Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 472280 (CVE-2013-1872) - <media-libs/mesa-9.1.4: "remove_dead_constants()" Memory Corruption Vulnerability (CVE-2013-1872)
Summary: <media-libs/mesa-9.1.4: "remove_dead_constants()" Memory Corruption Vulnerabi...
Status: RESOLVED FIXED
Alias: CVE-2013-1872
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/53662/
Whiteboard: A3 [glsa]
Keywords:
Depends on: 475480 487964 488018
Blocks:
  Show dependency tree
 
Reported: 2013-06-04 13:28 UTC by Agostino Sarubbo
Modified: 2014-04-08 09:28 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-06-04 13:28:22 UTC
From ${URL} :

Description
A vulnerability has been reported in Mesa, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to an input validation error within the "remove_dead_constants()" function (/mesa/drivers/dri/i965/brw_fs.cpp) when 
handling certain shader values, which can be exploited to cause an out-of-bounds write and corrupt memory.

NOTE: This vulnerability affects the Intel platform only.


Solution
Fixed in the GIT repository.
Further details available to Secunia VIM customers

Provided and/or discovered by
Reported by the vendor.

Original Advisory
https://bugs.freedesktop.org/show_bug.cgi?id=59429


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-06-30 12:58:26 UTC
This is fixed in master and 9.1 branch
http://cgit.freedesktop.org/mesa/mesa/commit/?id=0677ea063cd96adefe87c1fb01ef7c66d905535b
http://cgit.freedesktop.org/mesa/mesa/commit/?h=9.1&id=039cf3aaf23b151d22cb3587062be052a16272a4

It will be included in mesa-9.1.4 which is expected soon.
Comment 2 David Heidelberg (okias) 2013-07-20 15:43:48 UTC
9.1.4 is released.
Comment 3 Jeroen Roovers gentoo-dev 2013-07-20 17:16:16 UTC
*** Bug 477520 has been marked as a duplicate of this bug. ***
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-08-28 23:06:59 UTC
CVE-2013-1872 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1872):
  The Intel drivers in Mesa 8.0.x and 9.0.x allow context-dependent attackers
  to cause a denial of service (reachable assertion and crash) and possibly
  execute arbitrary code via vectors involving 3d graphics that trigger an
  out-of-bounds array access, related to the fs_visitor::remove_dead_constants
  function.  NOTE: this issue might be related to CVE-2013-0796.
Comment 5 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-10-13 17:03:00 UTC
Vulnerable versions have been removed from the tree or masked. I did not remove all older versions, because some users may still require them.
Comment 6 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-10-21 21:44:38 UTC
I removed the mask again so that visibility requirements are met (bug 487964 and bug 488018). Instead I masked the video_cards_intel and video_cards_i965 flags for <=mesa-9.0.3, which will prevent the vulnerable code from being built. These flags are not useful on ppc/ppc64 anyway.
Comment 7 Chí-Thanh Christopher Nguyễn gentoo-dev 2014-03-26 12:13:05 UTC
Vulnerable versions have been p.masked.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-04-08 09:28:09 UTC
This issue was resolved and addressed in
 GLSA 201404-06 at http://security.gentoo.org/glsa/glsa-201404-06.xml
by GLSA coordinator Mikle Kolyada (Zlogene).