[Mesa-dev] [PATCH:mesa 0/2] integer overflows in GLX DRI code [CVE-2013-1993]

Brian Paul brianp at vmware.com
Thu May 23 10:16:11 PDT 2013

On 05/23/2013 09:44 AM, Alan Coopersmith wrote:
> The X.Org security team has been notified by a security researcher of bugs in
> the protocol handling code across libX11 & many of its extension libraries.
> These could be exploited in X clients that are setuid or otherwise running
> with raised privileges, if a user could run them with their display set to
> a Xserver they've modified to exploit them (perhaps a custom Xephyr or remote
> Xorg).   More details about these issues can be found in our advisory posting
> at http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 .
> One of the extensions affected is DRI, for which the code is not in a shared
> libXdri, but copied into several locations, including Mesa's GLX library.
> This series of patches corrects these bugs in Mesa's copy.
> Alan Coopersmith (2):
>    integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2]
>    integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
>   src/glx/XF86dri.c |   15 +++++++++++----
>   1 file changed, 11 insertions(+), 4 deletions(-)

Looks good to me, but a second set of eyes would be good.

One thing: these should probably be tagged with "NOTE: Candidate for the 
stable branches".

Reviewed-by: Brian Paul <brianp at vmware.com>

More information about the mesa-dev mailing list