Bug 10569 - mesa new security issues CVE-2013-1872 and CVE-2013-1993
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All; OS: Linux
Priority: Normal; Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/552862/
Whiteboard: has_procedure mga2-32-ok mga2-64-ok
Keywords: validated_update
Depends on:
Blocks: 10105
Reported: 2013-06-19 21:30 CEST by David Walser
Modified: 2014-05-08 18:07 CEST
Source RPM: mesa-8.0.5-1.mga2.src.rpm
Description David Walser 2013-06-19 21:30:34 CEST
This bug is to handle just the Mesa package for the X.org update for Mageia 2.

The ETA of the rest of the X.org packages is unknown.

Advisory:
========================

Updated mesa packages fix security vulnerabilities:

An out-of-bounds access flaw was found in Mesa. If an application using
Mesa exposed the Mesa API to untrusted inputs (Mozilla Firefox does
this), an attacker could cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application (CVE-2013-1872).

It was found that Mesa did not correctly validate messages from the X
server. A malicious X server could cause an application using Mesa to crash
or, potentially, execute arbitrary code with the privileges of the user
running the application (CVE-2013-1993).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1993
http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
https://rhn.redhat.com/errata/RHSA-2013-0897.html
========================

Updated packages in core/updates_testing:
========================
mesa-8.0.5-1.1.mga2
libmesagl1-8.0.5-1.1.mga2
libdri-drivers-8.0.5-1.1.mga2
libmesagl1-devel-8.0.5-1.1.mga2
libmesaglu1-8.0.5-1.1.mga2
libmesaglu1-devel-8.0.5-1.1.mga2
libmesaegl1-8.0.5-1.1.mga2
libmesaegl1-devel-8.0.5-1.1.mga2
libglapi0-8.0.5-1.1.mga2
libglapi0-devel-8.0.5-1.1.mga2
libmesaglesv1_1-8.0.5-1.1.mga2
libmesaglesv1_1-devel-8.0.5-1.1.mga2
libmesaglesv2_2-8.0.5-1.1.mga2
libmesaglesv2_2-devel-8.0.5-1.1.mga2
libmesaopenvg1-8.0.5-1.1.mga2
libmesaopenvg1-devel-8.0.5-1.1.mga2
libgbm1-8.0.5-1.1.mga2
libgbm1-devel-8.0.5-1.1.mga2
libwayland-egl1-8.0.5-1.1.mga2
libwayland-egl1-devel-8.0.5-1.1.mga2
mesa-common-devel-8.0.5-1.1.mga2

from mesa-8.0.5-1.1.mga2.src.rpm

David Walser 2013-06-19 21:31:11 CEST

Blocks: (none) => 10105

Comment 1 David Walser 2013-06-19 21:39:49 CEST
Mesa is in both core and tainted, fixing the text below the advisory to reflect that.  It is also now actually built for tainted.

Advisory:
========================

Updated mesa packages fix security vulnerabilities:

An out-of-bounds access flaw was found in Mesa. If an application using
Mesa exposed the Mesa API to untrusted inputs (Mozilla Firefox does
this), an attacker could cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application (CVE-2013-1872).

It was found that Mesa did not correctly validate messages from the X
server. A malicious X server could cause an application using Mesa to crash
or, potentially, execute arbitrary code with the privileges of the user
running the application (CVE-2013-1993).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1993
http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
https://rhn.redhat.com/errata/RHSA-2013-0897.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
mesa-8.0.5-1.1.mga2
libmesagl1-8.0.5-1.1.mga2
libdri-drivers-8.0.5-1.1.mga2
libmesagl1-devel-8.0.5-1.1.mga2
libmesaglu1-8.0.5-1.1.mga2
libmesaglu1-devel-8.0.5-1.1.mga2
libmesaegl1-8.0.5-1.1.mga2
libmesaegl1-devel-8.0.5-1.1.mga2
libglapi0-8.0.5-1.1.mga2
libglapi0-devel-8.0.5-1.1.mga2
libmesaglesv1_1-8.0.5-1.1.mga2
libmesaglesv1_1-devel-8.0.5-1.1.mga2
libmesaglesv2_2-8.0.5-1.1.mga2
libmesaglesv2_2-devel-8.0.5-1.1.mga2
libmesaopenvg1-8.0.5-1.1.mga2
libmesaopenvg1-devel-8.0.5-1.1.mga2
libgbm1-8.0.5-1.1.mga2
libgbm1-devel-8.0.5-1.1.mga2
libwayland-egl1-8.0.5-1.1.mga2
libwayland-egl1-devel-8.0.5-1.1.mga2
mesa-common-devel-8.0.5-1.1.mga2

from mesa-8.0.5-1.1.mga2.src.rpm
Comment 2 claire robinson 2013-06-20 08:23:29 CEST
Mesa can be tested using some of the demos from the mesa-demos package
$ urpmf mesa-demos | grep bin

The Tainted version makes use of S3 texture compression which is patent encumbered in some areas.

Whiteboard: (none) => has_procedure

Comment 3 claire robinson 2013-06-20 11:01:01 CEST
No PoCs AFAICT
Comment 4 claire robinson 2013-06-20 12:11:38 CEST
Testing complete mga2 32

Whiteboard: has_procedure => has_procedure mga2-32-ok

Comment 5 claire robinson 2013-06-20 12:51:47 CEST
Advisory uploaded
Comment 6 Manuel Hiebel 2013-06-20 20:14:31 CEST
Mga2 64b testing complete

Keywords: (none) => validated_update
Hardware: i586 => All
Whiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Dave Hodgins 2013-06-21 01:33:17 CEST
Removing the validated_update keyword.

This one requires testing on multiple types of hardware.

Keywords: validated_update => (none)
CC: (none) => davidwhodgins

Comment 8 Dave Hodgins 2013-06-21 01:47:32 CEST
Testing complete on x86_64 with a radeon hd5450 using the fglrx driver.
Comment 9 Dave Hodgins 2013-06-21 02:42:09 CEST
Testing complete on i586 with a radeon hd5450 using the fglrx driver.
Comment 10 Dave Hodgins 2013-06-24 03:10:48 CEST
Doesn't look like we're going to get more testers updating the bug report.

Re-validating the bug report.

Could someone from the sysadmin team push the update for mesa.

The advisory 10569.adv is ready.

Keywords: (none) => validated_update

Comment 11 Nicolas Vigier 2013-06-26 20:43:00 CEST
mesa was updated to version 9.1 with X.Org updates for bug #10565, and the advisory also includes those 2 CVEs.

Should we just close this bug?

CC: (none) => boklm

Comment 12 Nicolas Vigier 2013-06-26 21:02:59 CEST
Ah, this one is for Mageia 2, and bug #10565 only updates mesa on Mageia 3.
Comment 13 claire robinson 2013-06-26 21:04:34 CEST
this one is just mesa srpm, where the mga3 update had a full x.org
Comment 14 Nicolas Vigier 2013-06-26 21:05:22 CEST
http://advisories.mageia.org/MGASA-2013-0190.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:07:09 CEST

CC: boklm => (none)

