Hi,
as part of LTS I was working on fixing CVE-2026-40393,
an out-of-bounds memory access vulnerability [1].
The upstream patches are these two commits:
https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e (mesa-26.0.1)
https://gitlab.freedesktop.org/mesa/mesa/-/commit/45ce75f3bcd638dcf7daae09f9bf0b7c015b81c4 (mesa-26.0.1)
The patches mostly applied cleanly -- only .pick_status.json and the
include sections of the patches needed rework, as the set of includes
was different in the trixie version.
Additionally, the helper macro STACK_ARRAY had to be backported.
(Technically this macro already exists in another file in the version in trixie,
src/vulkan/util/vk_util.h; however, I've chosen to have it
in a dedicated file, as vk_util.h pulls in a lot of extra stuff via
its includes.)
I've tested the patches in a bookworm VM; mesa's test suite is happy too,
and I've also (as upstream suggested) tested the patches with piglit
[2], also happy. (Upstream suggests dEQP; however, I couldn't get this
working at all.)
I've reached out to the mesa maintainers for an RFC; however, I didn't
get any response.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[1] https://deb.freexian.com/extended-lts/tracker/CVE-2026-40393
[2] https://docs.mesa3d.org/submittingpatches.html#testing-patches