#1140495 bookworm-pu: package mesa/22.3.6-1+deb12u2

#1140495#5
Date: 2026-06-21 14:54:53 UTC

Hi,

as part of LTS I was working on fixing CVE-2026-40393,
an out-of-bounds memory access vulnerability [1].

The upstream patches are these two commits:
https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e (mesa-26.0.1)
https://gitlab.freedesktop.org/mesa/mesa/-/commit/45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4 (mesa-26.0.1)
The patches mostly applied cleanly -- only .pick_status.json and the
include sections of the patches needed rework, as the set of includes
was different at the trixie version.

Additionally, the helper macro STACK_ARRAY had to be backported.
(Technically this macro already exists in another file in the version in trixie,
in the file src/vulkan/util/vk_util.h; however, I've chosen to have it
in a dedicated file, as vk_util.h pulls in a lot of extra stuff by
its includes.)

I've tested the patches in a bookworm VM; mesa's test suite is happy too
and I've also (as upstream suggested) tested the patches with piglit
[2], also happy. (upstream suggests dEQP, however, I couldn't get this
working at all.)

I've reached out to the mesa maintainers for an RFC; however, I didn't
get any response.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[1] https://deb.freexian.com/extended-lts/tracker/CVE-2026-40393
[2] https://docs.mesa3d.org/submittingpatches.html#testing-patches

#1140495#12
Date: 2026-06-26 09:26:57 UTC

I've just uploaded the package to the O-S-P-U-NEW queue.

#1140495#17
Date: 2026-06-27 14:36:27 UTC

package release.debian.org
tags 1140495 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: mesa
Version: 22.3.6-1+deb12u2

Explanation: fix WebGPU/SPIR-V allocation handling [CVE-2026-40393]
