Date: Tuesday, July 2, 2013 @ 00:29:25 Author: lcarlier Revision: 189265
upgpkg: mesa 9.1.4-1 upstream update 9.1.4 Modified: mesa/trunk/PKGBUILD Deleted: mesa/trunk/CVE-2013-1993.patch ---------------------+ CVE-2013-1993.patch | 82 -------------------------------------------------- PKGBUILD | 19 +++-------- 2 files changed, 5 insertions(+), 96 deletions(-) Deleted: CVE-2013-1993.patch =================================================================== --- CVE-2013-1993.patch 2013-07-01 21:36:52 UTC (rev 189264) +++ CVE-2013-1993.patch 2013-07-01 22:29:25 UTC (rev 189265) 
@@ -1,82 +0,0 @@
-From 80ac3b279e776b3d9f45a209e52c5bd34ba7e7df Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <[email protected]>
-Date: Fri, 26 Apr 2013 23:31:58 +0000
-Subject: integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2]
-
-busIdStringLength is a CARD32 and needs to be bounds checked before adding
-one to it to come up with the total size to allocate, to avoid integer
-overflow leading to underallocation and writing data from the network past
-the end of the allocated buffer.
-
-NOTE: This is a candidate for stable release branches.
-
-Reported-by: Ilja Van Sprundel <[email protected]>
-Signed-off-by: Alan Coopersmith <[email protected]>
-Reviewed-by: Brian Paul <[email protected]>
-(cherry picked from commit 2e5a268f18be30df15aed0b44b01a18a37fb5df4)
----
-diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
-index b1cdc9b..8f53bd7 100644
---- a/src/glx/XF86dri.c
-+++ b/src/glx/XF86dri.c
-@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- #include <X11/extensions/Xext.h>
- #include <X11/extensions/extutil.h>
- #include "xf86dristr.h"
-+#include <limits.h>
-
- static XExtensionInfo _xf86dri_info_data;
- static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
-@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA,
- }
-
- if (rep.length) {
-- if (!(*busIdString = calloc(rep.busIdStringLength + 1, 1))) {
-+ if (rep.busIdStringLength < INT_MAX)
-+ *busIdString = calloc(rep.busIdStringLength + 1, 1);
-+ else
-+ *busIdString = NULL;
-+ if (*busIdString == NULL) {
- _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
- UnlockDisplay(dpy);
- SyncHandle();
---
-cgit v0.9.0.2-2-gbebe
-From 6de60ddf9ccac6f185d8f4e88ddfc63a94bd670f Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <[email protected]>
-Date: Fri, 26 Apr 2013 23:33:03 +0000
-Subject: integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
-
-clientDriverNameLength is a CARD32 and needs to be bounds checked before
-adding one to it to come up with the total size to allocate, to avoid
-integer overflow leading to underallocation and writing data from the
-network past the end of the allocated buffer.
-
-NOTE: This is a candidate for stable release branches.
-
-Reported-by: Ilja Van Sprundel <[email protected]>
-Signed-off-by: Alan Coopersmith <[email protected]>
-Reviewed-by: Brian Paul <[email protected]>
-(cherry picked from commit 306f630e676eb901789dd09a0f30d7e7fa941ebe)
----
-diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
-index 8f53bd7..56e3557 100644
---- a/src/glx/XF86dri.c
-+++ b/src/glx/XF86dri.c
-@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
- *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
-
- if (rep.length) {
-- if (!
-- (*clientDriverName =
-- calloc(rep.clientDriverNameLength + 1, 1))) {
-+ if (rep.clientDriverNameLength < INT_MAX)
-+ *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
-+ else
-+ *clientDriverName = NULL;
-+ if (*clientDriverName == NULL) {
- _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
- UnlockDisplay(dpy);
- SyncHandle();
---
-cgit v0.9.0.2-2-gbebe
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2013-07-01 21:36:52 UTC (rev 189264)
+++ PKGBUILD 2013-07-01 22:29:25 UTC (rev 189265)
@@ -4,8 +4,8 @@
 pkgbase=mesa pkgname=('ati-dri' 'intel-dri' 'nouveau-dri' 'svga-dri' 'mesa' 'mesa-libgl')
-pkgver=9.1.3
-pkgrel=2
+pkgver=9.1.4
+pkgrel=1
 arch=('i686' 'x86_64') makedepends=('python2' 'libxml2' 'libx11' 'glproto' 'libdrm' 'dri2proto' 'libxxf86vm' 'libxdamage' 'libvdpau' 'wayland' 'llvm-amdgpu-snapshot' 'systemd')
@@ -13,19 +13,10 @@
 license=('custom') options=('!libtool') source=(ftp://ftp.freedesktop.org/pub/mesa/${pkgver}/MesaLib-${pkgver}.tar.bz2
- LICENSE
- CVE-2013-1993.patch)
-md5sums=('952ccd03547ed72333b64e1746cf8ada'
- '5c65a0fe315dd347e09b1f2826a1df5a'
- 'dc8dad7c9bc6a92bd9c33b27b9da825e')
+ LICENSE)
+md5sums=('a2c4e25d0e27918bc67f61bae04d0cb8'
+ '5c65a0fe315dd347e09b1f2826a1df5a')
-prepare() {
- cd ${srcdir}/?esa-*
-
- # fix CVE-2013-1993 merged upstream
- patch -Np1 -i ${srcdir}/CVE-2013-1993.patch
-}
-
 build() { cd ${srcdir}/?esa-*
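Review bot: The updated `md5sums` entry is the only integrity check on `MesaLib-${pkgver}.tar.bz2`, and `source=` still fetches it over plain `ftp://`, so a collision-prone digest is all that stands between a tampered tarball and the build. I would switch the array to a stronger digest, `sha256sums=('<sha256 of MesaLib tarball>' '<sha256 of LICENSE>')` (placeholders; regenerate with `makepkg -g`). Separately, dropping `CVE-2013-1993.patch` and `prepare()` relies on 9.1.4 already carrying both bounds checks; nothing on this page shows the 9.1.4 tree, so it is worth confirming that `src/glx/XF86dri.c` in the new tarball has the `< INT_MAX` guards before the two `calloc` calls.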
