Week late report from Feb 1 (missed these given only checked CVEs on Jan 31 when nvidia-drivers-470.103.01 released with no mentions of this). CVE‑2022‑21813: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service. CVE‑2022‑21814: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver package, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service. (same?) This is likely limited to trusted users also in "video" group, which sounds trivial. From 0/470 branch, <470.103.01 is affected (in-tree since Jan 31) From 0/510 branch, <510.47.03 is affected (in-tree since Feb 1) Security bulletin makes no note of 390 and 460 branches which may or may not be affected (460 will not be kept for that much longer either way as it'll block cleanup of old Xorg, currently kept due to ongoing regressions with backlight controls -- nvidia still supports 390 and so "should" have updated if it was affected). 470.62.22:0/vulkan may be affected but is masked and intended only for people understanding that this version can be buggy/insecure (it is for vulkan software developers). Stabilization for 470.103.01 coming in a little after testing + cleanup of 470.94+495.44+495.46 (510.39.01 was already removed 2 days ago, 495 is in-between 470 and 510 and most likely affected -- 495 was kept due to another regression but affected users should use 470.103.01 which is not affected by the regression).
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48948713f238a734ddc80071ddb60fa9e6d5a966 commit 48948713f238a734ddc80071ddb60fa9e6d5a966 Author: Ionen Wolkens <ionen@gentoo.org> AuthorDate: 2022-02-07 20:52:36 +0000 Commit: Ionen Wolkens <ionen@gentoo.org> CommitDate: 2022-02-07 21:11:40 +0000 x11-drivers/nvidia-drivers: drop vulnerable 470.94, 495.* Users affected by bug #830482 (with unpatched Xorg) should use stable 470.103.01 rather than vulnerable 495.44-r2. Bug: https://bugs.gentoo.org/830482 Bug: https://bugs.gentoo.org/832867 Signed-off-by: Ionen Wolkens <ionen@gentoo.org> x11-drivers/nvidia-drivers/Manifest | 21 - .../nvidia-drivers/nvidia-drivers-470.94.ebuild | 445 ------------------- .../nvidia-drivers/nvidia-drivers-495.44-r2.ebuild | 493 --------------------- .../nvidia-drivers-495.46-r10.ebuild | 462 ------------------- 4 files changed, 1421 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ff3c98c8dbc8b4a14aaf6caf8ef34b841a4d39e commit 5ff3c98c8dbc8b4a14aaf6caf8ef34b841a4d39e Author: Ionen Wolkens <ionen@gentoo.org> AuthorDate: 2022-02-07 20:52:21 +0000 Commit: Ionen Wolkens <ionen@gentoo.org> CommitDate: 2022-02-07 20:56:21 +0000 x11-drivers/nvidia-drivers: stabilize 470.103.01 for amd64 Bug: https://bugs.gentoo.org/832867 Signed-off-by: Ionen Wolkens <ionen@gentoo.org> x11-drivers/nvidia-drivers/nvidia-drivers-470.103.01.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Thanks Ionen!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6760422f09a51c212b201967a25ca8774b0d594 commit f6760422f09a51c212b201967a25ca8774b0d594 Author: Ionen Wolkens <ionen@gentoo.org> AuthorDate: 2022-03-02 09:16:27 +0000 Commit: Ionen Wolkens <ionen@gentoo.org> CommitDate: 2022-03-02 09:53:25 +0000 x11-drivers/nvidia-drivers: drop vulnerable 460.91.03-r2 460 branch was meant to be removed months ago but was kept due to known regressions affecting some users (bug #780126, bug #809482, and some other rumored issues). These regressions are not (fully) resolved but given NVIDIA no longer supports this branch, doesn't report if it's affected by vulnerabilities anymore (bug #832867, safe to say it most likely is), need patches for current stable kernel branch, and it relies on old Xorg ABI preventing future Xorg cleanups -- believe time to give it up. Users that /really/ need it are free to use a local overlay at their own risks, and may want to try IgnoreABI with xorg-21. Bug: https://bugs.gentoo.org/780126 Bug: https://bugs.gentoo.org/809482 Bug: https://bugs.gentoo.org/832867 Signed-off-by: Ionen Wolkens <ionen@gentoo.org> x11-drivers/nvidia-drivers/Manifest | 6 - .../nvidia-drivers-460.91.03-r2.ebuild | 411 --------------------- 2 files changed, 417 deletions(-)
Is 390.* affected?
(In reply to John Helmert III from comment #4) > Is 390.* affected? nvidia didn't list it as affected while the 390 branch is still officially supported (until December 2022) and they've been releasing fixed versions for 390 when vulnerabilities came up. So, as far as I'm aware, it's not.
Ok, thanks!
GLSA request filed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=e0200868c5e75eb57e7355dc8786db0f79271aa3 commit e0200868c5e75eb57e7355dc8786db0f79271aa3 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-10-03 12:45:00 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2023-10-03 12:47:03 +0000 [ GLSA 202310-02 ] NVIDIA Drivers: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/764512 Bug: https://bugs.gentoo.org/784596 Bug: https://bugs.gentoo.org/803389 Bug: https://bugs.gentoo.org/832867 Bug: https://bugs.gentoo.org/845063 Bug: https://bugs.gentoo.org/866527 Bug: https://bugs.gentoo.org/881341 Bug: https://bugs.gentoo.org/884045 Bug: https://bugs.gentoo.org/903614 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202310-02.xml | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 131 insertions(+)