Sun Jun 23 01:07:36 PDT 2013

author: root <root@rshg054.dnsready.net> 2013-06-23 01:08:06 -0700
committer: root <root@rshg054.dnsready.net> 2013-06-23 01:08:06 -0700
commit: 8d87c082149a6574a1d17d3c28ab2cb65a1e1d96 (patch)
tree: 6d3d045445c0e8f363e2ea3cc903912546fc0b5c /extra/mesa
parent: 946a83c478943914bcf576bd772689ef74c27fdd (diff)
2 files changed, 98 insertions, 13 deletions
diff --git a/extra/mesa/CVE-2013-1993.patch b/extra/mesa/CVE-2013-1993.patch
new file mode 100644
index 000000000..00f723d35
--- /dev/null
+++ b/extra/mesa/CVE-2013-1993.patch
@@ -0,0 +1,82 @@
+From 80ac3b279e776b3d9f45a209e52c5bd34ba7e7df Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 26 Apr 2013 23:31:58 +0000
+Subject: integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2]
+
+busIdStringLength is a CARD32 and needs to be bounds checked before adding
+one to it to come up with the total size to allocate, to avoid integer
+overflow leading to underallocation and writing data from the network past
+the end of the allocated buffer.
+
+NOTE: This is a candidate for stable release branches.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Brian Paul <brianp@vmware.com>
+(cherry picked from commit 2e5a268f18be30df15aed0b44b01a18a37fb5df4)
+---
+diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
+index b1cdc9b..8f53bd7 100644
+--- a/src/glx/XF86dri.c
++++ b/src/glx/XF86dri.c
+@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
+ #include "xf86dristr.h"
++#include <limits.h>
+ 
+ static XExtensionInfo _xf86dri_info_data;
+ static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
+@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA,
+    }
+ 
+    if (rep.length) {
+-      if (!(*busIdString = calloc(rep.busIdStringLength + 1, 1))) {
++      if (rep.busIdStringLength < INT_MAX)
++         *busIdString = calloc(rep.busIdStringLength + 1, 1);
++      else
++         *busIdString = NULL;
++      if (*busIdString == NULL) {
+          _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
+          UnlockDisplay(dpy);
+          SyncHandle();
+--
+cgit v0.9.0.2-2-gbebe
+From 6de60ddf9ccac6f185d8f4e88ddfc63a94bd670f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 26 Apr 2013 23:33:03 +0000
+Subject: integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
+
+clientDriverNameLength is a CARD32 and needs to be bounds checked before
+adding one to it to come up with the total size to allocate, to avoid
+integer overflow leading to underallocation and writing data from the
+network past the end of the allocated buffer.
+
+NOTE: This is a candidate for stable release branches.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Brian Paul <brianp@vmware.com>
+(cherry picked from commit 306f630e676eb901789dd09a0f30d7e7fa941ebe)
+---
+diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
+index 8f53bd7..56e3557 100644
+--- a/src/glx/XF86dri.c
++++ b/src/glx/XF86dri.c
+@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
+    *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
+ 
+    if (rep.length) {
+-      if (!
+-          (*clientDriverName =
+-           calloc(rep.clientDriverNameLength + 1, 1))) {
++      if (rep.clientDriverNameLength < INT_MAX)
++         *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
++      else
++         *clientDriverName = NULL;
++      if (*clientDriverName == NULL) {
+          _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
+          UnlockDisplay(dpy);
+          SyncHandle();
+--
+cgit v0.9.0.2-2-gbebe
diff --git a/extra/mesa/PKGBUILD b/extra/mesa/PKGBUILD
index 4fd8cbc0b..6990f754e 100644
--- a/extra/mesa/PKGBUILD
+++ b/extra/mesa/PKGBUILD
@@ -1,11 +1,11 @@
-# $Id: PKGBUILD 186351 2013-05-25 08:49:44Z andyrtr $
+# $Id: PKGBUILD 188839 2013-06-22 10:51:37Z lcarlier $
 # Maintainer: Jan de Groot <jgc@archlinux.org>
 # Maintainer: Andreas Radke <andyrtr@archlinux.org>
 
