Date: Tuesday, July 2, 2013 @ 01:11:26 Author: lcarlier Revision: 93325
upgpkg: lib32-mesa 9.1.4-1 Sync with extra Modified: lib32-mesa/trunk/PKGBUILD Deleted: lib32-mesa/trunk/CVE-2013-1993.patch lib32-mesa/trunk/git-fixes.patch ---------------------+ CVE-2013-1993.patch | 82 -------------------------------------------------- PKGBUILD | 17 ++-------- git-fixes.patch | 52 ------------------------------- 3 files changed, 4 insertions(+), 147 deletions(-) Deleted: CVE-2013-1993.patch =================================================================== --- CVE-2013-1993.patch 2013-07-01 22:56:17 UTC (rev 93324) +++ CVE-2013-1993.patch 2013-07-01 23:11:26 UTC (rev 93325) @@ -1,82 +0,0 @@ -From 80ac3b279e776b3d9f45a209e52c5bd34ba7e7df Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <[email protected]> -Date: Fri, 26 Apr 2013 23:31:58 +0000 -Subject: integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2] - -busIdStringLength is a CARD32 and needs to be bounds checked before adding -one to it to come up with the total size to allocate, to avoid integer -overflow leading to underallocation and writing data from the network past -the end of the allocated buffer. - -NOTE: This is a candidate for stable release branches. - -Reported-by: Ilja Van Sprundel <[email protected]> -Signed-off-by: Alan Coopersmith <[email protected]> -Reviewed-by: Brian Paul <[email protected]> -(cherry picked from commit 2e5a268f18be30df15aed0b44b01a18a37fb5df4) ---- -diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c -index b1cdc9b..8f53bd7 100644 ---- a/src/glx/XF86dri.c -+++ b/src/glx/XF86dri.c -@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - #include <X11/extensions/Xext.h> - #include <X11/extensions/extutil.h> - #include "xf86dristr.h" -+#include <limits.h> - - static XExtensionInfo _xf86dri_info_data; - static XExtensionInfo *xf86dri_info = &_xf86dri_info_data; -@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA, - } - - if (rep.length) { -- if (!(*busIdString = calloc(rep.busIdStringLength + 1, 1))) { -+ if (rep.busIdStringLength < INT_MAX) -+ *busIdString = calloc(rep.busIdStringLength + 1, 1); -+ else -+ *busIdString = NULL; -+ if (*busIdString == NULL) { - _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3)); - UnlockDisplay(dpy); - SyncHandle(); --- -cgit v0.9.0.2-2-gbebe -From 6de60ddf9ccac6f185d8f4e88ddfc63a94bd670f Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <[email protected]> -Date: Fri, 26 Apr 2013 23:33:03 +0000 -Subject: integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2] - -clientDriverNameLength is a CARD32 and needs to be bounds checked before -adding one to it to come up with the total size to allocate, to avoid -integer overflow leading to underallocation and writing data from the -network past the end of the allocated buffer. - -NOTE: This is a candidate for stable release branches. - -Reported-by: Ilja Van Sprundel <[email protected]> -Signed-off-by: Alan Coopersmith <[email protected]> -Reviewed-by: Brian Paul <[email protected]> -(cherry picked from commit 306f630e676eb901789dd09a0f30d7e7fa941ebe) ---- -diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c -index 8f53bd7..56e3557 100644 ---- a/src/glx/XF86dri.c -+++ b/src/glx/XF86dri.c -@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen, - *ddxDriverPatchVersion = rep.ddxDriverPatchVersion; - - if (rep.length) { -- if (! -- (*clientDriverName = -- calloc(rep.clientDriverNameLength + 1, 1))) { -+ if (rep.clientDriverNameLength < INT_MAX) -+ *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1); -+ else -+ *clientDriverName = NULL; -+ if (*clientDriverName == NULL) { - _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3)); - UnlockDisplay(dpy); - SyncHandle(); --- -cgit v0.9.0.2-2-gbebe Modified: PKGBUILD =================================================================== --- PKGBUILD 2013-07-01 22:56:17 UTC (rev 93324) +++ PKGBUILD 2013-07-01 23:11:26 UTC (rev 93325) @@ -4,26 +4,17 @@ pkgbase=lib32-mesa pkgname=('lib32-ati-dri' 'lib32-intel-dri' 'lib32-nouveau-dri' 'lib32-mesa' 'lib32-mesa-libgl') -pkgver=9.1.3 -pkgrel=3 +pkgver=9.1.4 +pkgrel=1 arch=('x86_64') makedepends=('python2' 'lib32-libxml2' 'lib32-expat' 'lib32-libx11' 'glproto' 'lib32-libdrm' 'dri2proto' 'lib32-libxxf86vm' 'lib32-libxdamage' 'gcc-multilib' 'lib32-llvm-amdgpu-snapshot' 'lib32-systemd') url="http://mesa3d.sourceforge.net"; license=('custom') options=('!libtool') -source=(ftp://ftp.freedesktop.org/pub/mesa/${pkgver}/MesaLib-${pkgver}.tar.bz2 - CVE-2013-1993.patch) -md5sums=('952ccd03547ed72333b64e1746cf8ada' - 'dc8dad7c9bc6a92bd9c33b27b9da825e') +source=(ftp://ftp.freedesktop.org/pub/mesa/${pkgver}/MesaLib-${pkgver}.tar.bz2) +md5sums=('a2c4e25d0e27918bc67f61bae04d0cb8') -prepare() { - cd ${srcdir}/?esa-* - - # fix CVE-2013-1993 merged upstream - patch -Np1 -i ${srcdir}/CVE-2013-1993.patch -} - build() { export CC="gcc -m32" export CXX="g++ -m32" Deleted: git-fixes.patch =================================================================== --- git-fixes.patch 2013-07-01 22:56:17 UTC (rev 93324) +++ git-fixes.patch 2013-07-01 23:11:26 UTC (rev 93325) @@ -1,52 +0,0 @@ -From 17f1cb1d99e66227d1e05925ef937643f5c1089a Mon Sep 17 00:00:00 2001 -From: Jan de Groot <[email protected]> -Date: Thu, 07 Mar 2013 18:48:13 +0000 -Subject: dri/nouveau: fix crash in nouveau_flush - -https://bugs.freedesktop.org/show_bug.cgi?id=61947 - -Note: this is a candidate for the stable branches ---- -diff --git a/src/mesa/drivers/dri/nouveau/nouveau_driver.c b/src/mesa/drivers/dri/nouveau/nouveau_driver.c -index f56b3b2..6c119d5 100644 ---- a/src/mesa/drivers/dri/nouveau/nouveau_driver.c -+++ b/src/mesa/drivers/dri/nouveau/nouveau_driver.c -@@ -69,7 +69,8 @@ nouveau_flush(struct gl_context *ctx) - __DRIdri2LoaderExtension *dri2 = screen->dri2.loader; - __DRIdrawable *drawable = nctx->dri_context->driDrawablePriv; - -- dri2->flushFrontBuffer(drawable, drawable->loaderPrivate); -+ if (drawable && drawable->loaderPrivate) -+ dri2->flushFrontBuffer(drawable, drawable->loaderPrivate); - } - } - --- -cgit v0.9.0.2-2-gbebe -From e062a4187d8ea518a39c913ae7562cf1d8ac3205 Mon Sep 17 00:00:00 2001 -From: Tapani Pälli <[email protected]> -Date: Mon, 28 Jan 2013 06:53:56 +0000 -Subject: intel: Fix regression in intel_create_image_from_name stride handling - -Strangely, the DRIimage interface we have passes the pitch in pixels -instead of bytes, which anholt missed in the change to using bytes for -region pitch. - -Signed-off-by: Tapani Pälli <[email protected]> -Reviewed-by: Eric Anholt <[email protected]> ---- -diff --git a/src/mesa/drivers/dri/intel/intel_screen.c b/src/mesa/drivers/dri/intel/intel_screen.c -index defcd73..d223a0b 100644 ---- a/src/mesa/drivers/dri/intel/intel_screen.c -+++ b/src/mesa/drivers/dri/intel/intel_screen.c -@@ -377,7 +377,7 @@ intel_create_image_from_name(__DRIscreen *screen, - cpp = _mesa_get_format_bytes(image->format); - image->region = intel_region_alloc_for_handle(intelScreen, - cpp, width, height, -- pitch, name, "image"); -+ pitch * cpp, name, "image"); - if (image->region == NULL) { - free(image); - return NULL; --- -cgit v0.9.0.2-2-gbebe
