diff --git a/Mesa-drivers.changes b/Mesa-drivers.changes
index 01df779..53eb8fb 100644
--- a/Mesa-drivers.changes
+++ b/Mesa-drivers.changes
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Thu Nov 14 14:36:08 UTC 2019 - Stefan Dirsch
+
+- u_call-shmget-with-permission-0600-instead-of-0777.patch
+ * CVE-2019-5068 (bsc#1156015)
+
+-------------------------------------------------------------------
+Thu Nov 14 10:15:13 UTC 2019 - Stefan Dirsch
+
+- Update to version 19.2.4
+ * This is an emergency release, to fix a critical bug found in
+ the 19.2.3 release which causes incomplete rendering on all
+ mesa drivers. This release contains a single patch to fix
+ that bug.
+
+-------------------------------------------------------------------
+Wed Nov 13 14:01:29 UTC 2019 - Frederic Crozat
+
+- Update _contraints, Mesa-drivers needs 7GB of disk to build
+ safely.
+
 -------------------------------------------------------------------
 Thu Nov 7 11:20:41 UTC 2019 - Stefan Dirsch
diff --git a/Mesa-drivers.spec b/Mesa-drivers.spec
index f536a76..8f8640f 100644
--- a/Mesa-drivers.spec
+++ b/Mesa-drivers.spec
@@ -42,7 +42,7 @@
 %define glamor 1
 %define _name_archive mesa
-%define _version 19.2.3
+%define _version 19.2.4
 %define with_opencl 0
 %define with_vulkan 0
 %define with_llvm 0
@@ -110,7 +110,7 @@
 %endif
 Name: Mesa-drivers
-Version: 19.2.3
+Version: 19.2.4
 Release: 0
 Summary: System for rendering 3-D graphics
 License: MIT
@@ -126,6 +126,7 @@ Source6: %{name}-rpmlintrc
 Source7: Mesa.keyring
 Patch1: n_opencl_dep_libclang.patch
 Patch2: n_add-Mesa-headers-again.patch
+Patch3: u_call-shmget-with-permission-0600-instead-of-0777.patch
 # never to be upstreamed
 Patch54: n_drirc-disable-rgb10-for-chromium-on-amd.patch
 Patch58: u_dep_xcb.patch
@@ -733,6 +734,7 @@ rm -rf docs/README.{VMS,WIN32,OS2}
 %endif
 %endif
 %patch2 -p1
+%patch3 -p1
 %patch54 -p1
 %patch58 -p1
diff --git a/Mesa.changes b/Mesa.changes
index 01df779..53eb8fb 100644
--- a/Mesa.changes
+++ b/Mesa.changes
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Thu Nov 14 14:36:08 UTC 2019 - Stefan Dirsch
+
+- u_call-shmget-with-permission-0600-instead-of-0777.patch
+ * CVE-2019-5068 (bsc#1156015)
+
+-------------------------------------------------------------------
+Thu Nov 14 10:15:13 UTC 2019 - Stefan Dirsch
+
+- Update to version 19.2.4
+ * This is an emergency release, to fix a critical bug found in
+ the 19.2.3 release which causes incomplete rendering on all
+ mesa drivers. This release contains a single patch to fix
+ that bug.
+
+-------------------------------------------------------------------
+Wed Nov 13 14:01:29 UTC 2019 - Frederic Crozat
+
+- Update _contraints, Mesa-drivers needs 7GB of disk to build
+ safely.
+
 -------------------------------------------------------------------
 Thu Nov 7 11:20:41 UTC 2019 - Stefan Dirsch
diff --git a/Mesa.spec b/Mesa.spec
index 73746b1..39a3b3b 100644
--- a/Mesa.spec
+++ b/Mesa.spec
@@ -41,7 +41,7 @@
 %define glamor 1
 %define _name_archive mesa
-%define _version 19.2.3
+%define _version 19.2.4
 %define with_opencl 0
 %define with_vulkan 0
 %define with_llvm 0
@@ -109,7 +109,7 @@
 %endif
 Name: Mesa
-Version: 19.2.3
+Version: 19.2.4
 Release: 0
 Summary: System for rendering 3-D graphics
 License: MIT
@@ -125,6 +125,7 @@ Source6: %{name}-rpmlintrc
 Source7: Mesa.keyring
 Patch1: n_opencl_dep_libclang.patch
 Patch2: n_add-Mesa-headers-again.patch
+Patch3: u_call-shmget-with-permission-0600-instead-of-0777.patch
 # never to be upstreamed
 Patch54: n_drirc-disable-rgb10-for-chromium-on-amd.patch
 Patch58: u_dep_xcb.patch
@@ -732,6 +733,7 @@ rm -rf docs/README.{VMS,WIN32,OS2}
 %endif
 %endif
 %patch2 -p1
+%patch3 -p1
 %patch54 -p1
 %patch58 -p1
diff --git a/_constraints b/_constraints
index 5f95421..13d1758 100644
--- a/_constraints
+++ b/_constraints
@@ -7,7 +7,7 @@
- 6
+ 7
diff --git a/mesa-19.2.3.tar.xz b/mesa-19.2.3.tar.xz
deleted file mode 100644
index 967f91c..0000000
--- a/mesa-19.2.3.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5ee6e42504fe41dcc9a6eba26982656a675b2550a640946f463927ed7f1c5047
-size 11457544
diff --git a/mesa-19.2.3.tar.xz.sig b/mesa-19.2.3.tar.xz.sig
deleted file mode 100644
index 3c8c569..0000000
Binary files a/mesa-19.2.3.tar.xz.sig and /dev/null differ
diff --git a/mesa-19.2.4.tar.xz b/mesa-19.2.4.tar.xz
new file mode 100644
index 0000000..add1895
--- /dev/null
+++ b/mesa-19.2.4.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:09000a0f7dbbd82e193b81a8f1bf0c118eab7ca975c0329181968596e548e30f
+size 11458340
diff --git a/mesa-19.2.4.tar.xz.sig b/mesa-19.2.4.tar.xz.sig
new file mode 100644
index 0000000..8737d88
Binary files /dev/null and b/mesa-19.2.4.tar.xz.sig differ
diff --git a/u_call-shmget-with-permission-0600-instead-of-0777.patch b/u_call-shmget-with-permission-0600-instead-of-0777.patch
new file mode 100644
index 0000000..abd141a
--- /dev/null
+++ b/u_call-shmget-with-permission-0600-instead-of-0777.patch
@@ -0,0 +1,61 @@
+A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
+creating shared memory regions with permission mode 0777 could allow
+any user to access that memory. Several Mesa drivers use shared-
+memory XImages to implement back buffers for improved performance.
+
+This path changes the shmget() calls to use 0600 (user r/w).
+
+Tested with legacy Xlib driver and llvmpipe.
+
+Cc: mesa-stable at lists.freedesktop.org
+---
+ src/gallium/winsys/sw/dri/dri_sw_winsys.c | 3 ++-
+ src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
+ src/mesa/drivers/x11/xm_buffer.c | 3 ++-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+index 761f5d1..2e5970b 100644
+--- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
++++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, unsigned size)
+ {
+ char *addr;
+
+- dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
++ /* 0600 = user read+write */
++ dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0600);
+ if (dri_sw_dt->shmid < 0)
+ return NULL;
+
+diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+index c14c9de..edebb48 100644
+--- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
++++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned size)
+ shminfo->shmid = -1;
+ shminfo->shmaddr = (char *) -1;
+
+- shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
++ /* 0600 = user read+write */
++ shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0600);
+ if (shminfo->shmid < 0) {
+ return NULL;
+ }
+diff --git a/src/mesa/drivers/x11/xm_buffer.c b/src/mesa/drivers/x11/xm_buffer.c
+index d945d8a..0da08a6 100644
+--- a/src/mesa/drivers/x11/xm_buffer.c
++++ b/src/mesa/drivers/x11/xm_buffer.c
+@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width, GLuint height)
+ return GL_FALSE;
+ }
+
++ /* 0600 = user read+write */
+ b->shminfo.shmid = shmget(IPC_PRIVATE, b->backxrb->ximage->bytes_per_line
+- * b->backxrb->ximage->height, IPC_CREAT|0777);
++ * b->backxrb->ximage->height, IPC_CREAT|0600);
+ if (b->shminfo.shmid < 0) {
+ _mesa_warning(NULL, "shmget failed while allocating back buffer.\n");
+ XDestroyImage(b->backxrb->ximage);
+--
+1.8.5.6
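Review bot: The comment added above each of the three `shmget()` calls, `/* 0600 = user read+write */`, restates the octal value but not the reason for it, and the reason is what keeps a later edit from widening the mode again; I would write `/* 0600: owner-only, so other local users cannot attach this segment (CVE-2019-5068) */` in `dri_sw_winsys.c`, `xlib_sw_winsys.c` and `xm_buffer.c`. With the narrower mode only a process running as the creating UID, or one privileged enough to bypass SysV IPC permission checks, can attach, and all three functions continue past the quoted context, so the attach and its error handling are not visible here. The description lists only the legacy Xlib driver and llvmpipe as tested, so it is worth confirming that an attach refused because the X server runs under a different unprivileged UID ends in the non-SHM fallback rather than an unusable back buffer.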