 pkgbase=mesa
 pkgname=('ati-dri' 'intel-dri' 'nouveau-dri' 'svga-dri' 'mesa' 'mesa-libgl')
 pkgver=9.1.3
-pkgrel=1
+pkgrel=2
 arch=('i686' 'x86_64')
 makedepends=('python2' 'libxml2' 'libx11' 'glproto' 'libdrm' 'dri2proto' 'libxxf86vm' 'libxdamage'
              'libvdpau' 'wayland' 'llvm-amdgpu-snapshot' 'systemd')
@@ -13,18 +13,21 @@ url="http://mesa3d.sourceforge.net"
 license=('custom')
 options=('!libtool')
 source=(ftp://ftp.freedesktop.org/pub/mesa/${pkgver}/MesaLib-${pkgver}.tar.bz2
-	#ftp://ftp.freedesktop.org/pub/mesa/9.1/MesaLib-9.1-rc2.tar.bz2 # for RC testing
-        LICENSE)
+        LICENSE
+	CVE-2013-1993.patch)
 md5sums=('952ccd03547ed72333b64e1746cf8ada'
-         '5c65a0fe315dd347e09b1f2826a1df5a')
+         '5c65a0fe315dd347e09b1f2826a1df5a'
+         'dc8dad7c9bc6a92bd9c33b27b9da825e')
 
-build() {
+prepare() {
     cd ${srcdir}/?esa-*
 
-    # pick 2 commits from master to
-    # fix a nouveau crash: http://cgit.freedesktop.org/mesa/mesa/commit/?id=17f1cb1d99e66227d1e05925ef937643f5c1089a
-    # and intel kwin slowness http://cgit.freedesktop.org/mesa/mesa/commit/?id=e062a4187d8ea518a39c913ae7562cf1d8ac3205
-    #patch -Np1 -i ${srcdir}/git-fixes.patch
+    # fix CVE-2013-1993 merged upstream
+    patch -Np1 -i ${srcdir}/CVE-2013-1993.patch
+}
+
+build() {
+    cd ${srcdir}/?esa-*
 
     autoreconf -vfi # our automake is far too new for their build system :)
 
@@ -60,7 +63,7 @@ build() {
 
 package_ati-dri() {
   pkgdesc="Mesa drivers for AMD/ATI Radeon"
-  depends=("mesa-libgl=${pkgver}" 'llvm-amdgpu-lib-snapshot')
+  depends=("mesa-libgl=${pkgver}")
   conflicts=('xf86-video-ati<6.9.0-6')
 
   install -m755 -d ${pkgdir}/usr/lib/vdpau/
@@ -89,7 +92,7 @@ package_intel-dri() {
 
 package_nouveau-dri() {
   pkgdesc="Mesa drivers for Nouveau"
-  depends=("mesa-libgl=${pkgver}" 'llvm-amdgpu-lib-snapshot')
+  depends=("mesa-libgl=${pkgver}")
 
   install -m755 -d ${pkgdir}/usr/lib/vdpau/
   mv -v ${srcdir}/fakeinstall/usr/lib/vdpau/libvdpau_nouveau.* ${pkgdir}/usr/lib/vdpau/
@@ -106,7 +109,7 @@ package_nouveau-dri() {
 
 package_svga-dri() {
   pkgdesc="Gallium3D VMware guest GL driver"
-  depends=('gcc-libs' 'libdrm' 'expat' 'libffi' 'llvm-amdgpu-lib-snapshot')
+  depends=('libdrm' 'expat' 'llvm-amdgpu-lib-snapshot')
 
   install -m755 -d ${pkgdir}/usr/lib/xorg/modules/dri
   mv -v ${srcdir}/fakeinstall/usr/lib/xorg/modules/dri/vmwgfx_dri.so ${pkgdir}/usr/lib/xorg/modules/dri/
author	root <root@rshg054.dnsready.net>	2013-06-23 01:08:06 -0700
committer	root <root@rshg054.dnsready.net>	2013-06-23 01:08:06 -0700
commit	8d87c082149a6574a1d17d3c28ab2cb65a1e1d96 (patch)
tree	6d3d045445c0e8f363e2ea3cc903912546fc0b5c /extra/mesa
parent	946a83c478943914bcf576bd772689ef74c27fdd (diff)