[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#949541: marked as done (buster-pu: package mesa/18.3.6-2+deb10u1)

Your message dated Sat, 08 Feb 2020 14:21:36 +0000
with message-id <cf1cb2f35981916a86b98b83609df15c95aa378b.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.3 point release
has caused the Debian Bug report #949541,
regarding buster-pu: package mesa/18.3.6-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
949541: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949541
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Attached debdiff fixes a minor security issue in mesa. I've been running
the updated packaged on a Buster workstation over the last days.

Cheers,
        Moritz

diff -u mesa-18.3.6/debian/changelog mesa-18.3.6/debian/changelog
--- mesa-18.3.6/debian/changelog
+++ mesa-18.3.6/debian/changelog
@@ -1,3 +1,10 @@
+mesa (18.3.6-2+deb10u1) buster; urgency=medium
+
+  * Call shmget() with permission 0600 instead of 0777 (CVE-2019-5068)
+    (Closes: #944298)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Wed, 15 Jan 2020 20:28:42 +0100
+
 mesa (18.3.6-2) unstable; urgency=medium
 
   * Cherry-pick c77acc3ceba (meson: remove meson-created megadrivers
diff -u mesa-18.3.6/debian/patches/series mesa-18.3.6/debian/patches/series
--- mesa-18.3.6/debian/patches/series
+++ mesa-18.3.6/debian/patches/series
@@ -5,0 +6 @@
+CVE-2019-5068.patch
only in patch2:
unchanged:
--- mesa-18.3.6.orig/debian/patches/CVE-2019-5068.patch
+++ mesa-18.3.6/debian/patches/CVE-2019-5068.patch
@@ -0,0 +1,68 @@
+From 02c3dad0f3b4d26e0faa5cc51d06bc50d693dcdc Mon Sep 17 00:00:00 2001
+From: Brian Paul <brianp@vmware.com>
+Date: Wed, 9 Oct 2019 12:05:16 -0600
+Subject: Call shmget() with permission 0600 instead of 0777
+
+A security advisory (TALOS-2019-0857/CVE-2019-5068) found that
+creating shared memory regions with permission mode 0777 could allow
+any user to access that memory.  Several Mesa drivers use shared-
+memory XImages to implement back buffers for improved performance.
+
+This path changes the shmget() calls to use 0600 (user r/w).
+
+Tested with legacy Xlib driver and llvmpipe.
+
+Cc: mesa-stable@lists.freedesktop.org
+Reviewed-by: Kristian H. Kristensen <hoegsberg@google.com>
+---
+ src/gallium/winsys/sw/dri/dri_sw_winsys.c   | 3 ++-
+ src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++-
+ src/mesa/drivers/x11/xm_buffer.c            | 3 ++-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+index cbccf4d01df..6173147a1ff 100644
+--- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c
++++ b/src/gallium/winsys/sw/dri/dri_sw_winsys.c
+@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, unsigned size)
+ {
+    char *addr;
+ 
+-   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
++   /* 0600 = user read+write */
++   dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
+    if (dri_sw_dt->shmid < 0)
+       return NULL;
+ 
+diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+index be28fae3df2..8e97f0a24af 100644
+--- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
++++ b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c
+@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned size)
+    shminfo->shmid = -1;
+    shminfo->shmaddr = (char *) -1;
+ 
+-   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777);
++   /* 0600 = user read+write */
++   shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
+    if (shminfo->shmid < 0) {
+       return NULL;
+    }
+diff --git a/src/mesa/drivers/x11/xm_buffer.c b/src/mesa/drivers/x11/xm_buffer.c
+index d945d8af556..0da08a6e64d 100644
+--- a/src/mesa/drivers/x11/xm_buffer.c
++++ b/src/mesa/drivers/x11/xm_buffer.c
+@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width, GLuint height)
+       return GL_FALSE;
+    }
+ 
++   /* 0600 = user read+write */
+    b->shminfo.shmid = shmget(IPC_PRIVATE, b->backxrb->ximage->bytes_per_line
+-			     * b->backxrb->ximage->height, IPC_CREAT|0777);
++                             * b->backxrb->ximage->height, IPC_CREAT | 0600);
+    if (b->shminfo.shmid < 0) {
+       _mesa_warning(NULL, "shmget failed while allocating back buffer.\n");
+       XDestroyImage(b->backxrb->ximage);
+-- 
+cgit v1.2.1
+


Cheers,
        Moritz

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.3

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
Reply to: