1 -i ${srcdir}/CVE-2013-1993.patch -} + LICENSE) +md5sums=('a2c4e25d0e27918bc67f61bae04d0cb8' + '5c65a0fe315dd347e09b1f2826a1df5a') build() { cd ${srcdir}/?esa-* |