diff -u mesa-8.0.4/debian/changelog mesa-8.0.4/debian/changelog
--- mesa-8.0.4/debian/changelog
+++ mesa-8.0.4/debian/changelog
@@ -1,3 +1,19 @@
+mesa (8.0.4-0ubuntu0.6) precise-security; urgency=low
+
+  * SECURITY UPDATE: denial of service and possible code execution via
+    out-of-bands access
+    - debian/patches/CVE-2013-1872.patch: check for out-of-bounds reads in
+      src/mesa/drivers/dri/i965/brw_fs.cpp,
+      src/mesa/drivers/dri/i965/brw_fs.h.
+    - CVE-2013-1872
+  * SECURITY UPDATE: denial of service and possible code execution via
+    integer overflows
+    - debian/patches/CVE-2013-1993.patch: check lengths in
+      src/glx/XF86dri.c.
+    - CVE-2013-1993
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 18 Jun 2013 15:22:44 -0400
+
 mesa (8.0.4-0ubuntu0.5) precise-security; urgency=low
 
   * SECURITY UPDATE: denial of service or possible code execution via
diff -u mesa-8.0.4/debian/patches/series mesa-8.0.4/debian/patches/series
--- mesa-8.0.4/debian/patches/series
+++ mesa-8.0.4/debian/patches/series
@@ -20,0 +21,2 @@
+CVE-2013-1872.patch
+CVE-2013-1993.patch
only in patch2:
unchanged:
--- mesa-8.0.4.orig/debian/patches/CVE-2013-1993.patch
+++ mesa-8.0.4/debian/patches/CVE-2013-1993.patch
@@ -0,0 +1,45 @@
+Description: fix denial of service and possible code execution via
+ integer overflows
+Origin: backport, http://cgit.freedesktop.org/mesa/mesa/commit?id=2e5a268f18be30df15aed0b44b01a18a37fb5df4
+Origin: backport, http://cgit.freedesktop.org/mesa/mesa/commit?id=306f630e676eb901789dd09a0f30d7e7fa941ebe
+
+Index: mesa-9.0.3/src/glx/XF86dri.c
+===================================================================
+--- mesa-9.0.3.orig/src/glx/XF86dri.c	2013-06-18 14:02:56.964519401 -0400
++++ mesa-9.0.3/src/glx/XF86dri.c	2013-06-18 14:04:41.700518402 -0400
+@@ -43,6 +43,7 @@
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
+ #include "xf86dristr.h"
++#include <limits.h>
+ 
+ static XExtensionInfo _xf86dri_info_data;
+ static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
+@@ -201,7 +202,11 @@
+    }
+ 
+    if (rep.length) {
+-      if (!(*busIdString = (char *) Xcalloc(rep.busIdStringLength + 1, 1))) {
++      if (rep.busIdStringLength < INT_MAX)
++         *busIdString = calloc(rep.busIdStringLength + 1, 1);
++      else
++         *busIdString = NULL;
++      if (*busIdString == NULL) {
+          _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
+          UnlockDisplay(dpy);
+          SyncHandle();
+@@ -300,9 +305,11 @@
+    *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
+ 
+    if (rep.length) {
+-      if (!
+-          (*clientDriverName =
+-           (char *) Xcalloc(rep.clientDriverNameLength + 1, 1))) {
++      if (rep.clientDriverNameLength < INT_MAX)
++         *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
++      else
++         *clientDriverName = NULL;
++      if (*clientDriverName == NULL) {
+          _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
+          UnlockDisplay(dpy);
+          SyncHandle();
only in patch2:
unchanged:
--- mesa-8.0.4.orig/debian/patches/CVE-2013-1872.patch
+++ mesa-8.0.4/debian/patches/CVE-2013-1872.patch
@@ -0,0 +1,74 @@
+Description: fix denial of service and possible code execution via
+ out-of-bands access
+Origin: backport, http://cgit.freedesktop.org/mesa/mesa/commit/?id=0677ea063cd96adefe87c1fb01ef7c66d905535b
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=59429
+
+Index: mesa-8.0.4/src/mesa/drivers/dri/i965/brw_fs.cpp
+===================================================================
+--- mesa-8.0.4.orig/src/mesa/drivers/dri/i965/brw_fs.cpp	2013-06-18 15:21:02.412474717 -0400
++++ mesa-8.0.4/src/mesa/drivers/dri/i965/brw_fs.cpp	2013-06-18 15:21:02.408474717 -0400
+@@ -249,6 +249,7 @@
+ 			   import_uniforms_callback,
+ 			   variable_ht);
+    this->params_remap = v->params_remap;
++   this->nr_params_remap = v->nr_params_remap;
+ }
+ 
+ /* Our support for uniforms is piggy-backed on the struct
+@@ -846,6 +847,7 @@
+ {
+    if (c->dispatch_width == 8) {
+       this->params_remap = ralloc_array(mem_ctx, int, c->prog_data.nr_params);
++      this->nr_params_remap = c->prog_data.nr_params;
+ 
+       for (unsigned int i = 0; i < c->prog_data.nr_params; i++)
+ 	 this->params_remap[i] = -1;
+@@ -860,7 +862,14 @@
+ 	    if (inst->src[i].file != UNIFORM)
+ 	       continue;
+ 
+-	    assert(constant_nr < (int)c->prog_data.nr_params);
++	    /* Section 5.11 of the OpenGL 4.3 spec says:
++	     *
++	     *     "Out-of-bounds reads return undefined values, which include
++	     *     values from other variables of the active program or zero."
++	     */
++	    if (constant_nr < 0 || constant_nr >= (int)c->prog_data.nr_params) {
++	       constant_nr = 0;
++	    }
+ 
+ 	    /* For now, set this to non-negative.  We'll give it the
+ 	     * actual new number in a moment, in order to keep the
+@@ -912,6 +921,10 @@
+ 	 if (inst->src[i].file != UNIFORM)
+ 	    continue;
+ 
++	 /* as above alias to 0 */
++	 if (constant_nr < 0 || constant_nr >= (int)this->nr_params_remap) {
++	    constant_nr = 0;
++	 }
+ 	 assert(this->params_remap[constant_nr] != -1);
+ 	 inst->src[i].reg = this->params_remap[constant_nr];
+ 	 inst->src[i].reg_offset = 0;
+Index: mesa-8.0.4/src/mesa/drivers/dri/i965/brw_fs.h
+===================================================================
+--- mesa-8.0.4.orig/src/mesa/drivers/dri/i965/brw_fs.h	2013-06-18 15:21:02.412474717 -0400
++++ mesa-8.0.4/src/mesa/drivers/dri/i965/brw_fs.h	2013-06-18 15:22:04.716474123 -0400
+@@ -423,6 +423,9 @@
+       this->virtual_grf_use = NULL;
+       this->live_intervals_valid = false;
+ 
++      this->params_remap = NULL;
++      this->nr_params_remap = 0;
++
+       this->kill_emitted = false;
+       this->force_uncompressed_stack = 0;
+       this->force_sechalf_stack = 0;
+@@ -613,6 +616,7 @@
+     * uniform index.
+     */
+    int *params_remap;
++   int nr_params_remap;
+ 
+    struct hash_table *variable_ht;
+    ir_variable *frag_depth;