Hello community, here is the log from the commit of package Mesa for openSUSE:Factory checked in at 2019-11-18 20:02:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/Mesa (Old) and /work/SRC/openSUSE:Factory/.Mesa.new.26869 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "Mesa" Mon Nov 18 20:02:56 2019 rev:361 rq:749087 version:unknown Changes: --------
--- /work/SRC/openSUSE:Factory/Mesa/Mesa-drivers.changes 2019-11-10 22:32:09.908681074 +0100
+++ /work/SRC/openSUSE:Factory/.Mesa.new.26869/Mesa-drivers.changes 2019-11-18 20:02:58.149816473 +0100
@@ -1,0 +2,21 @@
+Thu Nov 14 14:36:08 UTC 2019 - Stefan Dirsch <sndir...@suse.com>
+
+- u_call-shmget-with-permission-0600-instead-of-0777.patch
+ * CVE-2019-5068 (bsc#1156015)
+
+-------------------------------------------------------------------
+Thu Nov 14 10:15:13 UTC 2019 - Stefan Dirsch <sndir...@suse.com>
+
+- Update to version 19.2.4
+ * This is an emergency release, to fix a critical bug found in
+ the 19.2.3 release which causes incomplete rendering on all
+ mesa drivers. This release contains a single patch to fix
+ that bug.
+
+-------------------------------------------------------------------
+Wed Nov 13 14:01:29 UTC 2019 - Frederic Crozat <fcro...@suse.com>
+
+- Update _contraints, Mesa-drivers needs 7GB of disk to build
+ safely.
+
+-------------------------------------------------------------------
Mesa.changes: same change Old: ---- mesa-19.2.3.tar.xz mesa-19.2.3.tar.xz.sig New: ---- mesa-19.2.4.tar.xz mesa-19.2.4.tar.xz.sig u_call-shmget-with-permission-0600-instead-of-0777.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ Mesa-drivers.spec ++++++
--- /var/tmp/diff_new_pack.AEIafW/_old 2019-11-18 20:03:05.621812722 +0100
+++ /var/tmp/diff_new_pack.AEIafW/_new 2019-11-18 20:03:05.629812718 +0100
@@ -42,7 +42,7 @@
 %define glamor 1
 %define _name_archive mesa
-%define _version 19.2.3
+%define _version 19.2.4
 %define with_opencl 0
 %define with_vulkan 0
 %define with_llvm 0
@@ -110,7 +110,7 @@
 %endif
 Name: Mesa-drivers
-Version: 19.2.3
+Version: 19.2.4
 Release: 0
 Summary: System for rendering 3-D graphics
 License: MIT
@@ -126,6 +126,7 @@
 Source7: Mesa.keyring
 Patch1: n_opencl_dep_libclang.patch
 Patch2: n_add-Mesa-headers-again.patch
+Patch3: u_call-shmget-with-permission-0600-instead-of-0777.patch
 # never to be upstreamed
 Patch54: n_drirc-disable-rgb10-for-chromium-on-amd.patch
 Patch58: u_dep_xcb.patch
@@ -733,6 +734,7 @@
 %endif
 %endif
 %patch2 -p1
+%patch3 -p1
 %patch54 -p1
 %patch58 -p1
++++++ Mesa.spec ++++++
--- /var/tmp/diff_new_pack.AEIafW/_old 2019-11-18 20:03:05.681812692 +0100
+++ /var/tmp/diff_new_pack.AEIafW/_new 2019-11-18 20:03:05.689812688 +0100
@@ -41,7 +41,7 @@
 %define glamor 1
 %define _name_archive mesa
-%define _version 19.2.3
+%define _version 19.2.4
 %define with_opencl 0
 %define with_vulkan 0
 %define with_llvm 0
@@ -109,7 +109,7 @@
 %endif
 Name: Mesa
-Version: 19.2.3
+Version: 19.2.4
 Release: 0
 Summary: System for rendering 3-D graphics
 License: MIT
@@ -125,6 +125,7 @@
 Source7: Mesa.keyring
 Patch1: n_opencl_dep_libclang.patch
 Patch2: n_add-Mesa-headers-again.patch
+Patch3: u_call-shmget-with-permission-0600-instead-of-0777.patch
 # never to be upstreamed
 Patch54: n_drirc-disable-rgb10-for-chromium-on-amd.patch
 Patch58: u_dep_xcb.patch
@@ -732,6 +733,7 @@
 %endif
 %endif
 %patch2 -p1
+%patch3 -p1
 %patch54 -p1
 %patch58 -p1
++++++ _constraints ++++++
--- /var/tmp/diff_new_pack.AEIafW/_old 2019-11-18 20:03:05.905812579 +0100
+++ /var/tmp/diff_new_pack.AEIafW/_new 2019-11-18 20:03:05.917812573 +0100
@@ -7,7 +7,7 @@
 </conditions>
 <hardware>
 <disk>
- <size unit="G">6</size>
+ <size unit="G">7</size>
 </disk>
 </hardware>
 </overwrite>
++++++ mesa-19.2.3.tar.xz -> mesa-19.2.4.tar.xz ++++++
/work/SRC/openSUSE:Factory/Mesa/mesa-19.2.3.tar.xz /work/SRC/openSUSE:Factory/.Mesa.new.26869/mesa-19.2.4.tar.xz differ: char 27, line 1
++++++ u_call-shmget-with-permission-0600-instead-of-0777.patch ++++++
A security advisory (TALOS-2019-0857/CVE-2019-5068) found that creating shared memory regions with permission mode 0777 could allow any user to access that memory. Several Mesa drivers use shared- memory XImages to implement back buffers for improved performance. This path changes the shmget() calls to use 0600 (user r/w). Tested with legacy Xlib driver and llvmpipe. Cc: <a href="https://lists.freedesktop.org/mailman/listinfo/mesa-dev">mesa-stable at lists.freedesktop.org</a>
---
 src/gallium/winsys/sw/dri/dri_sw_winsys.c | 3 ++-
 src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
 src/mesa/drivers/x11/xm_buffer.c | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
index 761f5d1..2e5970b 100644
--- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, unsigned size)
 {
 char *addr;
- dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+ /* 0600 = user read+write */
+ dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0600);
 if (dri_sw_dt->shmid < 0)
 return NULL;
diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
index c14c9de..edebb48 100644
--- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
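Review bot: The comment added above shmget() in alloc_shm (dri_sw_winsys.c), `/* 0600 = user read+write */`, restates the literal without giving the reason for it, and the xlib_sw_winsys.c and xm_buffer.c hunks repeat the same comment. I would record the reason at each call site, for example `/* owner-only: mode 0777 let any local user attach to this segment (CVE-2019-5068) */`, so that a later cleanup does not widen the mode again. The segment is presumably also attached by the X server, in code outside these hunks, so it is worth confirming that a server running under a different unprivileged uid fails the attach cleanly and the non-shared-memory path is taken. alloc_shm starts before and continues past the hunk.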
@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned size)
 shminfo->shmid = -1;
 shminfo->shmaddr = (char *) -1;
- shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
+ /* 0600 = user read+write */
+ shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0600);
 if (shminfo->shmid < 0) {
 return NULL;
 }
diff --git a/src/mesa/drivers/x11/xm_buffer.c b/src/mesa/drivers/x11/xm_buffer.c
index d945d8a..0da08a6 100644
--- a/src/mesa/drivers/x11/xm_buffer.c
+++ b/src/mesa/drivers/x11/xm_buffer.c
@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width, GLuint height)
 return GL_FALSE;
 }
+ /* 0600 = user read+write */
 b->shminfo.shmid = shmget(IPC_PRIVATE, b->backxrb->ximage->bytes_per_line
- * b->backxrb->ximage->height, IPC_CREAT|0777);
+ * b->backxrb->ximage->height, IPC_CREAT|0600);
 if (b->shminfo.shmid < 0) {
 _mesa_warning(NULL, "shmget failed while allocating back buffer.\n");
 XDestroyImage(b->backxrb->ximage);
-- 1.8.5.6
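Review bot: The size argument to shmget() in alloc_back_shm_ximage is still the product `bytes_per_line * height`, evaluated in the type of the XImage fields, which Xlib declares as `int`, so a sufficiently large back buffer overflows before the conversion to shmget()'s size_t parameter. Widening one operand first avoids that: `(size_t) b->backxrb->ximage->bytes_per_line * b->backxrb->ximage->height`. The commit changes only the mode bits on this call, so the overflow is left as it was; width and height come from the caller and their validation is not visible here. The function begins and ends outside the hunk.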