Advisory:
====================
A security vulnerability has been found in the NVIDIA proprietary driver which allows any process to reconfigure the GPU and gain access to arbitrary system memory (CVE-2012-0946). This vulnerability has been classified as high risk by NVIDIA.

This update for nvidia173 addresses the issue.

Additionally, this legacy driver is updated to the version 173.14.31, which fixes a bug that caused freezes and crashes when resizing windows in KDE 4 with desktop effects enabled.

References:
http://nvidia.custhelp.com/app/answers/detail/a_id/3109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0946
====================

The following packages have been uploaded to mga1 nonfree/updates_testing:
dkms-nvidia173-173.14.31-1.mga1
nvidia173-cuda-173.14.31-1.mga1
nvidia173-debug-173.14.31-1.mga1
nvidia173-devel-173.14.31-1.mga1
nvidia173-doc-html-173.14.31-1.mga1
x11-driver-video-nvidia173-173.14.31-1.mga1

Source package:
nvidia173-173.14.31-1.mga1

No testcase for the vulnerability is available.
I've submitted a request for testers to the general discussion list.
CC: (none) => davidwhodgins
I've installed dkms-nvidia173, nvidia173-doc-html, and x11-driver-video-nvidia173... all is well. Thanks.

OT FYI: the nouveau driver is NOT satisfactory with Geforce FX 5200 so I'm in a holding pattern with regards to putting Mageia2 into production on a couple of machines. At least I've now found official word that Nvidia _is_ working on updates for xserver 1.11 and/or 1.12.

see:
http://lists.x.org/archives/xorg-devel/2011-August/024752.html
-and-
http://www.nvnews.net/vbulletin/showthread.php?s=900d698df351f68a2d9dbe12f99d35f5&t=179489&page=2
CC: (none) => inetcustomer-mageia
(In reply to comment #2)
> I've installed dkms-nvidia173, nvidia173-doc-html, and
> x11-driver-video-nvidia173... all is well. Thanks.

Is that on a 32 bit or 64 bit installation?
32
Component: RPM Packages => Security
Given the security risk is considered high, I think we should go ahead and validate this update, even though we only have one arch validated. Any objections?
Validating the update.

Could someone from the sysadmin team push the srpm nvidia173-173.14.31-1.mga1 from Mageia 1 Nonfree Updates Testing to Nonfree Updates.

Advisory:
A security vulnerability has been found in the NVIDIA proprietary driver which allows any process to reconfigure the GPU and gain access to arbitrary system memory (CVE-2012-0946). This vulnerability has been classified as high risk by NVIDIA.

This update for nvidia173 addresses the issue.

Additionally, this legacy driver is updated to the version 173.14.31, which fixes a bug that caused freezes and crashes when resizing windows in KDE 4 with desktop effects enabled.

References:
http://nvidia.custhelp.com/app/answers/detail/a_id/3109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0946
https://bugs.mageia.org/show_bug.cgi?id=5354
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0131
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED