Hello community,
here is the log from the commit of package Mesa.1592 for openSUSE:12.3:Update
checked in at 2013-06-06 13:52:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/Mesa.1592 (Old)
and /work/SRC/openSUSE:12.3:Update/.Mesa.1592.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "Mesa.1592"
Changes:
--------
--- /work/SRC/openSUSE:12.3:Update/Mesa.1592/Mesa.changes 2013-04-23
15:35:21.000000000 +0200
+++ /work/SRC/openSUSE:12.3:Update/.Mesa.1592.new/Mesa.changes 2013-06-06
13:52:17.000000000 +0200
@@ -1,0 +2,9 @@
+Tue May 28 13:52:21 UTC 2013 - sndir...@suse.com
+
+- u_0001_integer_overflow_in_XF86DRIOpenConnection_CVE-2013-1993.patch,
+ u_0002_integer_overflow_in_XF86DRIGetClientDriverName_CVE-2013-1993.patch
+ * fixes integer overflow in XF86DRIOpenConnection()/
+ XF86DRIGetClientDriverName() [CVE-2013-1993] (bnc#821855,
+ bnc#815451)
+
+-------------------------------------------------------------------
New:
----
u_0001_integer_overflow_in_XF86DRIOpenConnection_CVE-2013-1993.patch
u_0002_integer_overflow_in_XF86DRIGetClientDriverName_CVE-2013-1993.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ Mesa.spec ++++++
--- /var/tmp/diff_new_pack.wrYo8H/_old 2013-06-06 13:52:17.000000000 +0200
+++ /var/tmp/diff_new_pack.wrYo8H/_new 2013-06-06 13:52:17.000000000 +0200
@@ -96,6 +96,8 @@
Patch16: u_mesa-8.0-llvmpipe-shmget.patch
# PATCH-FIX-UPSTREAM mesa-i965-render-between-hiz-flushes.patch fdo#62141
bnc#814947 dims...@opensuse.org -- i965: Make sure we do render between two hiz
flushes
Patch17: mesa-i965-render-between-hiz-flushes.patch
+Patch18:
u_0001_integer_overflow_in_XF86DRIOpenConnection_CVE-2013-1993.patch
+Patch19:
u_0002_integer_overflow_in_XF86DRIGetClientDriverName_CVE-2013-1993.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -483,6 +485,8 @@
%patch13 -p1
%patch14 -p1
%patch17 -p1
+%patch18 -p1
+%patch19 -p1
%build
++++++ u_0001_integer_overflow_in_XF86DRIOpenConnection_CVE-2013-1993.patch
++++++
[Mesa-dev] [PATCH:mesa 1/2] integer overflow in XF86DRIOpenConnection()
[CVE-2013-1993 1/2]
Alan Coopersmith alan.coopersmith at oracle.com
busIdStringLength is a CARD32 and needs to be bounds checked before adding
one to it to come up with the total size to allocate, to avoid integer
overflow leading to underallocation and writing data from the network past
the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
src/glx/XF86dri.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
Index: mesa-8.0.4/src/glx/XF86dri.c
===================================================================
--- mesa-8.0.4.orig/src/glx/XF86dri.c
+++ mesa-8.0.4/src/glx/XF86dri.c
@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
#include "xf86dristr.h"
+#include <limits.h>
static XExtensionInfo _xf86dri_info_data;
static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int
}
if (rep.length) {
- if (!(*busIdString = (char *) Xcalloc(rep.busIdStringLength + 1, 1))) {
+ if (rep.busIdStringLength < INT_MAX)
+ *busIdString = calloc(rep.busIdStringLength + 1, 1);
+ else
+ *busIdString = NULL;
+ if (*busIdString == NULL) {
_XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();
++++++
u_0002_integer_overflow_in_XF86DRIGetClientDriverName_CVE-2013-1993.patch ++++++
[Mesa-dev] [PATCH:mesa 2/2] integer overflow in XF86DRIGetClientDriverName()
[CVE-2013-1993 2/2]
Alan Coopersmith alan.coopersmith at oracle.com
clientDriverNameLength is a CARD32 and needs to be bounds checked before
adding one to it to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
src/glx/XF86dri.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
Index: mesa-8.0.4/src/glx/XF86dri.c
===================================================================
--- mesa-8.0.4.orig/src/glx/XF86dri.c
+++ mesa-8.0.4/src/glx/XF86dri.c
@@ -300,9 +300,11 @@ XF86DRIGetClientDriverName(Display * dpy
*ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
if (rep.length) {
- if (!
- (*clientDriverName =
- (char *) Xcalloc(rep.clientDriverNameLength + 1, 1))) {
+ if (rep.clientDriverNameLength < INT_MAX)
+ *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
+ else
+ *clientDriverName = NULL;
+ if (*clientDriverName == NULL) {
_XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
