>=x11-drivers/nvidia-drivers-195.x && <x11-drivers/nvidia-drivers-295.40 are affected by CVE-2012-0946. We mitigate this somewhat by not using NVIDIA's default permissions of 666 but instead using 660 for root:video.
NVIDIA's response and info: http://nvidia.custhelp.com/app/answers/detail/a_id/3109
Fixed ebuild is committed to the tree.
amd64 & x86: please stabilize
amd64 stable
x86 stable, all arches done.
Thanks, everyone. GLSA vote: yes.
Please revert: http://www.nvnews.net/vbulletin/showthread.php?p=2546510#post2546510 In short, graphical corruption, performance issues, crashes and temporary hangs in some cards.
(In reply to comment #7)
> Please revert:
> http://www.nvnews.net/vbulletin/showthread.php?p=2546510#post2546510
>
> In short, graphical corruption, performance issues, crashes and temporary
> hangs in some cards.
Please open a new bug if you have issues with the updated drivers. This bug is regarding the fix of a specific security issue. GLSA vote: yes. Creating new GLSA request.
(In reply to comment #7)
> Please revert:
> http://www.nvnews.net/vbulletin/showthread.php?p=2546510#post2546510
>
> In short, graphical corruption, performance issues, crashes and temporary
> hangs in some cards.
We do not hold back releases that affect a minority of card users. The NVIDIA drivers are binary only and as such are a best effort. I always recommend people find a release that works well for them on their cards and stick with that release until they have a reason to move forward, especially if you're a user of older cards which are less tested or supported. The issues you're complaining about affect G80 GPUs and lower, which include GeForce 6 and GeForce 7 and the initial GeForce 8800GTX cards. That being said, before people are upset that users of G80 GPUs and older won't have a security fix: this bug affects Gentoo users less than it does other distros. Other distros have had their NVIDIA device nodes set to 666, while Gentoo has always used 660, so it would have required the user to give another user account access to the device node before the attack could have worked.
CVE-2012-0946 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0946): The NVIDIA UNIX driver before 295.40 allows local users to access arbitrary memory locations by leveraging GPU device-node read/write privileges.
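The 666 versus 660 difference discussed above can be checked on a running system. The following is an added example, not part of this bug thread or of Gentoo's ebuild; the function name `audit_nvidia_nodes` is hypothetical, and it assumes the device nodes match `/dev/nvidia*` and that `stat -c` (GNU coreutils or busybox) is available.

```shell
#!/bin/sh
# Added example: report whether NVIDIA device nodes are world-accessible,
# the precondition CVE-2012-0946 needs on an unpatched driver.
#
# Usage:  audit_nvidia_nodes [DIR]      (DIR defaults to /dev)
# Output: one line per node:
#         <EXPOSED|RESTRICTED> <path> mode=<octal> owner=<user>:<group>
# Return: 0 = no node is world-accessible
#         1 = at least one node is readable or writable by "other"
#         2 = no matching nodes found (driver not loaded, or wrong DIR)
audit_nvidia_nodes() (
    dir=${1:-/dev}
    found=0
    exposed=0
    for node in "$dir"/nvidia*; do
        [ -e "$node" ] || continue    # glob matched nothing
        [ -d "$node" ] && continue    # skip subdirectories
        found=1
        mode=$(stat -c '%a' "$node")        # e.g. 666 or 660
        owner=$(stat -c '%U:%G' "$node")    # e.g. root:video
        other=$((mode % 10))                # last octal digit = "other" bits
        if [ $((other & 6)) -ne 0 ]; then   # 4 = read, 2 = write
            verdict=EXPOSED
            exposed=1
        else
            verdict=RESTRICTED
        fi
        printf '%s %s mode=%s owner=%s\n' "$verdict" "$node" "$mode" "$owner"
    done
    [ "$found" -eq 1 ] || return 2
    return "$exposed"
)

# Example call on a live system:
#   audit_nvidia_nodes /dev
```

A RESTRICTED result still leaves the node open to every member of the owning group, so review that group's membership (for example with `getent group video`) as well.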
Is this regression the same one mentioned in the release notes for nvidia drivers 295.49? (in regards to comment #7)
security team, GLSA is out and all old versions are out of the tree. What's left?
This issue was resolved and addressed in GLSA 201206-19 at http://security.gentoo.org/glsa/glsa-201206-19.xml by GLSA coordinator Sean Amoss (ackle).