Bug 532342 (CVE-2014-8298) - <x11-drivers/nvidia-drivers-{304.125,331.113,340.65,346.22}: Denial of service and arbitrary code execution through GLX indirect rendering protocol requests (CVE-2014-8298)
Status: RESOLVED FIXED
Alias: CVE-2014-8298
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://nvidia.custhelp.com/app/answer...
Whiteboard: B3 [noglsa]
Reported: 2014-12-12 08:17 UTC by Agostino Sarubbo
Modified: 2016-11-27 12:03 UTC
Description Agostino Sarubbo gentoo-dev 2014-12-12 08:17:21 UTC
http://nvidia.custhelp.com/app/answers/detail/a_id/3610
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-12 09:46:56 UTC
<x11-drivers/nvidia-drivers-304 is in package.mask now.

All versions mentioned in [URL] are stable except 346.22 which is a beta and should not go stable.
Comment 2 stream009 2014-12-13 08:23:57 UTC
Hi. The driver I'm using (version 96.43.23) got masked today.
I was aware of its vulnerability so I just unmasked it.

What I wanna ask is whether you plan to remove masked packages or not.
If you plan to remove them I need to create my own overlay.

The Nouveau open source driver doesn't support old cards well, so I need to keep using the vulnerable nvidia driver.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-17 07:06:25 UTC
(In reply to stream009 from comment #2)
> What I wanna ask is whether you plan to remove masked packages or not.

I intend to keep them for now.

> If you plan to remove them I need to create my own overlay.

You should probably do that anyway, but keep in mind that dependencies such as <x11-base/xorg-server-1.12.99:= and compatible kernel sources might start disappearing as well.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 20:39:20 UTC
CVE-2014-8298 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8298):
  The NVIDIA Linux Discrete GPU drivers before R304.125, R331.x before
  R331.113, R340.x before R340.65, R343.x before R343.36, and R346.x before
  R346.22, Linux for Tegra (L4T) driver before R21.2, and Chrome OS driver
  before R40 allows remote attackers to cause a denial of service
  (segmentation fault and X server crash) or possibly execute arbitrary code
  via a crafted GLX indirect rendering protocol request.
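
An added example, not part of the bug thread or of any Gentoo or NVIDIA tooling: a Python check that classifies a driver version against the fixed releases listed in the CVE text above. The function names and the `not-listed` result for branches the CVE text does not name are assumptions of this example.

```python
import re

# Fixed release per branch, copied from the CVE-2014-8298 text in comment 4.
FIXED = {
    304: (304, 125),
    331: (331, 113),
    340: (340, 65),
    343: (343, 36),
    346: (346, 22),
}


def parse_version(text):
    """Turn '340.58', 'R331.113' or '96.43.23-r1' into a tuple of ints."""
    m = re.fullmatch(r"[Rr]?(\d+(?:\.\d+)*)(?:-r\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised driver version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def classify(text):
    """Return 'affected', 'fixed' or 'not-listed' for one driver version."""
    ver = parse_version(text)
    branch = ver[0]
    if branch in FIXED:
        # Same branch: affected only while below that branch's fixed release.
        return "affected" if ver < FIXED[branch] else "fixed"
    if ver < FIXED[304]:
        # "before R304.125" carries no branch qualifier, so the legacy
        # 96.x and 173.x series discussed in the thread land here.
        return "affected"
    # Branch not named in the CVE text (assumption: report it, do not guess).
    return "not-listed"


if __name__ == "__main__":
    # First two versions come from comment 10; the rest are constructed samples.
    samples = ("96.43.23-r1", "173.14.39-r1", "304.125",
               "340.58", "343.35", "346.22", "319.17")
    for sample in samples:
        print(f"{sample:14} {classify(sample)}")
```
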
Comment 5 Roger 2015-01-09 02:43:10 UTC
I think the nvidia-drivers-96, etc, are still quite popular.

Also, standard Gentoo is not hardened or secured Gentoo.

It's also a well known or assumed fact binaries are an inherent security risk to begin with.  Users should have a choice to run known problem executables, as sometimes not all risks can be obliterated.

Once you mask this package from being installed, you also deter future bugs being filed against the nvidia-drivers package, hence the imminent removal of the nvidia-drivers version less than 300.  And, hard masking is not a good sign at all!

Gentoo is likely one of the last few distributions (if not the last) that still offers the nvidia-drivers-96 version alongside the required older XOrg versions for nvidia-drivers-96 to function properly.  I say let's keep it this way until my x86 laptop dies.

Not to further mention, Nouveau is still not as stable or productive as even these older NVidia binaries!
Comment 6 Chí-Thanh Christopher Nguyễn gentoo-dev 2015-02-11 10:01:58 UTC
(In reply to Jeroen Roovers from comment #3)
> > If you plan to remove them I need to create my own overlay.
> 
> You should probably do that anyway, but keep in mind that dependencies such
> as <x11-base/xorg-server-1.12.99:= and compatible kernel sources might start
> disappearing as well.

Indeed, x11 team maintains xorg-server-1.12 for now, but not indefinitely. Once the backporting of security patches (such as today's bug 539692) becomes too difficult or burdensome, we will drop this version.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-23 00:25:43 UTC
=x11-drivers/nvidia-drivers-346.22 also went stable afterwards.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-23 00:25:57 UTC
@ Security: Please vote!
Comment 9 Roger 2016-11-23 06:09:17 UTC
Although my laptop depends on nvidia-drivers-96, the laptop has been using Nouveau for the past years due to the unavailability of the nvidia-drivers-96.

One of the benefits of using Nouveau modesetting is that the virtual terminals are no longer messed up due to the proprietary NVidia drivers.  I've also switched my Kepler (GTX 670) NVidia X64 platform to Nouveau within the past few days, after I amazingly found almost all of the features working, including VDPAU acceleration.

Might want to give Nouveau a try, if you have one of these cards.

(Working on debugging a CPU spinlock with xorg-server currently though.  Everything else appears stable or at least working.)
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-23 13:34:40 UTC
@ Maintainer(s): Please remove or p.mask (with a notice indicating a security problem)

=x11-drivers/nvidia-drivers-173.14.39-r1
=x11-drivers/nvidia-drivers-96.43.23-r1
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2016-11-27 12:03:04 UTC
package.mask is good.

@maintainer(s), thanks.