Late filing given I missed it (looked around August 2 while bumping but it wasn't up yet). Fixed versions are already stabled and vulnerable ones have been dropped either way (may or may not be fixed in yesterday's vulkan branch 515.49.14:0/vulkan, but that's permanently masked with a security warning either way).

CVE-2022-31607: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where a local user with basic capabilities can cause improper input validation, which may lead to denial of service, escalation of privileges, data tampering, and limited information disclosure.

CVE-2022-31608: NVIDIA GPU Display Driver for Linux contains a vulnerability in an optional D-Bus configuration file, where a local user with basic capabilities can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

About ^ for Gentoo: Like a few other distros, that dbus file was non-optional and installed to /usr/share/dbus-1/system.d for versions between 510.39.01 and 510.73.05 (was also in 515.43.07 but that version was never keyworded), but was later moved to /usr/share/doc over potential concerns (which in part became this CVE), so 510.73.05-r1 and all keyworded 515.xx were not affected unless users copied it themselves. Was reinstated as a default in the current fixed versions.

CVE-2022-31615: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service.
> may or may not be fixed in yesterday's vulkan branch 515.49.14:0/vulkan,
> but that's permanently masked with a security warning either way

Well, given I can look at that one, can confirm at least the dbus file has been fixed since the earlier 515.49.10:0/vulkan
Thank you for filing!
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e0200868c5e75eb57e7355dc8786db0f79271aa3

commit e0200868c5e75eb57e7355dc8786db0f79271aa3
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-03 12:45:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-03 12:47:03 +0000

    [ GLSA 202310-02 ] NVIDIA Drivers: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/764512
    Bug: https://bugs.gentoo.org/784596
    Bug: https://bugs.gentoo.org/803389
    Bug: https://bugs.gentoo.org/832867
    Bug: https://bugs.gentoo.org/845063
    Bug: https://bugs.gentoo.org/866527
    Bug: https://bugs.gentoo.org/881341
    Bug: https://bugs.gentoo.org/884045
    Bug: https://bugs.gentoo.org/903614
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-02.xml | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)