Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 904943 (CVE-2023-0193, CVE-2023-25511, CVE-2023-25512, CVE-2023-25513, CVE-2023-25514)

Summary: <dev-util/nvidia-cuda-toolkit-12.1.0: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: trivial CC: ajak, sci
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
Whiteboard: ~1 [noglsa cleanup]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-24 02:40:59 UTC 
CVE-2023-25511:

NVIDIA CUDA Toolkit for Linux and Windows contains a vulnerability in cuobjdump, where a division-by-zero error may enable a user to cause a crash, which may lead to a limited denial of service.

CVE-2023-25512:

NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in cuobjdump, where an attacker may cause an out-of-bounds memory read by running cuobjdump on a malformed input file. A successful exploit of this vulnerability may lead to limited denial of service, code execution, and limited information disclosure.

CVE-2023-25513:

NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in cuobjdump, where an attacker may cause an out-of-bounds read by tricking a user into running cuobjdump on a malformed input file. A successful exploit of this vulnerability may lead to limited denial of service, code execution, and limited information disclosure.

CVE-2023-25514:

NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in cuobjdump, where an attacker may cause an out-of-bounds read by tricking a user into running cuobjdump on a malformed input file. A successful exploit of this vulnerability may lead to limited denial of service, code execution, and limited information disclosure.

Fix is "12.1 Update 1", please bump.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-25 01:40:17 UTC 
CVE-2023-0193 (https://nvidia.custhelp.com/app/answers/detail/a_id/5446):

NVIDIA CUDA Toolkit SDK contains a vulnerability in cuobjdump, where a local user running the tool against a malicious binary may cause an out-of-bounds read, which may result in a limited denial of service and limited information disclosure.

Fix is 12.1 (so should be fixed in-tree, but including here for tracking)