Bug 10569 - mesa new security issues CVE-2013-1872 and CVE-2013-1993
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/552862/
Whiteboard: has_procedure mga2-32-ok mga2-64-ok
Keywords: validated_update
Blocks: 10105

Reported: 2013-06-19 21:30 CEST by David Walser
Modified: 2014-05-08 18:07 CEST
Source RPM: mesa-8.0.5-1.mga2.src.rpm

Description David Walser 2013-06-19 21:30:34 CEST
This bug is to handle just the Mesa package for the X.org update for Mageia 2.

The ETA of the rest of the X.org packages is unknown.

Advisory:
========================

Updated mesa packages fix security vulnerabilities:

An out-of-bounds access flaw was found in Mesa. If an application using
Mesa exposed the Mesa API to untrusted inputs (Mozilla Firefox does
this), an attacker could cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application (CVE-2013-1872).

It was found that Mesa did not correctly validate messages from the X
server. A malicious X server could cause an application using Mesa to crash
or, potentially, execute arbitrary code with the privileges of the user
running the application (CVE-2013-1993).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1993
http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
https://rhn.redhat.com/errata/RHSA-2013-0897.html
========================

Updated packages in core/updates_testing:
========================
mesa-8.0.5-1.1.mga2
libmesagl1-8.0.5-1.1.mga2
libdri-drivers-8.0.5-1.1.mga2
libmesagl1-devel-8.0.5-1.1.mga2
libmesaglu1-8.0.5-1.1.mga2
libmesaglu1-devel-8.0.5-1.1.mga2
libmesaegl1-8.0.5-1.1.mga2
libmesaegl1-devel-8.0.5-1.1.mga2
libglapi0-8.0.5-1.1.mga2
libglapi0-devel-8.0.5-1.1.mga2
libmesaglesv1_1-8.0.5-1.1.mga2
libmesaglesv1_1-devel-8.0.5-1.1.mga2
libmesaglesv2_2-8.0.5-1.1.mga2
libmesaglesv2_2-devel-8.0.5-1.1.mga2
libmesaopenvg1-8.0.5-1.1.mga2
libmesaopenvg1-devel-8.0.5-1.1.mga2
libgbm1-8.0.5-1.1.mga2
libgbm1-devel-8.0.5-1.1.mga2
libwayland-egl1-8.0.5-1.1.mga2
libwayland-egl1-devel-8.0.5-1.1.mga2
mesa-common-devel-8.0.5-1.1.mga2

from mesa-8.0.5-1.1.mga2.src.rpm

Comment 1 David Walser 2013-06-19 21:39:49 CEST
Mesa is in both core and tainted, fixing the text below the advisory to reflect that.  It is also now actually built for tainted.

Advisory:
========================

Updated mesa packages fix security vulnerabilities:

An out-of-bounds access flaw was found in Mesa. If an application using
Mesa exposed the Mesa API to untrusted inputs (Mozilla Firefox does
this), an attacker could cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application (CVE-2013-1872).

It was found that Mesa did not correctly validate messages from the X
server. A malicious X server could cause an application using Mesa to crash
or, potentially, execute arbitrary code with the privileges of the user
running the application (CVE-2013-1993).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1993
http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
https://rhn.redhat.com/errata/RHSA-2013-0897.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
mesa-8.0.5-1.1.mga2
libmesagl1-8.0.5-1.1.mga2
libdri-drivers-8.0.5-1.1.mga2
libmesagl1-devel-8.0.5-1.1.mga2
libmesaglu1-8.0.5-1.1.mga2
libmesaglu1-devel-8.0.5-1.1.mga2
libmesaegl1-8.0.5-1.1.mga2
libmesaegl1-devel-8.0.5-1.1.mga2
libglapi0-8.0.5-1.1.mga2
libglapi0-devel-8.0.5-1.1.mga2
libmesaglesv1_1-8.0.5-1.1.mga2
libmesaglesv1_1-devel-8.0.5-1.1.mga2
libmesaglesv2_2-8.0.5-1.1.mga2
libmesaglesv2_2-devel-8.0.5-1.1.mga2
libmesaopenvg1-8.0.5-1.1.mga2
libmesaopenvg1-devel-8.0.5-1.1.mga2
libgbm1-8.0.5-1.1.mga2
libgbm1-devel-8.0.5-1.1.mga2
libwayland-egl1-8.0.5-1.1.mga2
libwayland-egl1-devel-8.0.5-1.1.mga2
mesa-common-devel-8.0.5-1.1.mga2

from mesa-8.0.5-1.1.mga2.src.rpm
Comment 2 claire robinson 2013-06-20 08:23:29 CEST
Mesa can be tested using some of the demos from the mesa-demos package
$ urpmf mesa-demos | grep bin

The Tainted version makes use of S3 texture compression which is patent encumbered in some areas.
Comment 3 claire robinson 2013-06-20 11:01:01 CEST
No PoCs AFAICT
Comment 4 claire robinson 2013-06-20 12:11:38 CEST
Testing complete mga2 32
Comment 5 claire robinson 2013-06-20 12:51:47 CEST
Advisory uploaded
Comment 6 Manuel Hiebel 2013-06-20 20:14:31 CEST
Mga2 64b testing complete
Comment 7 Dave Hodgins 2013-06-21 01:33:17 CEST
Removing the validated_update keyword.

This one requires testing on multiple types of hardware.
Comment 8 Dave Hodgins 2013-06-21 01:47:32 CEST
Testing complete on x86_64 with a radeon hd5450 using the fglrx driver.
Comment 9 Dave Hodgins 2013-06-21 02:42:09 CEST
Testing complete on i586 with a radeon hd5450 using the fglrx driver.
Comment 10 Dave Hodgins 2013-06-24 03:10:48 CEST
Doesn't look like we're going to get more testers updating the bug report.

Re-validating the bug report.

Could someone from the sysadmin team push the update for mesa?

The advisory 10569.adv is ready.
Comment 11 Nicolas Vigier 2013-06-26 20:43:00 CEST
mesa was updated to version 9.1 with X.Org updates for bug #10565, and the advisory also includes those 2 CVEs.

Should we just close this bug?
Comment 12 Nicolas Vigier 2013-06-26 21:02:59 CEST
Ah, this one is for Mageia 2, and bug #10565 only updates mesa on Mageia 3.
Comment 13 claire robinson 2013-06-26 21:04:34 CEST
this one is just mesa srpm, where the mga3 update had a full x.org
Comment 14 Nicolas Vigier 2013-06-26 21:05:22 CEST
http://advisories.mageia.org/MGASA-2013-0190.html
