#1140473 trixie-pu: package mesa/25.0.7-2+deb13u1

#1140473#5
Date:
2026-06-21 10:42:48 UTC
From:
To:
Hi,

as part of LTS I was working on fixing CVE-2026-40393,
an out-of-bounds memory access vulnerability [1].

The upstream patches are these two commits:
https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e (mesa-26.0.1)
https://gitlab.freedesktop.org/mesa/mesa/-/commit/45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4 (mesa-26.0.1)
The patches mostly applied cleanly -- only .pick_status.json and the
include sections of the patches needed rework, as the set of includes
was different in the trixie version.

Additionally, the helper-macro STACK_ARRAY had to be backported.
(Technically this macro exists already in another file in the version in trixie,
in the file src/vulkan/util/vk_util.h, however, I've chosen to have it
in a dedicated file as the vk_util.h pulls in a lot of extra stuff by
its includes)

I've tested the patches in a trixie VM; mesa's test suite is happy too
and I've also (as upstream suggested) tested the patches with piglit
[2], also happy. (upstream suggests dEQP, however, I couldn't get this
working at all.)

I've reached out to the mesa maintainers for an RFC, however, I didn't
get any response.

The maintainers' git repo also had a commit targeting #1116427 authored
by josch. I've chosen not to apply that patch and have a CVE-dedicated
update (I can't test on ARM Mali G52 arch, I don't have the hardware)


[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

I'll also propose an update for bookworm to mitigate this CVE.

[1] https://deb.freexian.com/extended-lts/tracker/CVE-2026-40393
[2] https://docs.mesa3d.org/submittingpatches.html#testing-patches

#1140473#12
Date:
2026-06-26 09:27:19 UTC
From:
To:
I've uploaded the package to the S-P-U-NEW queue.
#1140473#17
Date:
2026-06-27 19:16:04 UTC
From:
To:
package release.debian.org
tags 1140473 = trixie pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian trixie.

Thanks for your contribution!

Upload details
==============

Package: mesa
Version: 25.0.7-2+deb13u1

Explanation: fix WebGPU/SPIR-V allocation handling [CVE-2026-40393]
