[arch-commits] Commit in lib32-mesa/trunk (CVE-2013-1993.patch PKGBUILD)

Laurent Carlier lcarlier at nymeria.archlinux.org
Sat Jun 22 10:55:12 UTC 2013


    Date: Saturday, June 22, 2013 @ 12:55:12
  Author: lcarlier
Revision: 93020

upgpkg: lib32-mesa 9.1.3-2

Sync with extra

Added:
  lib32-mesa/trunk/CVE-2013-1993.patch
Modified:
  lib32-mesa/trunk/PKGBUILD

---------------------+
 CVE-2013-1993.patch |   82 ++++++++++++++++++++++++++++++++++++++++++++++++++
 PKGBUILD            |   18 ++++++----
 2 files changed, 93 insertions(+), 7 deletions(-)

Added: CVE-2013-1993.patch
===================================================================
--- CVE-2013-1993.patch	                        (rev 0)
+++ CVE-2013-1993.patch	2013-06-22 10:55:12 UTC (rev 93020)
@@ -0,0 +1,82 @@
+From 80ac3b279e776b3d9f45a209e52c5bd34ba7e7df Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Fri, 26 Apr 2013 23:31:58 +0000
+Subject: integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2]
+
+busIdStringLength is a CARD32 and needs to be bounds checked before adding
+one to it to come up with the total size to allocate, to avoid integer
+overflow leading to underallocation and writing data from the network past
+the end of the allocated buffer.
+
+NOTE: This is a candidate for stable release branches.
+
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Brian Paul <brianp at vmware.com>
+(cherry picked from commit 2e5a268f18be30df15aed0b44b01a18a37fb5df4)
+---
+diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
+index b1cdc9b..8f53bd7 100644
+--- a/src/glx/XF86dri.c
++++ b/src/glx/XF86dri.c
+@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
+ #include "xf86dristr.h"
++#include <limits.h>
+ 
+ static XExtensionInfo _xf86dri_info_data;
+ static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
+@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA,
+    }
+ 
+    if (rep.length) {
+-      if (!(*busIdString = calloc(rep.busIdStringLength + 1, 1))) {
++      if (rep.busIdStringLength < INT_MAX)
++         *busIdString = calloc(rep.busIdStringLength + 1, 1);
++      else
++         *busIdString = NULL;
++      if (*busIdString == NULL) {
+          _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
+          UnlockDisplay(dpy);
+          SyncHandle();
+--
+cgit v0.9.0.2-2-gbebe
+From 6de60ddf9ccac6f185d8f4e88ddfc63a94bd670f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Fri, 26 Apr 2013 23:33:03 +0000
+Subject: integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
+
+clientDriverNameLength is a CARD32 and needs to be bounds checked before
+adding one to it to come up with the total size to allocate, to avoid
+integer overflow leading to underallocation and writing data from the
+network past the end of the allocated buffer.
+
+NOTE: This is a candidate for stable release branches.
+
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Brian Paul <brianp at vmware.com>
+(cherry picked from commit 306f630e676eb901789dd09a0f30d7e7fa941ebe)
+---
+diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
+index 8f53bd7..56e3557 100644
+--- a/src/glx/XF86dri.c
++++ b/src/glx/XF86dri.c
+@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
+    *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
+ 
+    if (rep.length) {
+-      if (!
+-          (*clientDriverName =
+-           calloc(rep.clientDriverNameLength + 1, 1))) {
++      if (rep.clientDriverNameLength < INT_MAX)
++         *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
++      else
++         *clientDriverName = NULL;
++      if (*clientDriverName == NULL) {
+          _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
+          UnlockDisplay(dpy);
+          SyncHandle();
+--
+cgit v0.9.0.2-2-gbebe
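Review bot: The new `< INT_MAX` guard in XF86DRIOpenConnection() and XF86DRIGetClientDriverName() stops the `+ 1` from wrapping, but neither length is compared with the reply's own `rep.length`, so a server can still make the client `calloc` close to 2 GiB for a reply that carries only a few bytes. The failure path also keeps `_XEatData(dpy, ((rep.busIdStringLength + 3) & ~3))` (and the `clientDriverNameLength` equivalent), where the `+ 3` is computed in the same 32-bit type and wraps for values near the top of the range, so the amount discarded may not match what is on the wire and the connection could be left out of sync. Assuming `rep.length` counts 4-byte units as in other X replies, consider also bounding the field by the reply size, e.g. `if (rep.busIdStringLength < INT_MAX && rep.busIdStringLength / 4 <= rep.length)`, and sizing the discard from `rep.length` instead of the string-length field. Both functions start and end outside these hunks, and the read that fills the buffer is not visible, so this is inferred from the shown lines only.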

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2013-06-22 10:02:19 UTC (rev 93019)
+++ PKGBUILD	2013-06-22 10:55:12 UTC (rev 93020)
@@ -12,9 +12,18 @@
 url="http://mesa3d.sourceforge.net"
 license=('custom')
 options=('!libtool')
-source=(ftp://ftp.freedesktop.org/pub/mesa/${pkgver}/MesaLib-${pkgver}.tar.bz2)
-md5sums=('952ccd03547ed72333b64e1746cf8ada')
+source=(ftp://ftp.freedesktop.org/pub/mesa/${pkgver}/MesaLib-${pkgver}.tar.bz2
+        CVE-2013-1993.patch)
+md5sums=('952ccd03547ed72333b64e1746cf8ada'
+         'dc8dad7c9bc6a92bd9c33b27b9da825e')
 
+prepare() {
+  cd ${srcdir}/?esa-*
+
+  # fix CVE-2013-1993 merged upstream
+  patch -Np1 -i ${srcdir}/CVE-2013-1993.patch
+}
+
 build() {
   export CC="gcc -m32"
   export CXX="g++ -m32"
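Review bot: The integrity pin for the newly added CVE-2013-1993.patch is an MD5 entry in `md5sums`, and the tarball next to it is fetched over plain `ftp://`, so the only check on both sources is a hash that is not collision resistant. A security backport is where a stronger pin pays off: switch the array to `sha256sums=('<sha256 of MesaLib tarball>' '<sha256 of CVE-2013-1993.patch>')`, with the digests computed from copies checked against upstream. In `prepare()` the paths are also unquoted; `patch -Np1 -i "${srcdir}/CVE-2013-1993.patch"` keeps working if `srcdir` contains spaces. `build()` continues past the end of this hunk.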
@@ -23,11 +32,6 @@
 
   cd ${srcdir}/?esa-*
 
-  # pick 2 commits from master to
-  # fix a nouveau crash: http://cgit.freedesktop.org/mesa/mesa/commit/?id=17f1cb1d99e66227d1e05925ef937643f5c1089a
-  # and intel kwin slowness http://cgit.freedesktop.org/mesa/mesa/commit/?id=e062a4187d8ea518a39c913ae7562cf1d8ac3205
-  # patch -Np1 -i ${srcdir}/git-fixes.patch
-
   # our automake is far too new for their build system :)
   autoreconf -vfi
 



