Bug#949541: buster-pu: package mesa/18.3.6-2+deb10u1

2020-01-25 Thread Moritz Mühlenhoff
On Sat, Jan 25, 2020 at 07:29:20PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2020-01-21 at 21:09 +0100, Moritz Muehlenhoff wrote:
> > Attached debdiff fixes a minor security issue in mesa. I've been
> > running the updated package on a Buster workstation over the last
> > days.
> > 
> 
> Please go ahead.

Thanks, uploaded.

Cheers,
Moritz



Bug#949541: buster-pu: package mesa/18.3.6-2+deb10u1

2020-01-25 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2020-01-21 at 21:09 +0100, Moritz Muehlenhoff wrote:
> Attached debdiff fixes a minor security issue in mesa. I've been
> running the updated package on a Buster workstation over the last
> days.
> 

Please go ahead.

Regards,

Adam



Bug#949541: buster-pu: package mesa/18.3.6-2+deb10u1

2020-01-21 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Attached debdiff fixes a minor security issue in mesa. I've been running
the updated package on a Buster workstation over the last days.

Cheers,
Moritz

diff -u mesa-18.3.6/debian/changelog mesa-18.3.6/debian/changelog
--- mesa-18.3.6/debian/changelog
+++ mesa-18.3.6/debian/changelog
@@ -1,3 +1,10 @@
+mesa (18.3.6-2+deb10u1) buster; urgency=medium
+
+  * Call shmget() with permission 0600 instead of 0777 (CVE-2019-5068)
+(Closes: #944298)
+
+ -- Moritz Mühlenhoff   Wed, 15 Jan 2020 20:28:42 +0100
+
 mesa (18.3.6-2) unstable; urgency=medium
 
   * Cherry-pick c77acc3ceba (meson: remove meson-created megadrivers
diff -u mesa-18.3.6/debian/patches/series mesa-18.3.6/debian/patches/series
--- mesa-18.3.6/debian/patches/series
+++ mesa-18.3.6/debian/patches/series
@@ -5,0 +6 @@
+CVE-2019-5068.patch
only in patch2:
unchanged:
--- mesa-18.3.6.orig/debian/patches/CVE-2019-5068.patch
+++ mesa-18.3.6/debian/patches/CVE-2019-5068.patch
@@ -0,0 +1,68 @@
+From 02c3dad0f3b4d26e0faa5cc51d06bc50d693dcdc Mon Sep 17 00:00:00 2001
+From: Brian Paul 
+Date: Wed, 9 Oct 2019 12:05:16 -0600
+Subject: Call shmget() with permission 0600 instead of 0777
+
+A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
+creating shared memory regions with permission mode 0777 could allow
+any user to access that memory.  Several Mesa drivers use shared-
+memory XImages to implement back buffers for improved performance.
+
+This path changes the shmget() calls to use 0600 (user r/w).
+
+Tested with legacy Xlib driver and llvmpipe.
+
+Cc: mesa-sta...@lists.freedesktop.org
+Reviewed-by: Kristian H. Kristensen 
+---
+ src/gallium/winsys/sw/dri/dri_sw_winsys.c   | 3 ++-
+ src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
+ src/mesa/drivers/x11/xm_buffer.c| 3 ++-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c 
b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+index cbccf4d01df..6173147a1ff 100644
+--- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
 b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, unsigned 
size)
+ {
+char *addr;
+ 
+-   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
++   /* 0600 = user read+write */
++   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
+if (dri_sw_dt->shmid < 0)
+   return NULL;
+ 
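Review bot: The new mode in alloc_shm() is a bare octal literal that needs a comment to explain it (`/* 0600 = user read+write */` above `IPC_CREAT | 0600`), and the diffstat shows the same pair repeated in all three files. Consider spelling it `IPC_CREAT | S_IRUSR | S_IWUSR` (from <sys/stat.h>) or defining one shared macro, so the permission documents itself and a later change cannot update one call site and leave the other two behind.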
+diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c 
b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+index be28fae3df2..8e97f0a24af 100644
+--- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
 b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned size)
+shminfo->shmid = -1;
+shminfo->shmaddr = (char *) -1;
+ 
+-   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
++   /* 0600 = user read+write */
++   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
+if (shminfo->shmid < 0) {
+   return NULL;
+}
+diff --git a/src/mesa/drivers/x11/xm_buffer.c 
b/src/mesa/drivers/x11/xm_buffer.c
+index d945d8af556..0da08a6e64d 100644
+--- a/src/mesa/drivers/x11/xm_buffer.c
 b/src/mesa/drivers/x11/xm_buffer.c
+@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width, GLuint 
height)
+   return GL_FALSE;
+}
+ 
++   /* 0600 = user read+write */
+b->shminfo.shmid = shmget(IPC_PRIVATE, b->backxrb->ximage->bytes_per_line
+-   * b->backxrb->ximage->height, IPC_CREAT|0777);
++ * b->backxrb->ximage->height, IPC_CREAT | 0600);
+if (b->shminfo.shmid < 0) {
+   _mesa_warning(NULL, "shmget failed while allocating back buffer.\n");
+   XDestroyImage(b->backxrb->ximage);
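Review bot: In alloc_back_shm_ximage() the comment sits above a two-line call, so the mode it documents ends up at the far end of the continuation line, after the size expression. Computing `b->backxrb->ximage->bytes_per_line * b->backxrb->ximage->height` into a local first would let `IPC_CREAT | 0600` sit on the same line as shmget(), directly under the comment, and would match the single-line form used in the two winsys files.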
+-- 
+cgit v1.2.1
+

