Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 445916 (CVE-2012-5129) - <media-libs/mesa-{9.0.3,9.1}: Heap-buffer overflow in glGetUniform* (CVE-2012-5129)
Summary: <media-libs/mesa-{9.0.3,9.1}: Heap-buffer overflow in glGetUniform* (CVE-2012...
Status: RESOLVED FIXED
Alias: CVE-2012-5129
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-04 12:28 UTC by Agostino Sarubbo
Modified: 2014-04-08 09:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-12-04 12:28:59 UTC
From $URL :

Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5129 to the following 
vulnerability:

Heap-based buffer overflow in the WebGL subsystem in Google Chrome OS before 23.0.1271.94 allows 
remote attackers to cause a denial of service (GPU process crash) or possibly have unspecified 
other impact via unknown vectors.

External References:

http://googlechromereleases.blogspot.com/2012/11/stable-update-for-chrome-os_30.html
https://code.google.com/p/chromium/issues/detail?id=145525

Proposed patch:
http://www.mail-archive.com/mesa-dev@lists.freedesktop.org/msg29015.html
Comment 1 Chris Reffett gentoo-dev Security 2013-07-08 23:20:21 UTC
Fixed since 9.0.3/9.1. Do we want to stable 9.0.3, or just cleanup?
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-07-08 23:42:07 UTC
mesa-9.0.3 is affected by CVE-2013-1993, so there is little point in stabilizing that.
If/when upstream releases 9.0.4 with that fixed we will consider for stabilization.
Comment 3 Chris Reffett gentoo-dev Security 2013-09-11 15:07:13 UTC
Well, we still have vulnerable stuff in tree. I don't suppose we can remove 9.0.*?
Comment 4 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-09-15 15:59:20 UTC
CVE-2013-1993 is fixed in upstream's 9.0 branch, but no release was made from that branch since then. As some users still depend on old mesa, p.masking affected versions is probably better.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2013-12-30 07:12:47 UTC
Vulnerable versions no longer in tree

No stabilization as per comments, 9.1.6 is stable.

Added to existing GLSA draft.

Maintainer(s), Thank you for your work!
Comment 6 Chí-Thanh Christopher Nguyễn gentoo-dev 2014-03-26 12:14:05 UTC
Vulnerable versions have been p.masked.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-04-08 09:28:07 UTC
This issue was resolved and addressed in
 GLSA 201404-06 at http://security.gentoo.org/glsa/glsa-201404-06.xml
by GLSA coordinator Mikle Kolyada (Zlogene).