mesa: Changes to 'ubuntu-precise'
debian/changelog | 32 +++++++++++++
debian/control | 16 +++---
debian/patches/CVE-2012-5129.patch | 86 +++++++++++++++++++++++++++++++++++++
debian/patches/CVE-2013-1872.patch | 74 +++++++++++++++++++++++++++++++
debian/patches/CVE-2013-1993.patch | 45 +++++++++++++++++++
debian/patches/series | 3 +
6 files changed, 248 insertions(+), 8 deletions(-)
New commits:
commit 51fbea2e1321f87393a0373d9765f9ac8318cdab
Author: Maarten Lankhorst <maarten.lankhorst@canonical.com>
Date: Tue Dec 17 10:38:56 2013 +0100
Allow lts-saucy and lts-trusty to satisfy some depends too. (LP: #1253041)
diff --git a/debian/changelog b/debian/changelog
index 85a46b1..177cd61 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+mesa (8.0.4-0ubuntu0.7) precise-proposed; urgency=low
+
+ * Allow lts-saucy and lts-trusty to satisfy some depends too. (LP: #1253041)
+
+ -- Maarten Lankhorst <maarten.lankhorst@ubuntu.com> Tue, 17 Dec 2013 10:36:12 +0100
+
mesa (8.0.4-0ubuntu0.6) precise-security; urgency=low
* SECURITY UPDATE: denial of service and possible code execution via
diff --git a/debian/control b/debian/control
index 88d3821..67849c8 100644
--- a/debian/control
+++ b/debian/control
@@ -253,9 +253,9 @@ Package: libegl1-mesa-dev
Section: libdevel
Architecture: linux-any kfreebsd-any
Depends:
- libegl1-mesa (= ${binary:Version}) | libegl1-mesa-lts-quantal | libegl1-mesa-lts-raring,
- libegl1-mesa-drivers (= ${binary:Version}) | libegl1-mesa-drivers-lts-quantal | libegl1-mesa-drivers-lts-raring,
- libdrm-dev (>= 2.4.19) [!hurd-any] | libdrm-dev-lts-quantal | libdrm-dev-lts-raring | libdrm-dev-renamed,
+ libegl1-mesa (= ${binary:Version}) | libegl1-mesa-lts-quantal | libegl1-mesa-lts-raring | libegl1-mesa-lts-saucy | libegl1-mesa-lts-trusty,
+ libegl1-mesa-drivers (= ${binary:Version}) | libegl1-mesa-drivers-lts-quantal | libegl1-mesa-drivers-lts-raring | libegl1-mesa-drivers-lts-saucy | libegl1-mesa-drivers-lts-trusty,
+ libdrm-dev (>= 2.4.19) [!hurd-any],
x11proto-dri2-dev (>= 2.1),
x11proto-gl-dev (>= 1.4.11),
libx11-dev,
@@ -686,8 +686,8 @@ Package: libgl1-mesa-dev
Section: libdevel
Architecture: any
Depends:
- mesa-common-dev (= ${binary:Version}) | mesa-common-dev-lts-quantal | mesa-common-dev-lts-raring,
- libgl1-mesa-glx (= ${binary:Version}) | libgl1-mesa-glx-lts-quantal | libgl1-mesa-glx-lts-raring,
+ mesa-common-dev (= ${binary:Version}) | mesa-common-dev-lts-quantal | mesa-common-dev-lts-raring | mesa-common-dev-lts-saucy | mesa-common-dev-lts-trusty,
+ libgl1-mesa-glx (= ${binary:Version}) | libgl1-mesa-glx-lts-quantal | libgl1-mesa-glx-lts-raring | libgl1-mesa-glx-lts-saucy | libgl1-mesa-glx-lts-trusty,
libxext-dev,
${misc:Depends},
Conflicts: libgl-dev, libgl1-mesa-dri-dev
@@ -710,7 +710,7 @@ Architecture: any
Replaces: xlibmesa-gl-dev (<< 1:7), xlibosmesa-dev, libgl1-mesa-swx11-dev (<< 6.5.2), libgl1-mesa-dev (<< 7.5~rc4-2)
Depends:
libx11-dev,
- libdrm-dev (>= 2.4.19) | libdrm-dev-lts-quantal | libdrm-dev-lts-raring | libdrm-dev-renamed,
+ libdrm-dev (>= 2.4.19),
${misc:Depends},
Description: Developer documentation for Mesa
This package includes the specifications for the Mesa-specific OpenGL
@@ -739,7 +739,7 @@ Section: libdevel
Architecture: any
Depends:
libosmesa6 (= ${binary:Version}),
- mesa-common-dev (= ${binary:Version}) | mesa-common-dev-lts-quantal | mesa-common-dev-lts-raring | libgl-dev,
+ mesa-common-dev (= ${binary:Version}) | mesa-common-dev-lts-quantal | mesa-common-dev-lts-raring | mesa-common-dev-lts-saucy | mesa-common-dev-lts-trusty | libgl-dev,
${misc:Depends},
Conflicts: xlibosmesa-dev, libosmesa4-dev, libosmesa-dev
Replaces: xlibosmesa-dev, libosmesa-dev, libgl1-mesa-swx11-dev (<< 6.5.2), mesa-common-dev (<< 6.5.2)
@@ -780,7 +780,7 @@ Section: libdevel
Architecture: any
Depends:
libglu1-mesa (= ${binary:Version}),
- libgl1-mesa-dev | libgl1-mesa-dev-lts-quantal | libgl1-mesa-dev-lts-raring | libgl-dev,
+ libgl1-mesa-dev | libgl1-mesa-dev-lts-quantal | libgl1-mesa-dev-lts-raring | libgl1-mesa-dev-lts-saucy | libgl1-mesa-dev-lts-trusty | libgl-dev,
${misc:Depends},
Provides: libglu-dev, xlibmesa-glu-dev
Conflicts: mesag-dev (<< 5.0.0-1), mesa-glide2-dev (<< 5.0.0-1), mesag3+ggi-dev (<< 5.0.0-1), xlibmesa-dev
commit 47b6c8560dbedea97c085b0f6451219856e53acc
Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
Date: Tue Jun 18 15:22:44 2013 -0400
import security fixes changes from precise-security
diff --git a/debian/changelog b/debian/changelog
index ca88a32..85a46b1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,29 @@
+mesa (8.0.4-0ubuntu0.6) precise-security; urgency=low
+
+ * SECURITY UPDATE: denial of service and possible code execution via
+ out-of-bands access
+ - debian/patches/CVE-2013-1872.patch: check for out-of-bounds reads in
+ src/mesa/drivers/dri/i965/brw_fs.cpp,
+ src/mesa/drivers/dri/i965/brw_fs.h.
+ - CVE-2013-1872
+ * SECURITY UPDATE: denial of service and possible code execution via
+ integer overflows
+ - debian/patches/CVE-2013-1993.patch: check lengths in
+ src/glx/XF86dri.c.
+ - CVE-2013-1993
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 18 Jun 2013 15:22:44 -0400
+
+mesa (8.0.4-0ubuntu0.5) precise-security; urgency=low
+
+ * SECURITY UPDATE: denial of service or possible code execution via
+ buffer overflow
+ - debian/patches/CVE-2012-5129.patch: add bounds checking in
+ src/mesa/main/uniform_query.cpp.
+ - CVE-2012-5129
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 30 Apr 2013 15:02:56 -0700
+
mesa (8.0.4-0ubuntu0.4) precise-proposed; urgency=low
* Bump libdrm-dev requirement to >= 2.4.34 to force building against new libdrm
diff --git a/debian/patches/CVE-2012-5129.patch b/debian/patches/CVE-2012-5129.patch
new file mode 100644
index 0000000..08339f6
--- /dev/null
+++ b/debian/patches/CVE-2012-5129.patch
@@ -0,0 +1,86 @@
+Backport of:
+
+From 46e3aeb07702f57d389fbfcade9d4ef66218dc53 Mon Sep 17 00:00:00 2001
+From: Frank Henigman <fjhenigman@google.com>
+Date: Fri, 14 Dec 2012 20:52:17 +0000
+Subject: mesa: add bounds checking for uniform array access
+
+No piglit regressions and now passes glsl-uniform-out-of-bounds-2.
+
+validate_uniform_parameters now checks that the array index is
+valid. This means if an index is out of bounds, glGetUniform* now
+fails with GL_INVALID_OPERATION, as it should.
+_mesa_uniform and _mesa_uniform_matrix also call
+validate_uniform_parameters so the bounds checks there became
+redundant and were removed.
