pool/Mesa
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- u_mesa-CVE-2023-45913.patch

Browse Source 
* NULL pointer dereference via dri2GetGlxDrawableFromXDrawableId()
    (CVE-2023-45913, bsc#1222040)
- u_mesa-CVE-2023-45919.patch
  * buffer over-read in glXQueryServerString() 
    (CVE-2023-45919, bsc#1222041)
- u_mesa-CVE-2023-45922.patch
  * segmentation violation in __glXGetDrawableAttribute()
    (CVE-2023-45922, bsc#1222042)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/Mesa?expand=0&rev=1335
This commit is contained in:
Stefan Dirsch 2024-10-01 12:22:57 +00:00 committed by Git OBS Bridge
parent 13c57f25db
commit 2fb7449ee5
5 changed files with 80 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Mesa.changes
View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Tue Oct 1 11:08:36 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
- u_mesa-CVE-2023-45913.patch
* NULL pointer dereference via dri2GetGlxDrawableFromXDrawableId()
(CVE-2023-45913, bsc#1222040)
- u_mesa-CVE-2023-45919.patch
* buffer over-read in glXQueryServerString()
(CVE-2023-45919, bsc#1222041)
- u_mesa-CVE-2023-45922.patch
* segmentation violation in __glXGetDrawableAttribute()
(CVE-2023-45922, bsc#1222042)
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Sep 23 16:56:40 UTC 2024 - Marcus Rueckert <mrueckert@suse.de> Mon Sep 23 16:56:40 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>

10
Mesa.spec
View File

@ -1,5 +1,5 @@
# #
# spec file for package Mesa # spec file
# #
# Copyright (c) 2024 SUSE LLC # Copyright (c) 2024 SUSE LLC
# #
@ -185,6 +185,10 @@ Patch54: n_drirc-disable-rgb10-for-chromium-on-amd.patch
Patch58: u_dep_xcb.patch Patch58: u_dep_xcb.patch
Patch100: U_fix-mpeg1_2-decode-mesa-20.2.patch Patch100: U_fix-mpeg1_2-decode-mesa-20.2.patch
Patch400: n_stop-iris-flicker.patch Patch400: n_stop-iris-flicker.patch
Patch1222040: u_mesa-CVE-2023-45913.patch
Patch1222041: u_mesa-CVE-2023-45919.patch
Patch1222042: u_mesa-CVE-2023-45922.patch
%ifarch %{ix86} x86_64 %ifarch %{ix86} x86_64
BuildRequires: DirectX-Headers >= 1.613.0 BuildRequires: DirectX-Headers >= 1.613.0
%endif %endif
@ -849,7 +853,9 @@ cp %{SOURCE6} subprojects/packagecache/
%patch -P 58 -p1 %patch -P 58 -p1
%patch -P 100 -p1 %patch -P 100 -p1
%patch -P 400 -p1 %patch -P 400 -p1
%patch -P 1222040 -p1
%patch -P 1222041 -p1
%patch -P 1222042 -p1
# Remove requires to vulkan libs from baselibs.conf on platforms # Remove requires to vulkan libs from baselibs.conf on platforms
# where vulkan build is disabled; ugly ... # where vulkan build is disabled; ugly ...
%if 0%{?with_vulkan} == 0 %if 0%{?with_vulkan} == 0

13
u_mesa-CVE-2023-45913.patch Normal file
View File

@ -0,0 +1,13 @@
src/glx/dri2_glx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/glx/dri2_glx.c
+++ b/src/glx/dri2_glx.c
@@ -1399,7 +1399,7 @@ dri2GetGlxDrawableFromXDrawableId(Displa
struct dri2_display *pdp = (struct dri2_display *) d->dri2Display;
__GLXDRIdrawable *pdraw;
- if (__glxHashLookup(pdp->dri2Hash, id, (void *) &pdraw) == 0)
+ if (pdp && __glxHashLookup(pdp->dri2Hash, id, (void *) &pdraw) == 0)
return pdraw;
return NULL;

31
u_mesa-CVE-2023-45919.patch Normal file
View File

@ -0,0 +1,31 @@
src/glx/glx_query.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/src/glx/glx_query.c
+++ b/src/glx/glx_query.c
@@ -53,6 +53,13 @@ __glXQueryServerString(Display * dpy, in
/* The spec doesn't mention this, but the Xorg server replies with
* a string already terminated with '\0'. */
uint32_t len = xcb_glx_query_server_string_string_length(reply);
+ /* Allow a max of 64kb string length */
+ size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), 64*1024);
+ if (reply_len + 1 != len)
+ {
+ free(reply);
+ return(NULL);
+ }
char *buf = malloc(len);
memcpy(buf, xcb_glx_query_server_string_string(reply), len);
free(reply);
@@ -77,6 +84,12 @@ __glXGetString(Display * dpy, int opcode
/* The spec doesn't mention this, but the Xorg server replies with
* a string already terminated with '\0'. */
uint32_t len = xcb_glx_get_string_string_length(reply);
+ size_t reply_len = strnlen(xcb_glx_get_string_string(reply), 64*1024);
+ if (reply_len + 1 != len)
+ {
+ free(reply);
+ return(NULL);
+ }
char *buf = malloc(len);
memcpy(buf, xcb_glx_get_string_string(reply), len);
free(reply);

15
u_mesa-CVE-2023-45922.patch Normal file
View File

@ -0,0 +1,15 @@
src/glx/glx_pbuffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: mesa-24.2.3/src/glx/glx_pbuffer.c
===================================================================
--- mesa-24.2.3.orig/src/glx/glx_pbuffer.c
+++ mesa-24.2.3/src/glx/glx_pbuffer.c
@@ -329,7 +329,7 @@ __glXGetDrawableAttribute(Display * dpy,
/* Search the set of returned attributes for the attribute requested by
* the caller.
*/
- for (i = 0; i < num_attributes; i++) {
+ for (i = 0; i < num_attributes && i * 2 + 1 < length; i++) {
if (data[i * 2] == attribute) {
found = 1;
*value = data[(i * 2) + 1];