Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 881341 (CVE-2022-34666, CVE‑2022‑34665) - <x11-drivers/nvidia-drivers-{390.154:0/390,470.141.03:0/470,510.85.02:0/510,515.65.01:0/515}: multiple vulnerabilities
Summary: <x11-drivers/nvidia-drivers-{390.154:0/390,470.141.03:0/470,510.85.02:0/510,5...
Status: RESOLVED FIXED
Alias: CVE-2022-34666, CVE‑2022‑34665
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://nvidia.custhelp.com/app/answe...
Whiteboard: A3 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-11-14 22:25 UTC by John Helmert III
Modified: 2023-10-03 15:21 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-14 22:25:31 UTC
Details at URL. The table "CVE IDs Addressed in Each
Linux Driver Branch" only lists CVE-2022-31607, CVE-2022-31608, and
CVE-2022-31615 as addressed. Did they only address a subset of the
CVEs they've assigned?

Looks like at least some fixes are in 390.154, 470.141.03, 510.85.02,
and 515.65.01. Tree seems good, if all of the CVEs are addressed.
Comment 1 Ionen Wolkens gentoo-dev 2022-11-15 02:53:28 UTC
They're listed as fixed in the vGPU software table lower down with associated driver versions.

It's possible the fix is "in the drivers" but happened only when using virtual gpus in VMs. We don't package vGPU software, but guess no guarantee we're not affected if it's drivers.

Doesn't mention 390 but 390 is unusable for this afaik (on that note, next time there's vulnerabilities odds are 390 will be masked w/ security notice given nvidia won't report about 390.xx anymore in 2023 with the end of support -- eventually will be due for removal when it start causing more issues).
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-31 04:17:11 UTC
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2023-10-03 12:47:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e0200868c5e75eb57e7355dc8786db0f79271aa3

commit e0200868c5e75eb57e7355dc8786db0f79271aa3
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-03 12:45:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-03 12:47:03 +0000

    [ GLSA 202310-02 ] NVIDIA Drivers: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/764512
    Bug: https://bugs.gentoo.org/784596
    Bug: https://bugs.gentoo.org/803389
    Bug: https://bugs.gentoo.org/832867
    Bug: https://bugs.gentoo.org/845063
    Bug: https://bugs.gentoo.org/866527
    Bug: https://bugs.gentoo.org/881341
    Bug: https://bugs.gentoo.org/884045
    Bug: https://bugs.gentoo.org/903614
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-02.xml | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)