+
+The test in glGetUniformLocation is modified to check array bounds
+so it now returns GL_INVALID_INDEX (-1) if you ask for the location
+of a non-existent array element, as it should.
+
+Signed-off-by: Frank Henigman <fjhenigman@google.com>
+Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>
+---
+(limited to 'src/mesa/main/uniform_query.cpp')
+
+Index: mesa-8.0.4/src/mesa/main/uniform_query.cpp
+===================================================================
+--- mesa-8.0.4.orig/src/mesa/main/uniform_query.cpp 2013-04-30 15:01:27.341893214 -0700
++++ mesa-8.0.4/src/mesa/main/uniform_query.cpp 2013-04-30 15:02:24.981894690 -0700
+@@ -164,11 +164,14 @@
+ return false;
+ }
+
+- /* This case should be impossible. The implication is that a call like
+- * glGetUniformLocation(prog, "foo[8]") was successful but "foo" is not an
+- * array.
+- */
+- if (*array_index != 0 && shProg->UniformStorage[*loc].array_elements == 0) {
++ /* If the uniform is an array, check that array_index is in bounds.
++ * If not an array, check that array_index is zero.
++ * array_index is unsigned so no need to check for less than zero.
++ */
++ unsigned limit = shProg->UniformStorage[*loc].array_elements;
++ if (limit == 0)
++ limit = 1;
++ if (*array_index >= limit) {
+ _mesa_error(ctx, GL_INVALID_OPERATION, "%s(location=%d)",
+ caller, location);
+ return false;
+@@ -655,9 +658,6 @@
+ * will have already generated an error.
+ */
+ if (uni->array_elements != 0) {
+- if (offset >= uni->array_elements)
+- return;
+-
+ count = MIN2(count, (int) (uni->array_elements - offset));
+ }
+
+@@ -801,9 +801,6 @@
+ * will have already generated an error.
+ */
+ if (uni->array_elements != 0) {
+- if (offset >= uni->array_elements)
+- return;
+-
+ count = MIN2(count, (int) (uni->array_elements - offset));
+ }
+
+@@ -933,10 +930,13 @@
+ if (!found)
+ return -1;
+
+- /* Since array_elements is 0 for non-arrays, this causes look-ups of 'a[0]'
+- * to (correctly) fail if 'a' is not an array.
++ /* If the uniform is an array, fail if the index is out of bounds.
++ * (A negative index is caught above.) This also fails if the uniform
++ * is not an array, but the user is trying to index it, because
++ * array_elements is zero and offset >= 0.
+ */
+- if (array_lookup && shProg->UniformStorage[location].array_elements == 0) {
++ if (array_lookup
++ && offset >= shProg->UniformStorage[location].array_elements) {
+ return -1;
+ }
+
diff --git a/debian/patches/CVE-2013-1872.patch b/debian/patches/CVE-2013-1872.patch
new file mode 100644
index 0000000..b30a88c
--- /dev/null
+++ b/debian/patches/CVE-2013-1872.patch
@@ -0,0 +1,74 @@
+Description: fix denial of service and possible code execution via
+ out-of-bands access
+Origin: backport, http://cgit.freedesktop.org/mesa/mesa/commit/?id=0677ea063cd96adefe87c1fb01ef7c66d905535b
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=59429
+
+Index: mesa-8.0.4/src/mesa/drivers/dri/i965/brw_fs.cpp
+===================================================================
+--- mesa-8.0.4.orig/src/mesa/drivers/dri/i965/brw_fs.cpp 2013-06-18 15:21:02.412474717 -0400
++++ mesa-8.0.4/src/mesa/drivers/dri/i965/brw_fs.cpp 2013-06-18 15:21:02.408474717 -0400
+@@ -249,6 +249,7 @@
+ import_uniforms_callback,
+ variable_ht);
+ this->params_remap = v->params_remap;
++ this->nr_params_remap = v->nr_params_remap;
+ }
+
+ /* Our support for uniforms is piggy-backed on the struct
+@@ -846,6 +847,7 @@
+ {
+ if (c->dispatch_width == 8) {
+ this->params_remap = ralloc_array(mem_ctx, int, c->prog_data.nr_params);
++ this->nr_params_remap = c->prog_data.nr_params;
+
+ for (unsigned int i = 0; i < c->prog_data.nr_params; i++)
+ this->params_remap[i] = -1;
+@@ -860,7 +862,14 @@
+ if (inst->src[i].file != UNIFORM)
+ continue;
+
+- assert(constant_nr < (int)c->prog_data.nr_params);
++ /* Section 5.11 of the OpenGL 4.3 spec says:
++ *
++ * "Out-of-bounds reads return undefined values, which include
++ * values from other variables of the active program or zero."
