Advisory: ==================== A security vulnerability has been found in the NVIDIA proprietary driver which allows any process to reconfigure the GPU and gain access to arbitrary system memory (CVE-2012-0946). This vulnerability has been classified as high risk by NVIDIA. This update for the nvidia-current driver addresses the issue. The CUDA debugger (cuda-gdb) of the NVIDIA CUDA Toolkit will stop functioning after this update. If you need to use the CUDA debugger, you are suggested to install the 295.40 version of the NVIDIA proprietary driver by following the instructions at https://bugs.mageia.org/show_bug.cgi?id=5392#c1 . If you do not use the CUDA debugger, no action is necessary beyond installing this security update (275.09.07-1.1.mga1). References: http://nvidia.custhelp.com/app/answers/detail/a_id/3109 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0946 ==================== The following packages have been uploaded to mga1 nonfree/updates_testing: dkms-nvidia-current-275.09.07-1.1.mga1 nvidia-current-cuda-opencl-275.09.07-1.1.mga1 nvidia-current-devel-275.09.07-1.1.mga1 nvidia-current-doc-html-275.09.07-1.1.mga1 x11-driver-video-nvidia-current-275.09.07-1.1.mga1 Source package: nvidia-current-275.09.07-1.1.mga1 No testcase for the vulnerability is available.
Created attachment 1984 [details] Script for generating packages of the NVIDIA driver =================== Instructions for updating to NVIDIA proprietary driver 295.40 for users that need to use the CUDA debugger (cuda-gdb) =================== Download to the same directory the nvidia-mgabuild.sh script attached to this bug report and the NVIDIA proprietary driver for your architecture: ftp://download.nvidia.com/XFree86/Linux-x86/295.40/NVIDIA-Linux-x86-295.40.run ftp://download.nvidia.com/XFree86/Linux-x86_64/295.40/NVIDIA-Linux-x86_64-295.40.run Then run this command: sh nvidia-mgabuild.sh NVIDIA-Linux-file-name.run The command will generate updated NVIDIA driver packages to the current directory, which you can then install with the "urpmi" command.
The URL in the advisory should be https://bugs.mageia.org/show_bug.cgi?id=5393#c1 , please change it when submitting/validating.
Testing complete for the srpm nvidia-current-275.09.07-1.1.mga1 on Mageia release 1 (Official) for x86_64 ,for me it's good and works fine.Nothing to report. x11-driver-video-nvidia-current-275.09.07-1.1.mga1.nonfree dkms-nvidia-current-275.09.07-1.1.mga1.nonfree nvidia-current-doc-html-275.09.07-1.1.mga1.nonfree -Install ,Ok -In console :# nvidia-xconfig ,Ok -Reboot ,Ok -Use nvidia-settings ,Ok -Use of 3D effects with Kwin ,Ok My graphics card nvidia is a: G72M [Quadro NVS 110M/GeForce Go 7300]
CC: (none) => geiger.david68210
Tested ok x86_64 also with 8500GT. I don't know how we will test other versions of this, perhaps a message to dev or discuss ML. As this disables cuda-gdb it would probably be worth adding the info in a readme.urpmi which displays when it is upgraded as the advisory info is not displayed anywhere other than the updates ML.
Given that we are short of testers with the required hardware and that this is actually a security update, I think we should push these. There are bug 5354 and bug bug 5355 also. Both this one and bug 5354 have been tested with one architecture but we haven't found anybody with the hardware to test 5355. Any objections to doing so?
A broken video driver would be catastrophic for a newbie. I've posted a request for testers to the general discussion list.
CC: (none) => davidwhodgins
I thought we'd already tried that. My bad.
Working fine on x86_64 with a GeForce 7600 GS, using dkms for kernel module.
CC: (none) => r.h.michel+mageia
I have a GForce GT430. 86-32. Works fine.
CC: (none) => gmontalbine
Component: RPM Packages => Security
working fine on i586 with : Card:NVIDIA GeForce 6100 to GeForce 360: nVidia Corporation|G96 [GeForce 9600M GT] [DISPLAY_VGA] (rev: a1)
CC: (none) => stormi
As we've now had some testing on both architectures, I'll go ahead and validate this update. Could someone from the sysadmin team push the srpm nvidia-current-275.09.07-1.1.mga1 from Mageia 1 Nonfree Updates Testing to Nonfree Updates. Advisory: ==================== A security vulnerability has been found in the NVIDIA proprietary driver which allows any process to reconfigure the GPU and gain access to arbitrary system memory (CVE-2012-0946). This vulnerability has been classified as high risk by NVIDIA. This update for the nvidia-current driver addresses the issue. The CUDA debugger (cuda-gdb) of the NVIDIA CUDA Toolkit will stop functioning after this update. If you need to use the CUDA debugger, you are suggested to install the 295.40 version of the NVIDIA proprietary driver by following the instructions at https://bugs.mageia.org/show_bug.cgi?id=5392#c1 . If you do not use the CUDA debugger, no action is necessary beyond installing this security update (275.09.07-1.1.mga1). For users that need to use the CUDA debugger (cuda-gdb) see https://bugs.mageia.org/show_bug.cgi?id=5393#c1 References: http://nvidia.custhelp.com/app/answers/detail/a_id/3109 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0946 https://bugs.mageia.org/show_bug.cgi?id=5393
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: (none) => mga1-32-OK, mga1-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0125
Status: ASSIGNED => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED