From ${URL} :

Description
A vulnerability has been reported in Mesa, which can be exploited by malicious people to compromise an application using the library. The vulnerability is caused due to an input validation error within the "remove_dead_constants()" function (/mesa/drivers/dri/i965/brw_fs.cpp) when handling certain shader values, which can be exploited to cause an out-of-bounds write and corrupt memory.
NOTE: This vulnerability affects the Intel platform only.

Solution
Fixed in the GIT repository. Further details available to Secunia VIM customers.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
https://bugs.freedesktop.org/show_bug.cgi?id=59429

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
This is fixed in master and the 9.1 branch:
http://cgit.freedesktop.org/mesa/mesa/commit/?id=0677ea063cd96adefe87c1fb01ef7c66d905535b
http://cgit.freedesktop.org/mesa/mesa/commit/?h=9.1&id=039cf3aaf23b151d22cb3587062be052a16272a4
It will be included in mesa-9.1.4, which is expected soon.
9.1.4 is released.
*** Bug 477520 has been marked as a duplicate of this bug. ***
CVE-2013-1872 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1872): The Intel drivers in Mesa 8.0.x and 9.0.x allow context-dependent attackers to cause a denial of service (reachable assertion and crash) and possibly execute arbitrary code via vectors involving 3d graphics that trigger an out-of-bounds array access, related to the fs_visitor::remove_dead_constants function. NOTE: this issue might be related to CVE-2013-0796.
Vulnerable versions have been removed from the tree or masked. I did not remove all older versions, because some users may still require them.
I removed the mask again so that visibility requirements are met (bug 487964 and bug 488018). Instead I masked the video_cards_intel and video_cards_i965 flags for <=mesa-9.0.3, which will prevent the vulnerable code from being built. These flags are not useful on ppc/ppc64 anyway.
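The flag mask described in the comment above, written out as a Portage package.use.mask fragment. This is an added illustration, not the actual profile change committed to the Gentoo tree: the exact file in which the maintainer placed the mask (the ppc/ppc64 profile) and the package atom media-libs/mesa are assumed here, and the version bound <=9.0.3 is the one stated in the comment.

```text
# Added example of a profiles/.../package.use.mask entry (not the committed change).
# Masking the Intel video card flags for the vulnerable Mesa versions keeps the
# i965 DRI driver (which contains remove_dead_constants() in brw_fs.cpp) from
# being built at all, instead of masking the whole package.
# Assumed package atom: media-libs/mesa. Version bound from the comment above.
<=media-libs/mesa-9.0.3 video_cards_intel video_cards_i965
```

On an end-user system the same line could be placed in /etc/portage/package.use.mask; a rebuild of mesa would then drop the i965 driver rather than pulling in a masked package, which is why this was preferred over a plain package mask where visibility requirements had to be kept.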
Vulnerable versions have been p.masked.
This issue was resolved and addressed in GLSA 201404-06 at http://security.gentoo.org/glsa/glsa-201404-06.xml by GLSA coordinator Mikle Kolyada (Zlogene).