From $URL :

Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5129 to the following vulnerability:

Heap-based buffer overflow in the WebGL subsystem in Google Chrome OS before 23.0.1271.94 allows remote attackers to cause a denial of service (GPU process crash) or possibly have unspecified other impact via unknown vectors.

External References:
http://googlechromereleases.blogspot.com/2012/11/stable-update-for-chrome-os_30.html
https://code.google.com/p/chromium/issues/detail?id=145525

Proposed patch:
http://www.mail-archive.com/mesa-dev@lists.freedesktop.org/msg29015.html
Fixed since 9.0.3/9.1. Do we want to stable 9.0.3, or just cleanup?
mesa-9.0.3 is affected by CVE-2013-1993, so there is little point in stabilizing that. If/when upstream releases 9.0.4 with that fixed, we will consider it for stabilization.
Well, we still have vulnerable stuff in tree. I don't suppose we can remove 9.0.*?
CVE-2013-1993 is fixed in upstream's 9.0 branch, but no release was made from that branch since then. As some users still depend on old mesa, p.masking affected versions is probably better.
Vulnerable versions no longer in tree. No stabilization as per comments, 9.1.6 is stable. Added to existing GLSA draft. Maintainer(s), Thank you for your work!
Vulnerable versions have been p.masked.
This issue was resolved and addressed in GLSA 201404-06 at http://security.gentoo.org/glsa/glsa-201404-06.xml by GLSA coordinator Mikle Kolyada (Zlogene).