++ */
++ if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) {
++ constant_nr = 0;
++ }
+
+ /* For now, set this to non-negative. We'll give it the
+ * actual new number in a moment, in order to keep the
+@@ -912,6 +921,10 @@
+ if (inst->src[i].file != UNIFORM)
+ continue;
+
++ /* as above alias to 0 */
++ if (constant_nr < 0 || constant_nr >= (int)this->nr_params_remap) {
++ constant_nr = 0;
++ }
+ assert(this->params_remap[constant_nr] != -1);
+ inst->src[i].reg = this->params_remap[constant_nr];
+ inst->src[i].reg_offset = 0;
+Index: mesa-8.0.4/src/mesa/drivers/dri/i965/brw_fs.h
+===================================================================
+--- mesa-8.0.4.orig/src/mesa/drivers/dri/i965/brw_fs.h 2013-06-18 15:21:02.412474717 -0400
++++ mesa-8.0.4/src/mesa/drivers/dri/i965/brw_fs.h 2013-06-18 15:22:04.716474123 -0400
+@@ -423,6 +423,9 @@
+ this->virtual_grf_use = NULL;
+ this->live_intervals_valid = false;
+
++ this->params_remap = NULL;
++ this->nr_params_remap = 0;
++
+ this->kill_emitted = false;
+ this->force_uncompressed_stack = 0;
+ this->force_sechalf_stack = 0;
+@@ -613,6 +616,7 @@
+ * uniform index.
+ */
+ int *params_remap;
++ int nr_params_remap;
+
+ struct hash_table *variable_ht;
+ ir_variable *frag_depth;
diff --git a/debian/patches/CVE-2013-1993.patch b/debian/patches/CVE-2013-1993.patch
new file mode 100644
index 0000000..888406f
--- /dev/null
+++ b/debian/patches/CVE-2013-1993.patch
@@ -0,0 +1,45 @@
+Description: fix denial of service and possible code execution via
+ integer overflows
+Origin: backport, http://cgit.freedesktop.org/mesa/mesa/commit?id=2e5a268f18be30df15aed0b44b01a18a37fb5df4
+Origin: backport, http://cgit.freedesktop.org/mesa/mesa/commit?id=306f630e676eb901789dd09a0f30d7e7fa941ebe
+
+Index: mesa-9.0.3/src/glx/XF86dri.c
+===================================================================
+--- mesa-9.0.3.orig/src/glx/XF86dri.c 2013-06-18 14:02:56.964519401 -0400
++++ mesa-9.0.3/src/glx/XF86dri.c 2013-06-18 14:04:41.700518402 -0400
+@@ -43,6 +43,7 @@
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
+ #include "xf86dristr.h"
++#include <limits.h>
+
+ static XExtensionInfo _xf86dri_info_data;
+ static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
+@@ -201,7 +202,11 @@
+ }
+
+ if (rep.length) {
+- if (!(*busIdString = (char *) Xcalloc(rep.busIdStringLength + 1, 1))) {
++ if (rep.busIdStringLength < INT_MAX)
++ *busIdString = calloc(rep.busIdStringLength + 1, 1);
++ else
++ *busIdString = NULL;
++ if (*busIdString == NULL) {
+ _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
+ UnlockDisplay(dpy);
+ SyncHandle();
+@@ -300,9 +305,11 @@
+ *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
+
+ if (rep.length) {
+- if (!
+- (*clientDriverName =
+- (char *) Xcalloc(rep.clientDriverNameLength + 1, 1))) {
++ if (rep.clientDriverNameLength < INT_MAX)
++ *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
++ else
++ *clientDriverName = NULL;
++ if (*clientDriverName == NULL) {
+ _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
+ UnlockDisplay(dpy);
+ SyncHandle();
diff --git a/debian/patches/series b/debian/patches/series
index 9fa1a91..8f20c2e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,6 @@
119_reduce_wm_thread_count_on_ivb_gt1.diff
50-CVE-2012-2864.patch
libdrm_nouveau1.diff
+CVE-2012-5129.patch
+CVE-2013-1872.patch
+CVE-2013-1993.patch
Reply to: