
Bug 151635

Summary: x11-drivers/nvidia-drivers: Nvidia binary driver local root privilege escalation (CVE-2006-5379)
Product: Gentoo Security
Reporter: Vinícius Dias dos Santos <vininim>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: bugreports, hkbst, madman2003, masterdriverz, p.bouvard, polynomial-c, rich0, sgtphou, wblew, x11-drivers
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.rapid7.com/advisories/R7-0025.jsp
Whiteboard: B1 [glsa] Falco
Package list:
Runtime testing required: ---
Attachments:
Description Flags
emerge --info none

Description Vinícius Dias dos Santos 2006-10-16 14:00:30 UTC
Already disclosed to the public; it's described here:
http://www.rapid7.com/advisories/R7-0025.jsp
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-16 14:09:23 UTC
Thanks
(to be confirmed)
Comment 2 Chris Gianelloni (RETIRED) gentoo-dev 2006-10-16 15:09:47 UTC
It looks like the problems are fixed in the 962* drivers, but those are beta and are not 100% stable yet.  Waiting for an official patch/release to resolve this from UPSTREAM.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-16 15:38:46 UTC
OK, I'll leave this bug in [upstream] status.
Comment 4 Chris Gianelloni (RETIRED) gentoo-dev 2006-10-17 06:11:30 UTC
http://www.nvnews.net/vbulletin/showthread.php?t=78322

So what's the best course of action here?

http://download.nvidia.com/XFree86/Linux-x86/1.0-7184/README/readme.txt

The 7184 nvidia-legacy-drivers are *not* vulnerable *by default* but someone could manually enable RenderAccel.  The 8774 nvidia-drivers *are* vulnerable, but there is a workaround, since I do not feel comfortable asking for beta drivers to be marked stable.
Comment 5 Andy Botting 2006-10-17 16:26:44 UTC
Shouldn't an entry of the GLSA be done already for this?
Comment 6 William Blew 2006-10-17 22:56:08 UTC
(In reply to comment #0)
> Already disclosed to the public; it's described here:
> http://www.rapid7.com/advisories/R7-0025.jsp

There is an nVidia response for the 8*** drivers here: http://www.nvnews.net/vbulletin/showthread.php?t=78322

It's reproduced below:
> Disabling RenderAccel:
> Option "RenderAccel" "False"
> will serve as a workaround for those who are not comfortable with running a
> 1.0-962x driver.
>
> As noted above, both 1.0-9625 & 1.0-9626 already have this vulnerability fixed.
>
> Thanks,
> Lonni
Comment 7 Marijn Schouten (RETIRED) gentoo-dev 2006-10-18 04:14:46 UTC
This option is to be put in the Device section(s), I gather.
Comment 8 Chris Gianelloni (RETIRED) gentoo-dev 2006-10-18 15:10:48 UTC
Yes.
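
Added example, not part of the bug report or of any Gentoo or NVIDIA tooling: a small audit that parses an xorg.conf and lists the Device sections using Driver "nvidia" where the RenderAccel workaround from comments 6 to 8 is not in place. The function name and the sample configuration are constructed for illustration, and it assumes an absent option means RenderAccel is active, as comment 4 describes for the 8774 drivers.

```python
import re

FALSE_VALUES = {"0", "off", "false", "no"}  # Xorg spellings of boolean false

def nvidia_devices_needing_workaround(conf_text):
    """Return identifiers of Device sections with Driver "nvidia" that do not
    explicitly disable RenderAccel. Comments (#...) are dropped before parsing."""
    flagged, in_device = [], False
    ident, driver, disabled = "(unnamed)", None, False
    for raw in conf_text.splitlines():
        tokens = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', raw.split("#", 1)[0])]
        if not tokens:
            continue
        key, args = tokens[0].lower(), tokens[1:]
        if key == "section":
            in_device = bool(args) and args[0].lower() == "device"
            ident, driver, disabled = "(unnamed)", None, False
        elif key == "endsection":
            if in_device and driver == "nvidia" and not disabled:
                flagged.append(ident)
            in_device = False
        elif not in_device or not args:
            continue
        elif key == "identifier":
            ident = args[0]
        elif key == "driver":
            driver = args[0]
        elif key == "option":
            # Option names ignore case, spaces and underscores; no value means true.
            name = re.sub(r"[\s_]", "", args[0]).lower()
            value = args[1].lower() if len(args) > 1 else "true"
            if name == "renderaccel":
                disabled = value in FALSE_VALUES
            elif name == "norenderaccel":
                disabled = value not in FALSE_VALUES
    return flagged

SAMPLE_XORG_CONF = '''# Constructed sample, not taken from the bug report.
Section "Device"
    Identifier "Card0"
    Driver     "nvidia"
EndSection
Section "Device"
    Identifier "Card1"
    Driver     "nvidia"
    Option     "RenderAccel" "False"
EndSection
'''
if __name__ == "__main__":
    print(nvidia_devices_needing_workaround(SAMPLE_XORG_CONF))
```

In the sample, Card0 is reported and Card1 is not. Once the fixed driver (1.0.8776, per comment 10) is installed, the option is no longer needed as a workaround.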
Comment 9 Vinícius Dias dos Santos 2006-10-19 10:04:59 UTC
They released a driver with a fix for the issue in:
http://www.nvidia.com/object/unix.html

I suggest masking the vulnerable drivers as soon as an ebuild for the new release is
working.
Comment 10 Chris Gianelloni (RETIRED) gentoo-dev 2006-10-20 06:15:38 UTC
OK, 1.0.8776 is now in the tree.  This solves the problem for nvidia-drivers.  If nvidia-legacy-drivers is vulnerable, it isn't vulnerable in the default configuration, and RenderAccel isn't stable in those drivers.

Please mark nvidia-drivers-1.0.8776 stable on amd64/x86.
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2006-10-20 08:27:06 UTC
Created attachment 100092 [details]
emerge --info
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2006-10-20 08:29:00 UTC
- nvidia-drivers-1.0.8776 emerges fine on amd64
- passes collision-test
- passes multilib-strict
- works fine for me


'emerge --info' see attachment.
Comment 13 Patrice Bouvard 2006-10-21 15:17:33 UTC
(In reply to comment #5)
> Shouldn't an entry of the GLSA be done already for this?
> 

I agree, the GLSA is still missing.
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2006-10-21 23:32:25 UTC
(In reply to comment #13)
> (In reply to comment #5)
> > Shouldn't an entry of the GLSA be done already for this?
> > 
> 
> I agree, the GLSA is still missing.


 Because x86 still needs to go stable.  I have no hardware to test the driver, so ping to x86 team.

Comment 15 Markus Meier gentoo-dev 2006-10-22 05:41:37 UTC
1. emerges on x86
2. passes collision test
3. works

Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17.13 i686)
=================================================================
System uname: 2.6.17.13 i686 AMD Athlon(TM) XP1800+
Gentoo Base System version 1.12.5
Last Sync: Sun, 22 Oct 2006 09:50:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac acpi alsa apache2 bash-completion berkdb bitmap-fonts bzip2 cairo cdr cli cracklib crypt css cups dbus divx4linux dlloader dri dts dvd dvdr dvdread elibc_glibc emboss exif fam ffmpeg firefox font-server fortran gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libclamav libg++ linguas_de linguas_en linguas_en_GB logitech-mouse mad mikmod mmx mmxext mono mozcalendar mozdevelop mozsvg mp3 mpeg ncurses network nls nptl nptlonly nvidia oav ogg opengl oss pam pcre perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl tcltk tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_none video_cards_nv vorbis win32codecs xine xinerama xml xorg xorg-x11 xprint xv xvg xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 16 Jakub Moc (RETIRED) gentoo-dev 2006-10-22 11:13:38 UTC
*** Bug 152330 has been marked as a duplicate of this bug. ***
Comment 17 Joshua Jackson (RETIRED) gentoo-dev 2006-10-23 19:30:50 UTC
x86 stable ^.^
Comment 18 Simon Stelling (RETIRED) gentoo-dev 2006-10-24 02:09:32 UTC
amd64 stable too, have fun with the glsa
Comment 19 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-07 08:36:41 UTC
Comment Required
You have to specify a comment on this change. Please explain your change.

Please press Back and try again. 
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-07 14:46:39 UTC
GLSA 200611-03

Thanks to everybody, sorry for the delay.