- u_mesa-CVE-2023-45913.patch
* NULL pointer dereference via dri2GetGlxDrawableFromXDrawableId()
(CVE-2023-45913, bsc#1222040)
- u_mesa-CVE-2023-45919.patch
* buffer over-read in glXQueryServerString()
(CVE-2023-45919, bsc#1222041)
- u_mesa-CVE-2023-45922.patch
* segmentation violation in __glXGetDrawableAttribute()
(CVE-2023-45922, bsc#1222042)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/Mesa?expand=0&rev=1335
This commit is contained in:
Git OBS Bridge
parent
13c57f25db
commit
2fb7449ee5
13
Mesa.changes
13
Mesa.changes
@ -1,3 +1,16 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 1 11:08:36 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
|
||||
|
||||
- u_mesa-CVE-2023-45913.patch
|
||||
* NULL pointer dereference via dri2GetGlxDrawableFromXDrawableId()
|
||||
(CVE-2023-45913, bsc#1222040)
|
||||
- u_mesa-CVE-2023-45919.patch
|
||||
* buffer over-read in glXQueryServerString()
|
||||
(CVE-2023-45919, bsc#1222041)
|
||||
- u_mesa-CVE-2023-45922.patch
|
||||
* segmentation violation in __glXGetDrawableAttribute()
|
||||
(CVE-2023-45922, bsc#1222042)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 23 16:56:40 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
|
||||
|
||||
|
||||
10
Mesa.spec
10
Mesa.spec
@ -1,5 +1,5 @@
|
||||
#
|
||||
# spec file for package Mesa
|
||||
# spec file
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
@ -185,6 +185,10 @@ Patch54: n_drirc-disable-rgb10-for-chromium-on-amd.patch
|
||||
Patch58: u_dep_xcb.patch
|
||||
Patch100: U_fix-mpeg1_2-decode-mesa-20.2.patch
|
||||
Patch400: n_stop-iris-flicker.patch
|
||||
Patch1222040: u_mesa-CVE-2023-45913.patch
|
||||
Patch1222041: u_mesa-CVE-2023-45919.patch
|
||||
Patch1222042: u_mesa-CVE-2023-45922.patch
|
||||
|
||||
%ifarch %{ix86} x86_64
|
||||
BuildRequires: DirectX-Headers >= 1.613.0
|
||||
%endif
|
||||
@ -849,7 +853,9 @@ cp %{SOURCE6} subprojects/packagecache/
|
||||
%patch -P 58 -p1
|
||||
%patch -P 100 -p1
|
||||
%patch -P 400 -p1
|
||||
|
||||
%patch -P 1222040 -p1
|
||||
%patch -P 1222041 -p1
|
||||
%patch -P 1222042 -p1
|
||||
# Remove requires to vulkan libs from baselibs.conf on platforms
|
||||
# where vulkan build is disabled; ugly ...
|
||||
%if 0%{?with_vulkan} == 0
|
||||
|
||||
13
u_mesa-CVE-2023-45913.patch
Normal file
13
u_mesa-CVE-2023-45913.patch
Normal file
@ -0,0 +1,13 @@
|
||||
src/glx/dri2_glx.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
--- a/src/glx/dri2_glx.c
|
||||
+++ b/src/glx/dri2_glx.c
|
||||
@@ -1399,7 +1399,7 @@ dri2GetGlxDrawableFromXDrawableId(Displa
|
||||
struct dri2_display *pdp = (struct dri2_display *) d->dri2Display;
|
||||
__GLXDRIdrawable *pdraw;
|
||||
|
||||
- if (__glxHashLookup(pdp->dri2Hash, id, (void *) &pdraw) == 0)
|
||||
+ if (pdp && __glxHashLookup(pdp->dri2Hash, id, (void *) &pdraw) == 0)
|
||||
return pdraw;
|
||||
|
||||
return NULL;
|
||||
31
u_mesa-CVE-2023-45919.patch
Normal file
31
u_mesa-CVE-2023-45919.patch
Normal file
@ -0,0 +1,31 @@
|
||||
src/glx/glx_query.c | 13 +++++++++++++
|
||||
1 file changed, 13 insertions(+)
|
||||
--- a/src/glx/glx_query.c
|
||||
+++ b/src/glx/glx_query.c
|
||||
@@ -53,6 +53,13 @@ __glXQueryServerString(Display * dpy, in
|
||||
/* The spec doesn't mention this, but the Xorg server replies with
|
||||
* a string already terminated with '\0'. */
|
||||
uint32_t len = xcb_glx_query_server_string_string_length(reply);
|
||||
+ /* Allow a max of 64kb string length */
|
||||
+ size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), 64*1024);
|
||||
+ if (reply_len + 1 != len)
|
||||
+ {
|
||||
+ free(reply);
|
||||
+ return(NULL);
|
||||
+ }
|
||||
char *buf = malloc(len);
|
||||
memcpy(buf, xcb_glx_query_server_string_string(reply), len);
|
||||
free(reply);
|
||||
@@ -77,6 +84,12 @@ __glXGetString(Display * dpy, int opcode
|
||||
/* The spec doesn't mention this, but the Xorg server replies with
|
||||
* a string already terminated with '\0'. */
|
||||
uint32_t len = xcb_glx_get_string_string_length(reply);
|
||||
+ size_t reply_len = strnlen(xcb_glx_get_string_string(reply), 64*1024);
|
||||
+ if (reply_len + 1 != len)
|
||||
+ {
|
||||
+ free(reply);
|
||||
+ return(NULL);
|
||||
+ }
|
||||
char *buf = malloc(len);
|
||||
memcpy(buf, xcb_glx_get_string_string(reply), len);
|
||||
free(reply);
|
||||
15
u_mesa-CVE-2023-45922.patch
Normal file
15
u_mesa-CVE-2023-45922.patch
Normal file
@ -0,0 +1,15 @@
|
||||
src/glx/glx_pbuffer.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
Index: mesa-24.2.3/src/glx/glx_pbuffer.c
|
||||
===================================================================
|
||||
--- mesa-24.2.3.orig/src/glx/glx_pbuffer.c
|
||||
+++ mesa-24.2.3/src/glx/glx_pbuffer.c
|
||||
@@ -329,7 +329,7 @@ __glXGetDrawableAttribute(Display * dpy,
|
||||
/* Search the set of returned attributes for the attribute requested by
|
||||
* the caller.
|
||||
*/
|
||||
- for (i = 0; i < num_attributes; i++) {
|
||||
+ for (i = 0; i < num_attributes && i * 2 + 1 < length; i++) {
|
||||
if (data[i * 2] == attribute) {
|
||||
found = 1;
|
||||
*value = data[(i * 2) + 1];
|
||||
Loading…
Reference in New Issue
Block a user