845063 – (CVE-2022-28181, CVE-2022-28183, CVE-2022-28184, CVE-2022-28185) <x11-drivers/nvidia-drivers-{390.151:0/390,470.129.06:0/470,510.73.05:0/510}: multiple vulnerabilities (CVE-2022-{28181,28183,28184,28185})

Bug 845063 (CVE-2022-28181, CVE-2022-28183, CVE-2022-28184, CVE-2022-28185) - <x11-drivers/nvidia-drivers-{390.151:0/390,470.129.06:0/470,510.73.05:0/510}: multiple vulnerabilities (CVE-2022-{28181,28183,28184,28185})

Summary: <x11-drivers/nvidia-drivers-{390.151:0/390,470.129.06:0/470,510.73.05:0/510}:...

Status:	RESOLVED FIXED

Alias:	CVE-2022-28181, CVE-2022-28183, CVE-2022-28184, CVE-2022-28185

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major
Assignee:	Gentoo Security

URL:	https://nvidia.custhelp.com/app/answe...
Whiteboard:	A1 [glsa+]
Keywords:

Depends on:
Blocks:

Reported:	2022-05-16 18:41 UTC by Ionen Wolkens
Modified:	2023-10-03 12:49 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ionen Wolkens gentoo-dev

2022-05-16 18:41:49 UTC

CVE-2022-28181:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components.

CVE-2022-28183:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause an out-of-bounds read, which may lead to denial of service and information disclosure.

CVE-2022-28184:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can access administrator- privileged registers, which may lead to denial of service, information disclosure, and data tampering.

CVE-2022-28185:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the ECC layer, where an unprivileged regular user can cause an out-of-bounds write, which may lead to denial of service and data tampering.

CVE-2022-{28191,28192} omitted given vGPU software is not provided in Gentoo

Bumps already in-tree, will stabilize 390.151 and 470.129.06 in ~10 days.

Comment 1 John Helmert III archtester

2022-05-17 14:38:47 UTC

Thanks ionen! Sorry for the delay in handling

Comment 2 Larry the Git Cow gentoo-dev

2022-05-26 06:07:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3754b69f2626387585d56a278ac015d1cd507484

commit 3754b69f2626387585d56a278ac015d1cd507484
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-05-26 04:38:53 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-05-26 06:06:02 +0000

    x11-drivers/nvidia-drivers: drop vuln 390.147, 470.103.01, 510.68.02
    
    Bug: https://bugs.gentoo.org/845063
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/Manifest                |  15 -
 .../nvidia-drivers/nvidia-drivers-390.147.ebuild   | 424 -------------------
 .../nvidia-drivers-470.103.01.ebuild               | 447 --------------------
 .../nvidia-drivers/nvidia-drivers-510.68.02.ebuild | 458 ---------------------
 4 files changed, 1344 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52f6e0c523603935fc186e24555e42fe63448b00

commit 52f6e0c523603935fc186e24555e42fe63448b00
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-05-26 04:38:22 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-05-26 06:06:02 +0000

    x11-drivers/nvidia-drivers: stabilize 470.129.06 for amd64
    
    Bug: https://bugs.gentoo.org/845063
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/nvidia-drivers-470.129.06.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f758b3f99a201045a90c81ecc16914950532c5f7

commit f758b3f99a201045a90c81ecc16914950532c5f7
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-05-26 04:38:07 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-05-26 06:06:01 +0000

    x11-drivers/nvidia-drivers: stabilize 390.151 for amd64, x86
    
    Bug: https://bugs.gentoo.org/845063
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/nvidia-drivers-390.151.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 3 John Helmert III archtester

2022-05-29 01:22:30 UTC

Thanks!

Comment 4 John Helmert III archtester

2023-05-31 04:17:24 UTC

GLSA request filed

Comment 5 Larry the Git Cow gentoo-dev

2023-10-03 12:47:20 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e0200868c5e75eb57e7355dc8786db0f79271aa3

commit e0200868c5e75eb57e7355dc8786db0f79271aa3
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-03 12:45:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-03 12:47:03 +0000

    [ GLSA 202310-02 ] NVIDIA Drivers: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/764512
    Bug: https://bugs.gentoo.org/784596
    Bug: https://bugs.gentoo.org/803389
    Bug: https://bugs.gentoo.org/832867
    Bug: https://bugs.gentoo.org/845063
    Bug: https://bugs.gentoo.org/866527
    Bug: https://bugs.gentoo.org/881341
    Bug: https://bugs.gentoo.org/884045
    Bug: https://bugs.gentoo.org/903614
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-02.xml | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)