Sync from SUSE:ALP:Source:Standard:1.0 Mesa revision 17179e1da2cb17c3148dcbdf73d8ae42

2024-12-11 11:28:51 +01:00 · 2024-12-11 11:28:51 +01:00 · 0759607bfc
commit 0759607bfc
parent 01b6d2a2ca
5 changed files with 82 additions and 0 deletions
--- a/Mesa.changes
+++ b/Mesa.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue Oct  1 13:16:26 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
+
+- u_mesa-CVE-2023-45913.patch
+  * NULL pointer dereference via dri2GetGlxDrawableFromXDrawableId()
+    (CVE-2023-45913, bsc#1222040)
+- u_mesa-CVE-2023-45919.patch
+  * buffer over-read in glXQueryServerString() 
+    (CVE-2023-45919, bsc#1222041)
+- u_mesa-CVE-2023-45922.patch
+  * segmentation violation in __glXGetDrawableAttribute()
+    (CVE-2023-45922, bsc#1222042) 
+
 -------------------------------------------------------------------
 Thu Jan 25 05:19:47 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

--- a/Mesa.spec
+++ b/Mesa.spec
@ -148,6 +148,9 @@ Patch58:        u_dep_xcb.patch
 Patch100:       U_fix-mpeg1_2-decode-mesa-20.2.patch
 Patch200:       u_fix-build-on-ppc64le.patch
 Patch400:       n_stop-iris-flicker.patch
+Patch1222040:   u_mesa-CVE-2023-45913.patch
+Patch1222041:   u_mesa-CVE-2023-45919.patch
+Patch1222042:   u_mesa-CVE-2023-45922.patch
 %ifarch %{ix86} x86_64
 BuildRequires:  DirectX-Headers
 %endif
@ -770,6 +773,9 @@ rm -rf docs/README.{VMS,WIN32,OS2}
 %patch -P 100 -p1
 #%patch -P 200 -p1
 %patch -P 400 -p1
+%patch -P 1222040 -p1
+%patch -P 1222041 -p1
+%patch -P 1222042 -p1

 # Remove requires to vulkan libs from baselibs.conf on platforms
 # where vulkan build is disabled; ugly ...
--- a/u_mesa-CVE-2023-45913.patch
+++ b/u_mesa-CVE-2023-45913.patch
@ -0,0 +1,15 @@
+ src/glx/dri2_glx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+Index: mesa-23.3.4/src/glx/dri2_glx.c
+===================================================================
+--- mesa-23.3.4.orig/src/glx/dri2_glx.c
+++ mesa-23.3.4/src/glx/dri2_glx.c
+@@ -1206,7 +1206,7 @@ dri2GetGlxDrawableFromXDrawableId(Displa
+    struct dri2_display *pdp = (struct dri2_display *) d->dri2Display;
+    __GLXDRIdrawable *pdraw;
+ 
+-   if (__glxHashLookup(pdp->dri2Hash, id, (void *) &pdraw) == 0)
+   if (pdp && __glxHashLookup(pdp->dri2Hash, id, (void *) &pdraw) == 0)
+       return pdraw;
+ 
+    return NULL;
--- a/u_mesa-CVE-2023-45919.patch
+++ b/u_mesa-CVE-2023-45919.patch
@ -0,0 +1,33 @@
+ src/glx/glx_query.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+Index: mesa-23.3.4/src/glx/glx_query.c
+===================================================================
+--- mesa-23.3.4.orig/src/glx/glx_query.c
+++ mesa-23.3.4/src/glx/glx_query.c
+@@ -56,6 +56,13 @@ __glXQueryServerString(Display * dpy, CA
+    /* The spec doesn't mention this, but the Xorg server replies with
+     * a string already terminated with '\0'. */
+    uint32_t len = xcb_glx_query_server_string_string_length(reply);
+   /* Allow a max of 64kb string length */
+   size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), 64*1024);
+   if (reply_len + 1 != len)
+   {
+      free(reply);
+      return(NULL);
+   }
+    char *buf = malloc(len);
+    memcpy(buf, xcb_glx_query_server_string_string(reply), len);
+    free(reply);
+@@ -83,6 +90,12 @@ __glXGetString(Display * dpy, CARD32 con
+    /* The spec doesn't mention this, but the Xorg server replies with
+     * a string already terminated with '\0'. */
+    uint32_t len = xcb_glx_get_string_string_length(reply);
+   size_t reply_len = strnlen(xcb_glx_get_string_string(reply), 64*1024);
+   if (reply_len + 1 != len)
+   {
+      free(reply);
+      return(NULL);
+   }
+    char *buf = malloc(len);
+    memcpy(buf, xcb_glx_get_string_string(reply), len);
+    free(reply);
--- a/u_mesa-CVE-2023-45922.patch
+++ b/u_mesa-CVE-2023-45922.patch
@ -0,0 +1,15 @@
+ src/glx/glx_pbuffer.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+Index: mesa-23.3.4/src/glx/glx_pbuffer.c
+===================================================================
+--- mesa-23.3.4.orig/src/glx/glx_pbuffer.c
+++ mesa-23.3.4/src/glx/glx_pbuffer.c
+@@ -329,7 +329,7 @@ __glXGetDrawableAttribute(Display * dpy,
+          /* Search the set of returned attributes for the attribute requested by
+           * the caller.
+           */
+-         for (i = 0; i < num_attributes; i++) {
+         for (i = 0; i < num_attributes && i * 2 + 1 < length; i++) {
+             if (data[i * 2] == attribute) {
+                found = 1;
+                *value = data[(i * 2) + 1];