Bug#855279: nvidia-graphics-drivers: CVE-2017-0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0321, CVE-2017-0318

Luca Boccassi luca.boccassi at gmail.com
Thu Feb 16 23:54:08 UTC 2017


On Thu, 2017-02-16 at 11:06 +0000, Luca Boccassi wrote:
> On Thu, 16 Feb 2017 11:50:27 +0100 Andreas Beckmann <anbe at debian.org>
> wrote:
> > Source: nvidia-graphics-drivers
> > Version: 343.22-1
> > Severity: serious
> > Tags: security
> > Control: found -1 1.0.4363-1
> > Control: found -1 310.14-1
> > Control: clone -1 -2 -3
> > Control: reassign -2 src:nvidia-graphics-drivers-legacy-340xx
> > 340.76-6
> > Control: retitle -2 nvidia-graphics-drivers-legacy-340xx: CVE-2017-
> > 0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0321, CVE-2017-0318
> > Control: reassign -3 src:nvidia-graphics-drivers-legacy-304xx
> > 304.108-2
> > Control: retitle -3 nvidia-graphics-drivers-legacy-304xx: CVE-2017-
> > 0309, CVE-2017-0310, CVE-2017-0311, CVE-2017-0321, CVE-2017-0318
> > 
> > http://nvidia.custhelp.com/app/answers/detail/a_id/4398
> > 
> > CVE-2017-0309
> > 
> > NVIDIA GPU Display Driver contains a vulnerability in the kernel
> > mode
> > layer handler where multiple integer overflows may cause improper
> > memory
> > allocation, which may lead to a denial of service or potential
> > escalation of privileges.
> > 
> > CVE-2017-0310
> > 
> > NVIDIA GPU Display Driver contains a vulnerability in the kernel
> > mode
> > layer handler where improper access controls allow an unprivileged
> > user
> > to cause a denial of service.
> > 
> > CVE-2017-0311
> > 
> > NVIDIA GPU Display Driver contains a vulnerability in the kernel
> > mode
> > layer handler where improper access control may lead to a denial of
> > service or possible escalation of privileges.
> > 
> > CVE-2017-0321
> > 
> > NVIDIA GPU Display Driver contains a vulnerability in the kernel
> > mode
> > layer handler where a NULL pointer dereference caused by invalid
> > user
> > input may lead to a denial of service or potential escalation of
> > privileges.
> > 
> > CVE-2017-0318
> > 
> > NVIDIA Linux GPU Display Driver contains a vulnerability in the
> > kernel
> > mode layer handler where improper validation of an input parameter
> > may
> > cause a denial of service on the system.
> > 
> > 
> > Andreas
> 
> It did look very suspicious that they released all those new versions
> all at the same time, and with a one-line changelog for 340.xx and
> 304.xx... Now I see why!
> 
> I assume we'll get an exception for Stretch, but I'd still like to
> keep
> the new patches to support kernel 4.10, do you think that's all
> right?
> 
> Work on 304 and 340 is done in the respective branches (haven't ran
> 340
> yet, just tested modules builds). I'll finish working on 375 tonight
> and
> give both a spin.
> 
> Kind regards,
> Luca Boccassi

Uploaded patches to trunk for 375. Gave it a quick spin and OpenGL and
OpenCL seem to work fine on Gnome 3.

Kind regards,
Luca Boccassi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/attachments/20170216/4c0d36df/attachment.sig>


More information about the pkg-nvidia-devel mailing list