diff --git a/Mesa.changes b/Mesa.changes
index 266acb0..cf07582 100644
--- a/Mesa.changes
+++ b/Mesa.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue Oct 1 11:08:36 UTC 2024 - Stefan Dirsch
+
+- u_mesa-CVE-2023-45913.patch
+ * NULL pointer dereference via dri2GetGlxDrawableFromXDrawableId()
+ (CVE-2023-45913, bsc#1222040)
+- u_mesa-CVE-2023-45919.patch
+ * buffer over-read in glXQueryServerString()
+ (CVE-2023-45919, bsc#1222041)
+- u_mesa-CVE-2023-45922.patch
+ * segmentation violation in __glXGetDrawableAttribute()
+ (CVE-2023-45922, bsc#1222042)
+
 -------------------------------------------------------------------
 Mon Sep 23 16:56:40 UTC 2024 - Marcus Rueckert
 
diff --git a/Mesa.spec b/Mesa.spec
index 5c9353f..8643e70 100644
--- a/Mesa.spec
+++ b/Mesa.spec
@@ -1,5 +1,5 @@
 #
-# spec file for package Mesa
+# spec file
 #
 # Copyright (c) 2024 SUSE LLC
 #
@@ -185,6 +185,10 @@ Patch54: n_drirc-disable-rgb10-for-chromium-on-amd.patch
 Patch58: u_dep_xcb.patch
 Patch100: U_fix-mpeg1_2-decode-mesa-20.2.patch
 Patch400: n_stop-iris-flicker.patch
+Patch1222040: u_mesa-CVE-2023-45913.patch
+Patch1222041: u_mesa-CVE-2023-45919.patch
+Patch1222042: u_mesa-CVE-2023-45922.patch
+
 %ifarch %{ix86} x86_64
 BuildRequires: DirectX-Headers >= 1.613.0
 %endif
@@ -849,7 +853,9 @@ cp %{SOURCE6} subprojects/packagecache/
 %patch -P 58 -p1
 %patch -P 100 -p1
 %patch -P 400 -p1
-
+%patch -P 1222040 -p1
+%patch -P 1222041 -p1
+%patch -P 1222042 -p1
 # Remove requires to vulkan libs from baselibs.conf on platforms
 # where vulkan build is disabled; ugly ...
 %if 0%{?with_vulkan} == 0
diff --git a/u_mesa-CVE-2023-45913.patch b/u_mesa-CVE-2023-45913.patch
new file mode 100644
index 0000000..d438e0a
--- /dev/null
+++ b/u_mesa-CVE-2023-45913.patch
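Review bot: The first Mesa.spec hunk replaces `# spec file for package Mesa` with `# spec file`, dropping the package name from the header although the changelog entry only announces the three CVE patches and gives no reason for it. The openSUSE header is conventionally `# spec file for package <name>` and, as far as I know, the packaging tooling rewrites it into that form, so the shortened line is likely to be flipped back on the next formatting pass and adds noise to a security backport. Unless the change is intentional, keep `# spec file for package Mesa` and leave this hunk out of the CVE update.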
@@ -0,0 +1,13 @@
+ src/glx/dri2_glx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+--- a/src/glx/dri2_glx.c
++++ b/src/glx/dri2_glx.c
+@@ -1399,7 +1399,7 @@ dri2GetGlxDrawableFromXDrawableId(Displa
+ struct dri2_display *pdp = (struct dri2_display *) d->dri2Display;
+ __GLXDRIdrawable *pdraw;
+
+- if (__glxHashLookup(pdp->dri2Hash, id, (void *) &pdraw) == 0)
++ if (pdp && __glxHashLookup(pdp->dri2Hash, id, (void *) &pdraw) == 0)
+ return pdraw;
+
+ return NULL;
diff --git a/u_mesa-CVE-2023-45919.patch b/u_mesa-CVE-2023-45919.patch
new file mode 100644
index 0000000..f2a1d77
--- /dev/null
+++ b/u_mesa-CVE-2023-45919.patch
@@ -0,0 +1,31 @@
+ src/glx/glx_query.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+--- a/src/glx/glx_query.c
++++ b/src/glx/glx_query.c
+@@ -53,6 +53,13 @@ __glXQueryServerString(Display * dpy, in
+ /* The spec doesn't mention this, but the Xorg server replies with
+ * a string already terminated with '\0'. */
+ uint32_t len = xcb_glx_query_server_string_string_length(reply);
++ /* Allow a max of 64kb string length */
++ size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), 64*1024);
++ if (reply_len + 1 != len)
++ {
++ free(reply);
++ return(NULL);
++ }
+ char *buf = malloc(len);
+ memcpy(buf, xcb_glx_query_server_string_string(reply), len);
+ free(reply);
+@@ -77,6 +84,12 @@ __glXGetString(Display * dpy, int opcode
+ /* The spec doesn't mention this, but the Xorg server replies with
+ * a string already terminated with '\0'. */
+ uint32_t len = xcb_glx_get_string_string_length(reply);
++ size_t reply_len = strnlen(xcb_glx_get_string_string(reply), 64*1024);
++ if (reply_len + 1 != len)
++ {
++ free(reply);
++ return(NULL);
++ }
+ char *buf = malloc(len);
+ memcpy(buf, xcb_glx_get_string_string(reply), len);
+ free(reply);
diff --git a/u_mesa-CVE-2023-45922.patch b/u_mesa-CVE-2023-45922.patch
new file mode 100644
index 0000000..125be9f
--- /dev/null
+++ b/u_mesa-CVE-2023-45922.patch
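Review bot: The added `pdp &&` guard protects the hash lookup, but the context line just above it, `struct dri2_display *pdp = (struct dri2_display *) d->dri2Display;`, still dereferences `d` unconditionally; `d` is assigned outside the hunk, and if that lookup can yield NULL the crash only moves up one line. Worth confirming that `d` is guaranteed non-NULL at this point, or guarding both with `if (d && d->dri2Display)` before computing `pdp`. A one-line comment on the new condition would also help the next reader, e.g. `/* dri2Display may be unset for this display; treat as "no drawable" (CVE-2023-45913) */`. The body of dri2GetGlxDrawableFromXDrawableId begins before this hunk.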
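Review bot: The new check in `__glXQueryServerString` scans the reply with `strnlen(..., 64*1024)`, a fixed limit unrelated to the reply's size, so when the server returns a string without a terminator and `len` is below 64 KiB the scan still reads past the end of the reply buffer — the over-read the patch is meant to close. Bound the scan by the length xcb reports instead, `size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), len);` — the existing `reply_len + 1 != len` test then still rejects both `len == 0` and an unterminated string, the `/* Allow a max of 64kb string length */` comment becomes unnecessary, and the scan relies on `len` no more than the `memcpy(buf, ..., len)` on the next context line already does. The second inner hunk in `__glXGetString` has the same issue and takes the same one-line change with `xcb_glx_get_string_string(reply)`. Separately, `malloc(len)` on the context line below is still unchecked before the `memcpy`, and `return(NULL);` with the brace on its own line does not match the surrounding Mesa style. Both functions begin and end outside these hunks.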
@@ -0,0 +1,15 @@
+ src/glx/glx_pbuffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+Index: mesa-24.2.3/src/glx/glx_pbuffer.c
+===================================================================
+--- mesa-24.2.3.orig/src/glx/glx_pbuffer.c
++++ mesa-24.2.3/src/glx/glx_pbuffer.c
+@@ -329,7 +329,7 @@ __glXGetDrawableAttribute(Display * dpy,
+ /* Search the set of returned attributes for the attribute requested by
+ * the caller.
+ */
+- for (i = 0; i < num_attributes; i++) {
++ for (i = 0; i < num_attributes && i * 2 + 1 < length; i++) {
+ if (data[i * 2] == attribute) {
+ found = 1;
+ *value = data[(i * 2) + 1];
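Review bot: The new loop bound `i * 2 + 1 < length` is only correct if `data` holds exactly `length` elements of the width indexed by `data[i * 2]`; `length`, `data` and `num_attributes` are all set outside the hunk, so that relationship should be confirmed (a byte count or a count in a different unit would leave the check off by a factor). If it holds, a short comment would keep the intent from being lost in the next edit, e.g. `/* num_attributes may not match the data actually read; never index past length */`. Alternatively clamp `num_attributes` once where it is computed so every later use is bounded, not just this loop. The body of __glXGetDrawableAttribute continues on both sides of the hunk.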