Bug#913467: nvidia-graphics-drivers: CVE-2018-6260: access to application data processed on the GPU through a side channel exposed by the GPU performance counters

Luca Boccassi bluca at debian.org
Mon Feb 18 23:15:56 GMT 2019


On Mon, 2019-02-18 at 22:57 +0100, Moritz Mühlenhoff wrote:
> On Mon, Nov 12, 2018 at 02:36:23PM +0000, Luca Boccassi wrote:
> > On Mon, 2018-11-12 at 13:47 +0100, Andreas Beckmann wrote:
> > > On 2018-11-11 13:54, Luca Boccassi wrote:
> > > > https://nvidia.custhelp.com/app/answers/detail/a_id/4738
> > > 
> > > So we expect new releases soon. There is already 415.* ...
> > > 
> > > Please refrain from any uploads for now while I'm preparing
> > > infrastructure changes. I'll do a 390.87-3 upload soon, thereafter you
> > > could update that in sid. If there are some pkern commits in the
> > > repository, use them, if not, they will come with -2.
> > > 
> > > (Procedure in 390:
> > > do all commits incl. finalization of changelog in 390
> > > merge into master
> > > upload from master
> > > )
> > > 
> > > Andreas
> > 
> > Ok, I see -3 is now in unstable (thanks!) so if something comes out for
> > the 390 branch I'll follow that procedure and upload to unstable from
> > master.
> > 
> > What about -legacy-390xx?
> > 
> > > PS: finally a reason to push 390 to stretch, let's do it soon at the
> > > beginning of the new point release cycle
> > 
> > Yes, sounds good, 384 is not maintained anymore.
> 
> I'm confused by all the branches in buster. Can you please confirm
> which are fixed for CVE-2018-6260 and which are not? (And if so, which
> version in sid fixed it):
> 
> nvidia-graphics-drivers: 390.87-8 (sid: 410.93-2)
> nvidia-graphics-drivers-legacy-390xx: 390.87-6 (sid the same)
> nvidia-graphics-drivers-legacy-340xx: 340.107-3 (sid the same)
> nvidia-graphics-drivers-legacy-304xx: not in testing

Unfortunately we have no idea - NVIDIA's security tracker was never
updated after the initial mention of the CVE:

https://nvidia.custhelp.com/app/answers/detail/a_id/4738

-- 
Kind regards,
Luca Boccassi