Bug 5354

Summary: Update request: nvidia173 for mga1, CVE-2012-0946
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, inetcustomer-mageia, sysadmin-bugs, tmb
Version: 1Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: nvidia173-173.14.31-1.mga1 CVE:
Status comment:

Description Anssi Hannula 2012-04-11 18:08:05 CEST 
Advisory:
====================
A security vulnerability has been found in the NVIDIA proprietary driver which allows any process to reconfigure the GPU and gain access to arbitrary system memory (CVE-2012-0946). This vulnerability has been classified as high risk by NVIDIA.

This update for nvidia173 addresses the issue. Additionally, this legacy driver is updated to the version 173.14.31, which fixes a bug that caused freezes and crashes when resizing windows in KDE 4 with desktop effects enabled.

References:
http://nvidia.custhelp.com/app/answers/detail/a_id/3109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0946
====================

The following packages have been uploaded to mga1 nonfree/updates_testing:
dkms-nvidia173-173.14.31-1.mga1
nvidia173-cuda-173.14.31-1.mga1
nvidia173-debug-173.14.31-1.mga1
nvidia173-devel-173.14.31-1.mga1
nvidia173-doc-html-173.14.31-1.mga1
x11-driver-video-nvidia173-173.14.31-1.mga1

Source package: nvidia173-173.14.31-1.mga1

No testcase for the vulnerability is available.
Comment 1 Dave Hodgins 2012-05-11 00:11:00 CEST 
I've submitted a request for testers to the general discussion list.

CC: (none) => davidwhodgins

Comment 2 Big YellowHats 2012-05-11 20:56:43 CEST 
I've installed dkms-nvidia173, nvidia173-doc-html, and x11-driver-video-nvidia173... all is well.   Thanks.

OT FYI: the nouveau driver is NOT satisfactory with Geforce FX 5200 so I'm in a holding pattern with regards to putting Mageia2 into production on a couple of machines.  At least I've now found official word that Nvidia _is_ working on updates for xserver 1.11 and/or 1.12.  see: http://lists.x.org/archives/xorg-devel/2011-August/024752.html
   -and-
 http://www.nvnews.net/vbulletin/showthread.php?s=900d698df351f68a2d9dbe12f99d35f5&t=179489&page=2

CC: (none) => inetcustomer-mageia

Comment 3 Dave Hodgins 2012-05-11 22:58:43 CEST 
(In reply to comment #2)
> I've installed dkms-nvidia173, nvidia173-doc-html, and
> x11-driver-video-nvidia173... all is well.   Thanks.

Is that on a 32 bit or 64 bit installation?
Comment 4 Big YellowHats 2012-05-12 00:49:00 CEST 
 32
Manuel Hiebel 2012-06-14 13:07:24 CEST

Component: RPM Packages => Security

Comment 5 Dave Hodgins 2012-06-23 00:42:12 CEST 
Given the security risk is considered high, I think we should go
ahead and validate this update, even though we only have one arch
validate.  Any objections?
Comment 6 Dave Hodgins 2012-06-26 23:44:56 CEST 
Validating the update.

Could someone from the sysadmin team push the srpm
nvidia173-173.14.31-1.mga1
from Mageia 1 Nonfree Updates Testing to Nonfree Updates.

Advisory: A security vulnerability has been found in the NVIDIA proprietary
driver which allows any process to reconfigure the GPU and gain access to
arbitrary system memory (CVE-2012-0946). This vulnerability has been classified
as high risk by NVIDIA.

This update for nvidia173 addresses the issue. Additionally, this legacy driver
is updated to the version 173.14.31, which fixes a bug that caused freezes and
crashes when resizing windows in KDE 4 with desktop effects enabled.

References:
http://nvidia.custhelp.com/app/answers/detail/a_id/3109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0946

https://bugs.mageia.org/show_bug.cgi?id=5354

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2012-06-27 17:37:43 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0131

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED