wheezy update of nvidia-graphics-drivers 304.xx?
Andreas Beckmann
anbe at debian.org
Tue Dec 20 00:29:38 UTC 2016
Hi,

we recently had some CVEs in the nvidia-graphics-drivers (the non-free
blob driver) that would require updating to a new upstream release:

  * New upstream legacy 304xx branch release 304.134 (2016-12-14).
    * Fixed CVE-2016-8826. (Closes: #848195)
    - Added support for X.Org xserver ABI 23 (xorg-server 1.19)
  * New upstream legacy 304xx branch release 304.132 (2016-09-26).
    * Fixed CVE-2016-7382, CVE-2016-7389. (Closes: #846331)
    - Added /var/log/dmesg to the list of paths which are searched by
      nvidia-bug-report.sh for kernel messages.
    - Fixed a bug that caused kernel panics when using the NVIDIA driver on
      v4.5 and newer Linux kernels built with CONFIG_DEBUG_VM_PGFLAGS.

In sid this driver series is available as
nvidia-graphics-drivers-legacy-304xx, and unfortunately we already had a
regression report there: #848790

For jessie, security bugs in the nonfree drivers are always handled as
no-dsa via stable-proposed-updates, but that way doesn't exist for
wheezy. How should we proceed here?

I have a package sitting in svn that could be uploaded to wheezy,
diffstat (packaging only) as follows:
README.alternatives | 2
README.source | 14
TODO | 2
bug-control.in | 3
bug-control.mk | 56
bug-script | 20
build-module-packages.sh.in | 2
changelog | 142 +
control | 250 +--
control.kmod | 4
control.models | 2
copyright | 8
detect/nvidia-195.ids | 353 ----
detect/nvidia-295.ids | 500 ------
detect/nvidia-detect.in | 82 -
libcuda1.lintian-overrides.in | 15
libcuda1.postinst.in | 2
libgl1-nvidia-glx.lintian-overrides.in | 5
libgl1-nvidia-glx.postinst.in | 2
libgl1-nvidia-glx.prerm.in | 3
libnvcuvid1.lintian-overrides | 5
libnvidia-compiler.lintian-overrides.in | 19
libnvidia-ml1.lintian-overrides | 7
libxvmcnvidia1.lintian-overrides.in | 6
module/Makefile | 179 --
module/conftest.h | 783 ----------
module/conftest.sh | 7
module/debian/control.template.in | 14
module/debian/install.template | 1
module/debian/install.template.in | 1
module/debian/lintian-overrides | 2
module/debian/patches/KERNEL_UNAME.patch | 29
module/debian/patches/avoid-ld.gold.patch | 16
module/debian/patches/build-sanity-checks.patch | 30
module/debian/patches/conditionally-include-linux_version.h.patch | 21
module/debian/patches/conftest-verbose.patch | 66
module/debian/patches/conftest-via-kbuild.patch | 40
module/debian/patches/disable-cc_version_check.patch | 14
module/debian/patches/disable-mtrr.patch | 25
module/debian/patches/disable-xen_sanity_check.patch | 15
module/debian/patches/linux3.patch | 18
module/debian/patches/modernize-conftest.patch | 121 +
module/debian/patches/not-silent.patch | 100 +
module/debian/patches/separate-makefile-kbuild.patch | 106 +
module/debian/patches/series | 5
module/debian/patches/series.in | 20
module/debian/patches/use-kbuild-compiler.patch | 24
module/debian/patches/use-kbuild-flags.patch | 22
module/debian/patches/use-nv-kernel-ARCH.o_shipped.patch | 21
module/debian/patches/use-nv-kernel.o.ARCH.patch | 18
module/debian/rules | 129 -
module/debian/rules.in | 138 +
module/patches.h | 5
nvidia-alternative.postinst.in | 8
nvidia-alternative.preinst | 3
nvidia-alternative.prerm.in | 3
nvidia-alternative.triggers.in | 2
nvidia-cuda-proxy.dirs | 1
nvidia-cuda-proxy.install | 2
nvidia-cuda-proxy.lintian-overrides | 3
nvidia-cuda-proxy.manpages | 1
nvidia-detect.install | 3
nvidia-detect.install.in | 3
nvidia-glx.README.Debian.in | 2
nvidia-kernel-dkms.dkms | 13
nvidia-kernel-dkms.dkms.in | 14
nvidia-kernel-dkms.lintian-overrides | 8
nvidia-kernel-source.README.Debian.in | 26
nvidia-libopencl1.lintian-overrides | 5
nvidia-opencl-icd.lintian-overrides.in | 9
nvidia-smi.install | 1
nvidia-smi.install.in | 1
nvidia-smi.lintian-overrides | 5
nvidia-smi.lintian-overrides.in | 8
nvidia-vdpau-driver.lintian-overrides | 3
nvidia-vdpau-driver.postinst | 2
rules | 253 +--
rules.defs | 24
xserver-xorg-video-nvidia.lintian-overrides.in | 2
xserver-xorg-video-nvidia.postinst.in | 2
80 files changed, 1409 insertions(+), 2472 deletions(-)

Since the packaging of nvidia-graphics-drivers (wheezy, jessie,
stretch, sid), nvidia-graphics-drivers-legacy-340xx (stretch, sid) and
nvidia-graphics-drivers-legacy-304xx (jessie, stretch, sid) is strongly
correlated, this contains a lot of small changes backported from jessie
and newer to wheezy. This allows comparing the packaging of the
different versions to be sure fixes haven't been ported only partially.

The bigger changes here are:
* drop backward compatibility with lenny and squeeze (EoL)
* switch from manually maintained conftest.h (that needed updates for
  each upstream release) to using upstream's conftest.sh for the kernel
  module build, including backporting corresponding module build
  infrastructure fixes
* change layout of the source package (now one .orig-$ARCH.tar.gz per
  architecture)

There are no new packages being introduced (nor old ones disappearing).

The package builds and installs fine in wheezy, the kernel module
builds for wheezy and newer kernels. Unfortunately the Debian NVIDIA
Maintainers cannot do any further testing, since we do not have NVIDIA
GPUs requiring that legacy driver version.

As a followup an upgrade of the precompiled kernel modules in
nvidia-graphics-modules will be needed, therefore I would use
the version number 304.134-1 for the upload to avoid version number
string explosion in nvidia-graphics-modules. (This version was never
used before for nvidia-graphics-drivers.)

The full changelog entry from svn follows, annotated with the version
where each individual change appeared in sid:

nvidia-graphics-drivers (304.134-1) UNRELEASED; urgency=medium

  * New upstream legacy 304xx branch release 304.134 (2016-12-14).
    * Fixed CVE-2016-8826. (Closes: #848195)
    - Added support for X.Org xserver ABI 23 (xorg-server 1.19)
    * Improved compatibility with recent Linux kernels.
  * New upstream legacy 304xx branch release 304.132 (2016-09-26).
    * Fixed CVE-2016-7382, CVE-2016-7389. (Closes: #846331)
    - Added /var/log/dmesg to the list of paths which are searched by
      nvidia-bug-report.sh for kernel messages.
    - Fixed a bug that caused kernel panics when using the NVIDIA driver on
      v4.5 and newer Linux kernels built with CONFIG_DEBUG_VM_PGFLAGS.
    * Improved compatibility with recent Linux kernels.

  [ Andreas Beckmann ]
  * Drop substitution backward-compatibility with EoL
    nvidia-graphics-drivers-legacy-173xx and
    nvidia-graphics-drivers-legacy-96xx in favor of a reduced diff to
    nvidia-graphics-drivers-legacy-304xx and newer (304.88-5).
  * Stop special-casing of the nvidia-alternative substitution (352.79-6).
  * rules: Drop support for ancient .run layout (352.79-4).
  * Drop support for backporting to squeeze (EoL) (304.88-4).
  * nvidia-detect: Drop support for lenny and squeeze(-lts) (EoL) (352.79-5).
  * Do not run dh_strip_nondeterminism, it may perform modifications not
    permitted by the NVIDIA license (340.96-4).
  * nvidia-glx, nvidia-kernel-*: Report the latest tested Linux version
    that can build the kernel module in the package description (340.76-3).
  * nvidia-kernel-source: Use reproducible timestamps and file order inside
    /usr/src/nvidia-kernel.tar.bz2 (340.76-1).
  * rules, rules.defs: Synchronize variable naming with unstable (352.79-3).
  * rules, control: Synchronize substvars with unstable (352.79-3).
  * get-orig-source: Synchronize with unstable (352.79-3).
  * get-orig-source: Generate .orig-$ARCH.tar.gz for each architecture
    (358.16-1).
  * control: Synchronize descriptions with unstable.
  * bug-script: Synchronize with unstable (352.79-3).
  * bug-control.mk: New script to generate bug-control (352.79-4).
  * bug-control, bug-script: Collect some information about OpenCL (352.79-6).
  * Use nvidia:kmod:binary and nvidia:kmod:source substvars (304.88-5).
  * Use an empty nvidia:legacy-check substvar for legacy packages (352.79-6).
  * use-nv-kernel-ARCH.o_shipped.patch: Synchronize with unstable (304.88-5).
  * separate-makefile-kbuild.patch: New, don't make all Makefile targets
    available to Kbuild (352.79-6).
  * KERNEL_UNAME.patch: New, allow usage of KERNEL_UNAME as in 355.xx onwards
    (352.79-6).
  * modernize-conftest.patch: Update the conftest.sh build_cflags() function
    to the one from 352.79.
  * use-kbuild-compiler.patch: New patch to build with Kbuild's version of the
    compiler instead of system default, thanks to Luca (352.79-2).
  * Use NVIDIA's conftest.sh script to determine settings during module build
    instead of our manually maintained conftest.h header (352.79-2).
  * conftest-verbose.patch: New patch to dump dynamically generated conftest
    headers (352.79-2).
  * conftest-via-kbuild.patch: New patch to call conftest.sh from within
    kbuild (and therefore with kbuild's compiler and flags) as in 355.xx
    (352.79-2).
  * use-kbuild-flags.patch: New, use KBUILD_CFLAGS from Kbuild to
    support building a 64-bit kernel module with 32-bit userspace (352.79-5).
  * build-sanity-checks.patch: New, handle the conftest.sh sanity checks in
    the modernized module build system (352.79-6).
  * disable-cc_version_check.patch: New patch to disable a useless check that
    tests the running kernel instead of the compilation target.
  * Disable conftest.sh check xen_sanity_check.
  * Pass only the kernel version via KERNEL_UNAME and let the module build
    system figure out the paths (352.79-2).
  * Clear ARCH variable from environment before module build, thanks to Luca
    (352.79-2, 352.79-5).
  * control: Synchronize descriptions with unstable (370.28-2).
  * Add xorg-video-abi-23 as alternative dependency (375.20-1).
  * Bump Standards-Version to 3.9.8. No changes needed.
  * Update lintian overrides.

  [ Luca Boccassi ]
  * Add disable-mtrr.patch to disable MTRR in the kernel module if
    building on 4.3 or greater, where the deprecated APIs the kernel module
    uses are no longer exported, causing a failure when the module is
    loaded at runtime. (Closes: #809324)

 -- Andreas Beckmann <anbe at debian.org>  Thu, 15 Dec 2016 02:42:52 +0100

Andreas