Bug 903614 (CVE-2023-0180, CVE-2023-0181, CVE-2023-0183, CVE-2023-0184, CVE-2023-0185, CVE-2023-0187, CVE-2023-0188, CVE-2023-0189, CVE-2023-0190, CVE-2023-0191, CVE-2023-0194, CVE-2023-0195, CVE-2023-0198, CVE-2023-0199) - <x11-drivers/nvidia-drivers-{470.182.03:0/470,515.105.01:0/515,525.105.17:0/525,530.41.03:0/530}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-0180, CVE-2023-0181, CVE-2023-0183, CVE-2023-0184, CVE-2023-0185, CVE-2023-0187, CVE-2023-0188, CVE-2023-0189, CVE-2023-0190, CVE-2023-0191, CVE-2023-0194, CVE-2023-0195, CVE-2023-0198, CVE-2023-0199
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://nvidia.custhelp.com/app/answe...
Whiteboard: A1 [glsa+]
Reported: 2023-03-31 00:26 UTC by Ionen Wolkens
Modified: 2023-10-03 12:50 UTC
Description Ionen Wolkens gentoo-dev 2023-03-31 00:26:36 UTC
nvidia-drivers:0/390 is not listed but most likely affected; it has reached EOL and NVIDIA is no longer listing/tracking it. It'll be kept in tree (for old hardware to use) but is now masked with a security notice like the 0/vulkan branch.

FWIW, the only 0/530 that was affected was never keyworded and was dropped a while ago.

Fixed versions are already in tree, waiting on 3x stable + cleanup.

CVE-2023-0180:
NVIDIA GPU Display Driver for Linux contains a vulnerability in a kernel mode layer handler, which may lead to denial of service or information disclosure.

CVE-2023-0181:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in a kernel mode layer handler, where memory permissions are not correctly checked, which may lead to denial of service and data tampering.

CVE-2023-0184:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, which may lead to denial of service, escalation of privileges, information disclosure, and data tampering.

CVE-2023-0183:
NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer where an out-of-bounds write can lead to denial of service and data tampering.

CVE-2023-0185:
NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where sign conversion issues may lead to denial of service or information disclosure.

CVE-2023-0187:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read can lead to denial of service.

CVE-2023-0188:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged user can cause an out-of-bounds read, which may lead to denial of service.

CVE-2023-0189:
NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

CVE-2023-0190:
NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where a NULL pointer dereference may lead to denial of service.

CVE-2023-0191:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds access may lead to denial of service or data tampering.

CVE-2023-0194:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer driver, where an invalid display configuration may lead to denial of service.

CVE-2023-0195:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer driver, where an invalid display configuration may lead to information disclosure.

CVE-2023-0198:
NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where improper restriction of operations within the bounds of a memory buffer can lead to denial of service, information disclosure, and data tampering.

CVE-2023-0199:
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds write can lead to denial of service and data tampering.
Comment 1 Larry the Git Cow gentoo-dev 2023-04-05 13:25:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a8a8578822f99f0a63da6c06c9bce4b1c36a756

commit 1a8a8578822f99f0a63da6c06c9bce4b1c36a756
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-04-05 12:44:09 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-04-05 13:22:29 +0000

    x11-drivers/nvidia-drivers: drop 470.161.03, 515.86.01, 525.89.02
    
    Clears up all vulnerable versions wrt bug #903614, not counting
    the ones that are permanently masked (so, all done tree-wise).
    
    Bug: https://bugs.gentoo.org/903614
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/Manifest                |  22 -
 .../nvidia-drivers-470.161.03.ebuild               | 576 -------------------
 .../nvidia-drivers/nvidia-drivers-515.86.01.ebuild | 633 ---------------------
 .../nvidia-drivers/nvidia-drivers-525.89.02.ebuild | 631 --------------------
 4 files changed, 1862 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d188b120bf5ace93676cfc42a37fc27148996166

commit d188b120bf5ace93676cfc42a37fc27148996166
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-04-05 12:43:09 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-04-05 13:21:53 +0000

    x11-drivers/nvidia-drivers: stabilize 525.105.17 for amd64
    
    Bug: https://bugs.gentoo.org/903614
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/nvidia-drivers-525.105.17.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0cbabff70d6e3925de598587f814a37f5c21a1c

commit e0cbabff70d6e3925de598587f814a37f5c21a1c
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-04-05 12:42:46 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-04-05 13:21:52 +0000

    x11-drivers/nvidia-drivers: stabilize 515.105.01 for amd64
    
    Bug: https://bugs.gentoo.org/903614
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/nvidia-drivers-515.105.01.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=629d57db807f5382494367734a16eb6a73f26e52

commit 629d57db807f5382494367734a16eb6a73f26e52
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-04-05 12:42:24 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-04-05 13:21:52 +0000

    x11-drivers/nvidia-drivers: stabilize 470.182.03 for amd64
    
    Bug: https://bugs.gentoo.org/903614
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 x11-drivers/nvidia-drivers/nvidia-drivers-470.182.03.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-30 22:56:01 UTC
Thank you!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-31 04:16:51 UTC
GLSA request filed
Comment 4 Larry the Git Cow gentoo-dev 2023-10-03 12:47:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e0200868c5e75eb57e7355dc8786db0f79271aa3

commit e0200868c5e75eb57e7355dc8786db0f79271aa3
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-03 12:45:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-03 12:47:03 +0000

    [ GLSA 202310-02 ] NVIDIA Drivers: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/764512
    Bug: https://bugs.gentoo.org/784596
    Bug: https://bugs.gentoo.org/803389
    Bug: https://bugs.gentoo.org/832867
    Bug: https://bugs.gentoo.org/845063
    Bug: https://bugs.gentoo.org/866527
    Bug: https://bugs.gentoo.org/881341
    Bug: https://bugs.gentoo.org/884045
    Bug: https://bugs.gentoo.org/903614
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-02.xml | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)