From 8d87c082149a6574a1d17d3c28ab2cb65a1e1d96 Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 23 Jun 2013 01:08:06 -0700
Subject: Sun Jun 23 01:07:36 PDT 2013
---
extra/mesa/CVE-2013-1993.patch | 82 ++++++++++++++++++++++++++++++++++++++++++
extra/mesa/PKGBUILD | 29 ++++++++-------
2 files changed, 98 insertions(+), 13 deletions(-)
create mode 100644 extra/mesa/CVE-2013-1993.patch
(limited to 'extra/mesa')
diff --git a/extra/mesa/CVE-2013-1993.patch b/extra/mesa/CVE-2013-1993.patch
new file mode 100644
index 000000000..00f723d35
--- /dev/null
+++ b/extra/mesa/CVE-2013-1993.patch
@@ -0,0 +1,82 @@
+From 80ac3b279e776b3d9f45a209e52c5bd34ba7e7df Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 26 Apr 2013 23:31:58 +0000
+Subject: integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2]
+
+busIdStringLength is a CARD32 and needs to be bounds checked before adding
+one to it to come up with the total size to allocate, to avoid integer
+overflow leading to underallocation and writing data from the network past
+the end of the allocated buffer.
+
+NOTE: This is a candidate for stable release branches.
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Alan Coopersmith
+Reviewed-by: Brian Paul
+(cherry picked from commit 2e5a268f18be30df15aed0b44b01a18a37fb5df4)
+---
+diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
+index b1cdc9b..8f53bd7 100644
+--- a/src/glx/XF86dri.c
++++ b/src/glx/XF86dri.c
+@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ #include
+ #include
+ #include "xf86dristr.h"
++#include
+
+ static XExtensionInfo _xf86dri_info_data;
+ static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
+@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA,
+ }
+
+ if (rep.length) {
+- if (!(*busIdString = calloc(rep.busIdStringLength + 1, 1))) {
++ if (rep.busIdStringLength < INT_MAX)
++ *busIdString = calloc(rep.busIdStringLength + 1, 1);
++ else
++ *busIdString = NULL;
++ if (*busIdString == NULL) {
+ _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
+ UnlockDisplay(dpy);
+ SyncHandle();
+--
+cgit v0.9.0.2-2-gbebe
+From 6de60ddf9ccac6f185d8f4e88ddfc63a94bd670f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 26 Apr 2013 23:33:03 +0000
+Subject: integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
+
+clientDriverNameLength is a CARD32 and needs to be bounds checked before
+adding one to it to come up with the total size to allocate, to avoid
+integer overflow leading to underallocation and writing data from the
+network past the
end of the allocated buffer.
+
+NOTE: This is a candidate for stable release branches.
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Alan Coopersmith
+Reviewed-by: Brian Paul
+(cherry picked from commit 306f630e676eb901789dd09a0f30d7e7fa941ebe)
+---
+diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
+index 8f53bd7..56e3557 100644
+--- a/src/glx/XF86dri.c
++++ b/src/glx/XF86dri.c
+@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
+ *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
+
+ if (rep.length) {
+- if (!
+- (*clientDriverName =
+- calloc(rep.clientDriverNameLength + 1, 1))) {
++ if (rep.clientDriverNameLength < INT_MAX)
++ *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
++ else
++ *clientDriverName = NULL;
++ if (*clientDriverName == NULL) {
+ _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
+ UnlockDisplay(dpy);
+ SyncHandle();
+--
+cgit v0.9.0.2-2-gbebe
diff --git a/extra/mesa/PKGBUILD b/extra/mesa/PKGBUILD
index 4fd8cbc0b..6990f754e 100644
--- a/extra/mesa/PKGBUILD
+++ b/extra/mesa/PKGBUILD
@@ -1,11 +1,11 @@ -# $Id: PKGBUILD 186351 2013-05-25 08:49:44Z andyrtr $ +# $Id: PKGBUILD 188839 2013-06-22 10:51:37Z lcarlier $ # Maintainer: Jan de Groot # Maintainer: Andreas Radke pkgbase=mesa pkgname=('ati-dri' 'intel-dri' 'nouveau-dri' 'svga-dri' 'mesa' 'mesa-libgl') pkgver=9.1.3 -pkgrel=1 +pkgrel=2 arch=('i686' 'x86_64') makedepends=('python2' 'libxml2' 'libx11' 'glproto' 'libdrm' 'dri2proto' 'libxxf86vm' 'libxdamage' 'libvdpau' 'wayland' 'llvm-amdgpu-snapshot' 'systemd')
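Review bot: The failure branch kept as context in both XF86dri.c hunks of CVE-2013-1993.patch still computes `rep.busIdStringLength + 3` (and `rep.clientDriverNameLength + 3`) for `_XEatData`, and that is the branch the new `< INT_MAX` guard routes oversized lengths into. The commit message states these fields are CARD32, so a value within three of the 32-bit maximum would wrap in that addition and the discard count would come out near zero, leaving the reply unread on the connection; this looks like a protocol desynchronisation rather than a memory-safety problem. Draining by the reply header avoids the arithmetic altogether, e.g. `_XEatDataWords(dpy, rep.length);` where the libX11 being built against provides it. The guard also accepts any length below INT_MAX without comparing it to what `rep.length` announces, and the read that fills the buffer lies outside both hunks, so how that read is bounded cannot be confirmed from this page.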
@@ -13,18 +13,21 @@ url="http://mesa3d.sourceforge.net" license=('custom') options=('!libtool') source=(ftp://ftp.freedesktop.org/pub/mesa/${pkgver}/MesaLib-${pkgver}.tar.bz2 - #ftp://ftp.freedesktop.org/pub/mesa/9.1/MesaLib-9.1-rc2.tar.bz2 # for RC testing - LICENSE) + LICENSE + CVE-2013-1993.patch) md5sums=('952ccd03547ed72333b64e1746cf8ada' - '5c65a0fe315dd347e09b1f2826a1df5a') + '5c65a0fe315dd347e09b1f2826a1df5a' + 'dc8dad7c9bc6a92bd9c33b27b9da825e') -build() { +prepare() { cd ${srcdir}/?esa-* - # pick 2 commits from master to - # fix a nouveau crash: http://cgit.freedesktop.org/mesa/mesa/commit/?id=17f1cb1d99e66227d1e05925ef937643f5c1089a - # and intel kwin slowness http://cgit.freedesktop.org/mesa/mesa/commit/?id=e062a4187d8ea518a39c913ae7562cf1d8ac3205 - #patch -Np1 -i ${srcdir}/git-fixes.patch + # fix CVE-2013-1993 merged upstream + patch -Np1 -i ${srcdir}/CVE-2013-1993.patch +} + +build() { + cd ${srcdir}/?esa-* autoreconf -vfi # our automake is far too new for their build system :) @@ -60,7 +63,7 @@ build() { package_ati-dri() { pkgdesc="Mesa drivers for AMD/ATI Radeon" - depends=("mesa-libgl=${pkgver}" 'llvm-amdgpu-lib-snapshot') + depends=("mesa-libgl=${pkgver}") conflicts=('xf86-video-ati<6.9.0-6') install -m755 -d ${pkgdir}/usr/lib/vdpau/ @@ -89,7 +92,7 @@ package_intel-dri() { package_nouveau-dri() { pkgdesc="Mesa drivers for Nouveau" - depends=("mesa-libgl=${pkgver}" 'llvm-amdgpu-lib-snapshot') + depends=("mesa-libgl=${pkgver}") install -m755 -d ${pkgdir}/usr/lib/vdpau/ mv -v ${srcdir}/fakeinstall/usr/lib/vdpau/libvdpau_nouveau.* ${pkgdir}/usr/lib/vdpau/ 
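Review bot: The new entry appended to `md5sums` in the `@@ -13,18 +13,21 @@` hunk leaves MD5 as the only integrity check on the security patch, and on the tarball that the unchanged `source=` line fetches over plain `ftp://`. MD5 collisions are practical and the transport is unauthenticated, so the checksum does little more than detect accidental corruption. A stronger array is a drop-in change: replace it with `sha256sums=(...)` carrying one digest per `source` entry, regenerated with `makepkg -g`. In the new `prepare()`, `${srcdir}` is also expanded unquoted in `cd ${srcdir}/?esa-*` and `patch -Np1 -i ${srcdir}/CVE-2013-1993.patch`; quoting it as `"${srcdir}"` keeps the step working when the build directory contains spaces.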
@@ -106,7 +109,7 @@ package_nouveau-dri() { package_svga-dri() { pkgdesc="Gallium3D VMware guest GL driver" - depends=('gcc-libs' 'libdrm' 'expat' 'libffi' 'llvm-amdgpu-lib-snapshot') + depends=('libdrm' 'expat' 'llvm-amdgpu-lib-snapshot') install -m755 -d ${pkgdir}/usr/lib/xorg/modules/dri mv -v ${srcdir}/fakeinstall/usr/lib/xorg/modules/dri/vmwgfx_dri.so ${pkgdir}/usr/lib/xorg/modules/dri/ -- cgit v1.2.3-54-g00ecf