Bug 845063 (CVE-2022-28181, CVE-2022-28183, CVE-2022-28184, CVE-2022-28185) - <x11-drivers/nvidia-drivers-{390.151:0/390,470.129.06:0/470,510.73.05:0/510}: multiple vulnerabilities (CVE-2022-{28181,28183,28184,28185})
Summary: <x11-drivers/nvidia-drivers-{390.151:0/390,470.129.06:0/470,510.73.05:0/510}:...
Status: RESOLVED FIXED
Alias: CVE-2022-28181, CVE-2022-28183, CVE-2022-28184, CVE-2022-28185
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://nvidia.custhelp.com/app/answe...
Whiteboard: A1 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-16 18:41 UTC by Ionen Wolkens
Modified: 2023-10-03 12:49 UTC

See Also:
Package list:
Runtime testing required: ---


Description Ionen Wolkens gentoo-dev 2022-05-16 18:41:49 UTC
CVE-2022-28181:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components.

CVE-2022-28183:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause an out-of-bounds read, which may lead to denial of service and information disclosure.

CVE-2022-28184:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can access administrator-privileged registers, which may lead to denial of service, information disclosure, and data tampering.

CVE-2022-28185:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the ECC layer, where an unprivileged regular user can cause an out-of-bounds write, which may lead to denial of service and data tampering.

CVE-2022-{28191,28192} omitted given vGPU software is not provided in Gentoo

Bumps already in-tree, will stabilize 390.151 and 470.129.06 in ~10 days.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-17 14:38:47 UTC
Thanks ionen! Sorry for the delay in handling
Comment 2 Larry the Git Cow gentoo-dev 2022-05-26 06:07:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3754b69f2626387585d56a278ac015d1cd507484

commit 3754b69f2626387585d56a278ac015d1cd507484
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-05-26 04:38:53 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-05-26 06:06:02 +0000

    x11-drivers/nvidia-drivers: drop vuln 390.147, 470.103.01, 510.68.02
    
    Bug: https://bugs.gentoo.org/845063
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/Manifest                |  15 -
 .../nvidia-drivers/nvidia-drivers-390.147.ebuild   | 424 -------------------
 .../nvidia-drivers-470.103.01.ebuild               | 447 --------------------
 .../nvidia-drivers/nvidia-drivers-510.68.02.ebuild | 458 ---------------------
 4 files changed, 1344 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52f6e0c523603935fc186e24555e42fe63448b00

commit 52f6e0c523603935fc186e24555e42fe63448b00
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-05-26 04:38:22 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-05-26 06:06:02 +0000

    x11-drivers/nvidia-drivers: stabilize 470.129.06 for amd64
    
    Bug: https://bugs.gentoo.org/845063
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/nvidia-drivers-470.129.06.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f758b3f99a201045a90c81ecc16914950532c5f7

commit f758b3f99a201045a90c81ecc16914950532c5f7
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-05-26 04:38:07 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-05-26 06:06:01 +0000

    x11-drivers/nvidia-drivers: stabilize 390.151 for amd64, x86
    
    Bug: https://bugs.gentoo.org/845063
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/nvidia-drivers-390.151.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-29 01:22:30 UTC
Thanks!
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-31 04:17:24 UTC
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2023-10-03 12:47:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e0200868c5e75eb57e7355dc8786db0f79271aa3

commit e0200868c5e75eb57e7355dc8786db0f79271aa3
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-03 12:45:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-03 12:47:03 +0000

    [ GLSA 202310-02 ] NVIDIA Drivers: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/764512
    Bug: https://bugs.gentoo.org/784596
    Bug: https://bugs.gentoo.org/803389
    Bug: https://bugs.gentoo.org/832867
    Bug: https://bugs.gentoo.org/845063
    Bug: https://bugs.gentoo.org/866527
    Bug: https://bugs.gentoo.org/881341
    Bug: https://bugs.gentoo.org/884045
    Bug: https://bugs.gentoo.org/903614
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-02.xml | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)
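
The following added example, which is not part of the bug report or of Gentoo's tooling, classifies installed x11-drivers/nvidia-drivers versions against the per-slot fixed versions given in this bug's summary (390.151, 470.129.06, 510.73.05). The sample package lines are constructed, and the comparison is a plain numeric one that stands in for Portage's own version logic.

```python
import re

# Fixed versions per driver branch (slot), copied from this bug's summary.
FIXED = {"390": "390.151", "470": "470.129.06", "510": "510.73.05"}

# category/package-version, with an optional Gentoo revision suffix (-rN).
CPV_RE = re.compile(r"^(?:x11-drivers/)?nvidia-drivers-(\d+(?:\.\d+)+)(?:-r\d+)?$")


def version_key(version):
    """Split '470.129.06' into (470, 129, 6) for numeric comparison.

    Assumption: plain integer comparison per component, which is enough
    for NVIDIA's numbering; it is not Portage's full version algorithm.
    """
    return tuple(int(part) for part in version.split("."))


def classify(cpv):
    """Return 'vulnerable', 'fixed', 'branch-not-covered' or 'unparsed'."""
    match = CPV_RE.match(cpv.strip())
    if match is None:
        return "unparsed"
    version = match.group(1)
    fixed = FIXED.get(version.split(".")[0])
    if fixed is None:
        # The bug only states thresholds for the 390, 470 and 510 slots.
        return "branch-not-covered"
    return "vulnerable" if version_key(version) < version_key(fixed) else "fixed"


def audit(lines):
    """Map each non-empty input line to its classification."""
    return {line.strip(): classify(line) for line in lines if line.strip()}


# Constructed sample input in category/package-version form.
SAMPLE = """\
x11-drivers/nvidia-drivers-390.147
x11-drivers/nvidia-drivers-470.129.06
x11-drivers/nvidia-drivers-510.68.02-r1
x11-drivers/nvidia-drivers-515.48.07
""".splitlines()

if __name__ == "__main__":
    for cpv, status in audit(SAMPLE).items():
        print(f"{status:20} {cpv}")
```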