--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package libvdpau/0.8-3+deb8u2
- From: luca <luca.boccassi@gmail.com>
- Date: Thu, 29 Oct 2015 19:52:23 +0000
- Message-id: <20151029195223.1020.97487.reportbug@luca-desktop.home>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,

We would like to update libvdpau in jessie to address a segmentation fault in a
particular use case.

0.8-3+deb8u1 was uploaded through jessie-security with an upstream fix for 3
security bugs: CVE-2015-5198 CVE-2015-5199 CVE-2015-5200 (see
https://bugs.debian.org/797895).

The upstream patch unfortunately introduced a regression when running with
DRI_PRIME=1, as reported by a user in https://bugs.debian.org/802625 and
upstream has committed a fix for it.

We already uploaded a fixed version to unstable, and now we would like to
backport it to jessie as well. The debdiff follows. I have verified that it
fixes the problem on a vanilla jessie amd64 installation.

Thank you!

Kind regards,
Luca Boccassi

diff -Nru libvdpau-0.8/debian/changelog libvdpau-0.8/debian/changelog
--- libvdpau-0.8/debian/changelog 2015-09-05 13:14:50.000000000 +0100
+++ libvdpau-0.8/debian/changelog 2015-10-29 19:30:28.000000000 +0000
@@ -1,3 +1,10 @@
+libvdpau (0.8-3+deb8u2) jessie; urgency=medium
+
+ [Luca Boccassi]
+ * Cherry-pick patch for DRI_PRIME crash. (Closes: #802625)
+
+ -- Luca Boccassi <luca.boccassi@gmail.com> Wed, 28 Oct 2015 22:41:57 +0000
+
libvdpau (0.8-3+deb8u1) jessie-security; urgency=high
* Patch for CVE 2015-5198, 2015-5199, 2015-5200
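Review bot: the only bullet in the new 0.8-3+deb8u2 entry, "Cherry-pick patch for DRI_PRIME crash", does not say which patch was added or that the crash is a regression from the CVE fixes in 0.8-3+deb8u1 listed directly below it. Name missing-configh-include.patch and the upstream commit it was cherry-picked from, and state the regression, so the stable changelog explains the upload on its own.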
diff -Nru libvdpau-0.8/debian/gbp.conf libvdpau-0.8/debian/gbp.conf
--- libvdpau-0.8/debian/gbp.conf 2015-09-05 13:13:56.000000000 +0100
+++ libvdpau-0.8/debian/gbp.conf 2015-10-29 19:25:06.000000000 +0000
@@ -1,6 +1,6 @@
[DEFAULT]
upstream-branch = upstream
-debian-branch = master
+debian-branch = jessie
upstream-tag = upstream/%(version)s
debian-tag = debian/%(version)s
pristine-tar = True
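Review bot: the debian-branch switch from master to jessie in debian/gbp.conf is not mentioned in the 0.8-3+deb8u2 changelog entry, which lists only the cherry-picked patch. It is a packaging-only change, so either add a changelog bullet for it or leave it out of the upload, keeping the stable debdiff limited to the fix.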
diff -Nru libvdpau-0.8/debian/patches/missing-configh-include.patch
libvdpau-0.8/debian/patches/missing-configh-include.patch
--- libvdpau-0.8/debian/patches/missing-configh-include.patch 1970-01-01
01:00:00.000000000 +0100
+++ libvdpau-0.8/debian/patches/missing-configh-include.patch 2015-10-28
23:47:48.000000000 +0000
@@ -0,0 +1,28 @@
+From: Rico Tzschichholz <ricotz@ubuntu.com>
+Date: Tue, 1 Sep 2015 10:45:11 +0200
+Subject: mesa_dri2: Add missing include of config.h to define _GNU_SOURCE
+
+Fix build with -Wimplicit-function-declaration while secure_getenv() is
+guarded by __USE_GNU.
+
+Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
+Tested-by: Stefan Dirsch <sndirsch@suse.de>
+(cherry picked from commit 1cda354bdfd0c9ca107293b84b52f4464fdbedcc)
+---
+ src/mesa_dri2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/mesa_dri2.c b/src/mesa_dri2.c
+index 51e8794..420ccee 100644
+--- a/src/mesa_dri2.c
++++ b/src/mesa_dri2.c
+@@ -33,6 +33,9 @@
+ * and José Hiram Soltren (jsoltren@nvidia.com)
+ */
+
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
+
+ #define NEED_REPLIES
+ #include <X11/Xlibint.h>
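Review bot: the header of missing-configh-include.patch describes only a build fix for -Wimplicit-function-declaration and never mentions the DRI_PRIME crash or #802625 that the changelog gives as the reason for this upload. Add a Bug-Debian line, or a sentence tying the missing secure_getenv() declaration to the crash, so the patch can be understood without the changelog. In the hunk itself the include is placed ahead of the first system header, <X11/Xlibint.h>, which _GNU_SOURCE needs in order to take effect; it does nothing unless the build defines HAVE_CONFIG_H, so that is worth confirming for the jessie build.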
diff -Nru libvdpau-0.8/debian/patches/series libvdpau-0.8/debian/patches/series
--- libvdpau-0.8/debian/patches/series 2015-09-05 13:13:56.000000000 +0100
+++ libvdpau-0.8/debian/patches/series 2015-10-29 19:25:06.000000000 +0000
@@ -5,3 +5,4 @@
vdpau-module-searchpath.patch
hardening.patch
0007-Use-secure_getenv-3-to-improve-security.patch
+missing-configh-include.patch
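Review bot: missing-configh-include.patch is appended after 0007-Use-secure_getenv-3-to-improve-security.patch, and its header says it exists to get secure_getenv() declared, so it is a follow-up to that entry. Keep the two adjacent and in this order, and consider a "#" comment line in the series file recording that the new patch fixes a regression from 0007.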
--- End Message ---
--- Begin Message ---
On 2015-10-30 17:41, Luca Boccassi wrote:
>> The diff looks good, could you change the target to jessie-security and upload
>> to security-master?
>
> Committed in git, but I'll have to ask Andreas to upload as I lack the
> supercow powers :-)

Extended the problem description and uploaded, thus closing this pu request.

>> Also, do you plan to prepare an update for wheezy-security as well?
>
> I'll have access to a wheezy guinea pig machine on Monday, so if the
> regression is present there as well I'll test a patched version and
> reply back here.

Not needed, src/mesa_dri2.c in 0.4.1 does not call (secure_)getenv().

Andreas
--- End Message ---