Bug 5355

Summary: Update request: nvidia-96xx for mga1, CVE-2012-0946
Product: Mageia Reporter: Anssi Hannula <anssi.hannula>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 1Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: nvidia-96xx-96.43.20-1.2.mga1 CVE:
Status comment:

Description Anssi Hannula 2012-04-11 18:15:28 CEST 
Advisory:
====================
A security vulnerability has been found in the NVIDIA proprietary driver which allows any process to reconfigure the GPU and gain access to arbitrary system memory (CVE-2012-0946). This vulnerability has been classified as high risk by NVIDIA.

This update for the legacy nvidia-96xx driver addresses the issue.

References:
http://nvidia.custhelp.com/app/answers/detail/a_id/3109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0946
====================

The following packages have been uploaded to mga1 nonfree/updates_testing:
dkms-nvidia96xx-96.43.20-1.2.mga1
nvidia96xx-cuda-96.43.20-1.2.mga1
nvidia96xx-devel-96.43.20-1.2.mga1
nvidia96xx-doc-html-96.43.20-1.2.mga1
x11-driver-video-nvidia96xx-96.43.20-1.2.mga1

Source package: nvidia-96xx-96.43.20-1.2.mga1

No testcase for the vulnerability is available.
Manuel Hiebel 2012-06-14 13:06:53 CEST

Component: RPM Packages => Security

Comment 1 Dave Hodgins 2012-06-23 00:47:44 CEST 
Given the security risk is considered high, I think we should go
ahead and validate this update, even though no testers have come
forward.  I have confirmed that the packages install cleanly and
the kernel module compiles ok, on my i586 system.

CC: (none) => davidwhodgins

Comment 2 Dave Hodgins 2012-06-26 23:47:44 CEST 
Validating the update.

Could someone from the sysadmin team push the srpm
nvidia-96xx-96.43.20-1.2.mga1
from Mageia 1 Nonfree Updates Testing to Nonfree Updates.

Advisory: A security vulnerability has been found in the NVIDIA proprietary
driver which allows any process to reconfigure the GPU and gain access to
arbitrary system memory (CVE-2012-0946). This vulnerability has been
classified as high risk by NVIDIA.

This update for the legacy nvidia-96xx driver addresses the issue.

References:
http://nvidia.custhelp.com/app/answers/detail/a_id/3109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0946

https://bugs.mageia.org/show_bug.cgi?id=5355

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 3 Thomas Backlund 2012-06-27 17:44:31 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0132

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED