| Summary: | mesa new security issue CVE-2012-5129 (plus 8.0.5 update) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Hans Micheelsen <micheelsen> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | alien, lemonzest, luigiwalser, mageia, remco, sysadmin-bugs, thierry.vignaud, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/549579/ | | |
| Whiteboard: | has_procedure mga2-32-ok mga2-64-OK | | |
| Source RPM: | mesa-8.0.5-1.mga2.src.rpm mesa-8.0.5-1.mga2.tainted.src.rpm | CVE: | |
| Status comment: | | | |

Description
Hans Micheelsen
2012-10-28 21:21:49 CET
Hans Micheelsen
2012-10-28 21:22:15 CET
Summary:
Bug fix version 8.0.5 released - please update =>
Mesa: Bug fix version 8.0.5 released - please update
Hans Micheelsen
2012-10-28 21:24:08 CET
Summary:
Mesa: Bug fix version 8.0.5 released - please update =>
Mesa: Bug fix version 8.0.5 of mesa released - please update
Hans Micheelsen
2012-10-28 21:25:06 CET
Summary:
Mesa: Bug fix version 8.0.5 of mesa released - please update =>
Mesa: Bug fix version 8.0.5 released - please update
Manuel Hiebel
2012-10-29 18:34:21 CET
CC:
(none) =>
mageia, thierry.vignaud, tmb

I was wondering how much time would pass before someone asks this :-)

Sorry, I did hesitate one day after I saw the release note. Next time I'll be more swift. How about 9.0.0 (or 9.0.1) in backports?

(In reply to comment #2)
> How about 9.0.0 (or 9.0.1) in backports?

Nope. It won't happen... it is way too much of a core package to be allowed... But Mga3 will have mesa 9.0+ along with other fun stuff..

Any news on if 8.0.5 will happen? It has quite a few bug fixes. Many thanks.
CC:
(none) =>
lemonzest

Anybody can do it...
Keywords:
(none) =>
Junior_job

upload in progress

Thanks tv for uploading this. Please assign to qa-bugs when it is ready :-)
Changelog: http://www.mesa3d.org/relnotes-8.0.5.html
CC:
(none) =>
remco

Thanks for the upload :), testing now

I've done a (pseudo) testing with Flightgear, gl-117 and glxgears. I know this is not a real test, just an indication, but those three applications work without problem - with ATI R7770

been testing with OpenArena, Sauerbraten, PrBoom-plus and Yamagi Quake2: no regressions or slowdowns, using OSS Radeon drivers on an AMD HD6770, also no bugs/regressions in Gnome-shell (though it seems a little less laggy)
Graphics: Card: ATI Juniper XT [AMD Radeon HD 6000 Series] X.Org: 1.11.4 driver: radeon Resolution: 2048x1152@59.9hz
GLX Renderer: Gallium 0.4 on AMD JUNIPER GLX Version: 2.1 Mesa 8.0.5

We'll hold off on this for now, as there is a security issue that should go out at the same time, but the fix is not validated upstream yet:
http://www.mail-archive.com/mesa-dev@lists.freedesktop.org/msg29015.html

Any news?

when i was still on mga2, i did not have any issues with this, played many opengl games and no issues with gnome-shell

Seems to be stalled at mesa. Got this from mesa-dev mailing list:
>>snip snip>>
On Sat, Dec 15, 2012 at 7:02 AM, Stéphane Marchesin <stephane.marche...@gmail.com> wrote:
> On Fri, Dec 14, 2012 at 12:52 PM, Frank Henigman <fjhenig...@google.com> wrote:
>> No piglit regressions and now passes glsl-uniform-out-of-bounds-2.
>>
>> Should this have gone into the stable 9.0 branch?
<<snip snip<<

The patch Thomas linked in Comment 11 is now upstream:
http://cgit.freedesktop.org/mesa/mesa/commit/src/mesa/main/uniform_query.cpp?id=46e3aeb07702f57d389fbfcade9d4ef66218dc53
It made it into the mesa version we have in Cauldron, but not in 8.0.5.
It was also assigned CVE-2012-5129.

Ubuntu has issued an advisory for this today (May 7):
http://www.ubuntu.com/usn/usn-1818-1/

Patched package uploaded for Mageia 2.

Note to QA: since our last update (8.0.4 + a security patch), tv updated this to 8.0.5. He also forgot to reset the release tag (and remove the subrel), so I had to get it removed from updates_testing. If you installed packages from mesa-8.0.5-2.1.mga2.src.rpm, you'll need to remove them to test this update.

Advisory:
========================

Updated mesa packages fix security vulnerability:

It was discovered that Mesa incorrectly handled certain arrays. An attacker could use this issue to cause Mesa to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2012-5129).

Mesa has also been updated to version 8.0.5, fixing several bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5129
http://mesa3d.org/relnotes/8.0.5.html
http://www.ubuntu.com/usn/usn-1818-1/
========================

Updated packages in {core,tainted}/updates_testing:
========================
mesa-8.0.5-1.mga2
libmesagl1-8.0.5-1.mga2
libdri-drivers-8.0.5-1.mga2
libmesagl1-devel-8.0.5-1.mga2
libmesaglu1-8.0.5-1.mga2
libmesaglu1-devel-8.0.5-1.mga2
libmesaegl1-8.0.5-1.mga2
libmesaegl1-devel-8.0.5-1.mga2
libglapi0-8.0.5-1.mga2
libglapi0-devel-8.0.5-1.mga2
libmesaglesv1_1-8.0.5-1.mga2
libmesaglesv1_1-devel-8.0.5-1.mga2
libmesaglesv2_2-8.0.5-1.mga2
libmesaglesv2_2-devel-8.0.5-1.mga2
libmesaopenvg1-8.0.5-1.mga2
libmesaopenvg1-devel-8.0.5-1.mga2
libgbm1-8.0.5-1.mga2
libgbm1-devel-8.0.5-1.mga2
libwayland-egl1-8.0.5-1.mga2
libwayland-egl1-devel-8.0.5-1.mga2
mesa-common-devel-8.0.5-1.mga2

from mesa-8.0.5-1.mga2.src.rpm
URL:
http://mesa3d.org =>
http://lwn.net/Vulnerabilities/549579/

No public PoC. Testing can be done with demos from the mesa-demos package. Run various commands from 'urpmf mesa-demos | grep bin'. The tainted version of mesa adds support for S3 texture compression, which can be tested with 'glxinfo | grep s3tc'.
Whiteboard:
(none) =>
has_procedure

Again, there are two separate SRPMs:
mesa-8.0.5-1.mga2.src.rpm
mesa-8.0.5-1.mga2.tainted.src.rpm
Source RPM:
mesa-8.0.4-2.1.mga2.src.rpm mesa-8.0.4-2.1.mga2.tainted.src.rpm =>
mesa-8.0.5-1.mga2.src.rpm mesa-8.0.5-1.mga2.tainted.src.rpm
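The advisory above describes the flaw only as Mesa "incorrectly handling certain arrays", and the mesa-dev quote points at an out-of-bounds uniform array access (the fix landed in uniform_query.cpp and is covered by the piglit test glsl-uniform-out-of-bounds-2). The C program below is an added illustration of that bug class written for this page; it is not Mesa's code and not the patched function, and the exact shape of Mesa's defect is not shown on the page, so the defective clamp used here is an assumption chosen to show how such a check fails. It assumes a uniform array addressed, glUniform-style, by an element offset and an element count, and all names (naive_clamp, safe_clamp, upload_uniform, demo_upload) and the storage layout are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed illustration of the array-bounds class behind CVE-2012-5129.
 * Not Mesa's code: the uniform layout and all helpers are assumptions for
 * the example. A uniform array of ELEMS vec4 entries is updated with
 * glUniform-style arguments: an element offset (array index) and a count. */
#define ELEMS 4u
#define FLOATS_PER_ELEM 4u

typedef struct {
    unsigned array_elements;              /* declared size of the array   */
    float data[ELEMS * FLOATS_PER_ELEM];  /* backing storage (ELEMS vec4) */
} uniform_t;

/* Defective clamp (the pattern to avoid): it only trims a range that starts
 * inside the array. If offset is already >= array_elements the subtraction
 * wraps in unsigned arithmetic and the caller is handed a huge count, so a
 * write built on it runs off the end of the storage. The sum offset + count
 * can also wrap, making an out-of-range request look in-range. */
static unsigned naive_clamp(unsigned array_elements, unsigned offset, unsigned count)
{
    if (offset + count > array_elements)
        count = array_elements - offset;   /* wraps when offset > array_elements */
    return count;
}

/* Hardened clamp: refuse any offset at or beyond the end, then trim the
 * count without ever forming offset + count, so nothing can overflow.
 * Returns the number of elements that may be written (0 = write nothing). */
static unsigned safe_clamp(unsigned array_elements, unsigned offset, unsigned count)
{
    if (offset >= array_elements)
        return 0;
    if (count > array_elements - offset)
        count = array_elements - offset;
    return count;
}

/* Copy `count` vec4 values from src into the uniform starting at element
 * `offset`, using the hardened clamp. Returns how many elements were stored. */
static unsigned upload_uniform(uniform_t *u, unsigned offset, unsigned count,
                               const float *src)
{
    unsigned n = safe_clamp(u->array_elements, offset, count);
    if (n > 0)
        memcpy(&u->data[offset * FLOATS_PER_ELEM], src,
               (size_t)n * FLOATS_PER_ELEM * sizeof(float));
    return n;
}

/* Drive upload_uniform with a canary placed directly after the storage.
 * Returns the number of elements written, or -1 if the canary was damaged. */
static int demo_upload(unsigned offset, unsigned count)
{
    struct {
        uniform_t u;
        uint32_t canary;
    } s;
    float src[ELEMS * FLOATS_PER_ELEM];
    unsigned i, n;

    memset(&s, 0, sizeof s);
    s.u.array_elements = ELEMS;
    s.canary = 0xDEADBEEFu;
    for (i = 0; i < ELEMS * FLOATS_PER_ELEM; i++)
        src[i] = 1.0f;                    /* constructed sample payload */

    n = upload_uniform(&s.u, offset, count, src);
    return s.canary == 0xDEADBEEFu ? (int)n : -1;
}

int main(void)
{
    printf("naive_clamp(4, 6, 1) = %u (wrapped: a write using it would overrun)\n",
           naive_clamp(ELEMS, 6, 1));
    printf("safe_clamp(4, 6, 1)  = %u (offset past the end, rejected)\n",
           safe_clamp(ELEMS, 6, 1));
    printf("safe_clamp(4, 2, 5)  = %u (trimmed to the two remaining elements)\n",
           safe_clamp(ELEMS, 2, 5));
    printf("demo_upload(2, 5)    = %d elements stored, canary intact\n",
           demo_upload(2, 5));
    return 0;
}
```

The point for a reviewer of array-update paths is in safe_clamp: the offset is validated on its own before any arithmetic involving it, and the remaining capacity is computed as a subtraction that cannot wrap, rather than comparing a sum that can. naive_clamp is never used to drive a write here; it is only evaluated to show the wrapped count that would result.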
AL13N
2013-05-08 21:42:43 CEST
CC:
(none) =>
alien

Testing complete mga2 32 & 64
Various mesa-demos commands plus flightgear & asteroids3D on core and tainted versions

Validating

Advisory:
========================

Updated mesa packages fix security vulnerability:

It was discovered that Mesa incorrectly handled certain arrays. An attacker could use this issue to cause Mesa to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2012-5129).

Mesa has also been updated to version 8.0.5, fixing several bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5129
http://mesa3d.org/relnotes/8.0.5.html
http://www.ubuntu.com/usn/usn-1818-1/
========================

SRPMs:
mesa-8.0.5-1.mga2.src.rpm
mesa-8.0.5-1.mga2.tainted.src.rpm

Could sysadmin please push from core & tainted updates testing to core & tainted updates. Thanks!
Keywords:
(none) =>
validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0143
Status:
NEW =>
RESOLVED