Bug#772974: marked as done (src:nvidia-graphics-drivers*: CVE-2014-8298: GLX-INDIRECT (Including CVE-2014-8093, CVE-2014-8098))

Tue, 16 Dec 2014 16:36:43 -0800 

Your message dated Wed, 17 Dec 2014 00:34:23 +0000
with message-id <[email protected]>
and subject line Bug#772974: fixed in nvidia-graphics-drivers-legacy-304xx 
304.125-1
has caused the Debian Bug report #772974,
regarding src:nvidia-graphics-drivers*: CVE-2014-8298: GLX-INDIRECT (Including 
CVE-2014-8093, CVE-2014-8098)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
772974: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772974
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Source: nvidia-graphics-drivers
Severity: critical
Tags: security

This is the NVIDIA-specific part of 
DSA-3095-1 xorg-server -- security update

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8298

The NVIDIA Linux Discrete GPU drivers before R304.125, R331.x before
R331.113, R340.x before R340.65, R343.x before R343.36, and R346.x
before R346.22, Lixux for Tegra (L4T) driver before R21.2, and Chrome OS
driver before R40 allows remote attackers to cause a denial of service
(segmentation fault and X server crash) or possibly execute arbitrary
code via a crafted GLX indirect rendering protocol request. 

http://lists.x.org/archives/xorg-announce/2014-December/002500.html
http://nvidia.custhelp.com/app/answers/detail/a_id/3610

Release series                  fixed in version
--------------                  ----------------
Releases prior to 304           Has reached 'end of life' and no longer 
supported.
304.*                           304.125 available as of 12/9
319.*                           no longer supported
331.*                           331.113 available as of 12/9
340.*                           340.65 available as of 12/9
343.*                           343.36 available as of 12/9
346.*                           346.22 Beta available as of 12/9

All NVIDIA drivers (in non-free) are affected:

not fixable (no new upstream release will be provided):
 nvidia-graphics-drivers-legacy-96xx  | 96.43.18-2          | squeeze/non-free  
         | source
 nvidia-graphics-drivers-legacy-96xx  | 96.43.23-3          | wheezy/non-free   
         | source
 nvidia-graphics-drivers-legacy-96xx  | 96.43.23-7~bpo70+1  | 
wheezy-backports/non-free  | source
 nvidia-graphics-drivers-legacy-173xx | 173.14.27-2         | squeeze/non-free  
         | source
 nvidia-graphics-drivers-legacy-173xx | 173.14.35-1~bpo60+2 | 
squeeze-backports/non-free | source
 nvidia-graphics-drivers-legacy-173xx | 173.14.35-4         | wheezy/non-free   
         | source
 nvidia-graphics-drivers-legacy-173xx | 173.14.39-2~bpo70+1 | 
wheezy-backports/non-free  | source
 nvidia-graphics-drivers              | 195.36.31-6squeeze2 | squeeze/non-free  
         | source
 nvidia-graphics-drivers              | 295.59-1~bpo60+2    | 
squeeze-backports/non-free | source

uploads planned (new upstream release required):
 nvidia-graphics-drivers              | 304.117-1           | wheezy/non-free   
         | source
 nvidia-graphics-drivers-legacy-304xx | 304.123-4~bpo70+1   | 
wheezy-backports/non-free  | source
 nvidia-graphics-drivers-legacy-304xx | 304.123-4           | jessie/non-free   
         | source
 nvidia-graphics-drivers-legacy-304xx | 304.123-4           | sid/non-free      
         | source
 nvidia-graphics-drivers              | 319.82-1~bpo70+2    | 
wheezy-backports/non-free  | source
 nvidia-graphics-drivers              | 340.46-6            | jessie/non-free   
         | source
 nvidia-graphics-drivers              | 340.58-1            | sid/non-free      
         | source
 nvidia-graphics-drivers              | 343.22-2            | 
experimental/non-free      | source

I expect wheezy (only nvidia-graphics-drivers can be fixed there)
shall be fixed via wheezy-proposed-updates, no DSA, as in the previous ones?


Andreas

--- End Message ---
--- Begin Message --- 
Source: nvidia-graphics-drivers-legacy-304xx
Source-Version: 304.125-1

We believe that the bug you reported is fixed in the latest version of
nvidia-graphics-drivers-legacy-304xx, which is due to be installed in the 
Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann <[email protected]> (supplier of updated 
nvidia-graphics-drivers-legacy-304xx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 17 Dec 2014 01:05:07 +0100
Source: nvidia-graphics-drivers-legacy-304xx
Binary: nvidia-legacy-304xx-driver xserver-xorg-video-nvidia-legacy-304xx 
libgl1-nvidia-legacy-304xx-glx libgl1-nvidia-legacy-304xx-glx-i386 
nvidia-legacy-304xx-alternative nvidia-legacy-304xx-kernel-dkms 
nvidia-legacy-304xx-kernel-source
Architecture: source
Version: 304.125-1
Distribution: unstable
Urgency: medium
Maintainer: Debian NVIDIA Maintainers <[email protected]>
Changed-By: Andreas Beckmann <[email protected]>
Description:
 libgl1-nvidia-legacy-304xx-glx - NVIDIA binary OpenGL 
libraries${nvidia:LegacyDesc}
 libgl1-nvidia-legacy-304xx-glx-i386 - NVIDIA binary OpenGL 32-bit 
libraries${nvidia:LegacyDesc}
 nvidia-legacy-304xx-alternative - allows the selection of NVIDIA as GLX 
provider
 nvidia-legacy-304xx-driver - NVIDIA metapackage${nvidia:LegacyDesc}
 nvidia-legacy-304xx-kernel-dkms - NVIDIA binary kernel module DKMS 
source${nvidia:LegacyDesc}
 nvidia-legacy-304xx-kernel-source - NVIDIA binary kernel module 
source${nvidia:LegacyDesc}
 xserver-xorg-video-nvidia-legacy-304xx - NVIDIA binary Xorg 
driver${nvidia:LegacyDesc}
Closes: 772974
Changes:
 nvidia-graphics-drivers-legacy-304xx (304.125-1) unstable; urgency=medium
 .
   * New upstream legacy 304xx branch release 304.125 (2014-12-05).
     * Fixes CVE-2014-8298.  (Closes: #772974)
     - Added support for X.Org xserver ABI 19 (xorg-server 1.17).
     - Improved compatibility with recent Linux kernels.
     - Implemented support for disabling indirect GLX context creation using
       the -iglx option available on X.Org server release 1.16 and newer.  Note
       that future X.Org server releases may make the -iglx option the default.
       To re-enable support for indirect GLX on such servers, use the +iglx
       option.
     - Added the "AllowIndirectGLXProtocol" X config option.  This option can
       be used to disallow use of GLX protocol.  See "Appendix B. X Config
       Options" in the README for more details.
   * Synchronize packaging with nvidia-graphics-drivers 340.65-2:
   * Synchronize packaging with nvidia-graphics-drivers 340.46-5:
     - nvidia-alternative: Ship /usr/share/nvidia (slave alternative location).
     - README.source: Document the nks-history.git repository.
     - bug-script: Collect more information.
   * Synchronize packaging with nvidia-graphics-drivers 340.46-4:
     - d/rules: Add #!armhf# and #!legacy# substitutions.
   * Synchronize packaging with nvidia-graphics-drivers 304.125-1:
     - Add xorg-video-abi-19 as alternative dependency.
   * conftest.h:
     - Implement check for drm/drm_gem.h (340.58).
     - Implement new conftest.sh functions pci_save_state (340.58), follow_pfn,
       fault_flags, atomic64_type (346.16).
Checksums-Sha1:
 6cb6e8c3da5281d7611571ae5402981e3c369ac2 3054 
nvidia-graphics-drivers-legacy-304xx_304.125-1.dsc
 514d0ac98ab659d287ba1d50cd1cfd33301324d8 106359926 
nvidia-graphics-drivers-legacy-304xx_304.125.orig.tar.gz
 d471ccd48079736a31217587023c9d553f84cf86 82760 
nvidia-graphics-drivers-legacy-304xx_304.125-1.debian.tar.xz
Checksums-Sha256:
 2063308633af7dee49b078468ebed4943b21bac36a9cc111480a3dc8ee3c50f6 3054 
nvidia-graphics-drivers-legacy-304xx_304.125-1.dsc
 0435ea1d6253d878d1c761258c99c0785f53e177c5c8a6a55440de01ff63b648 106359926 
nvidia-graphics-drivers-legacy-304xx_304.125.orig.tar.gz
 38b912650be907ef7dc2a99080348e2ff73594883ffc1205f1e07271c33e3a6f 82760 
nvidia-graphics-drivers-legacy-304xx_304.125-1.debian.tar.xz
Files:
 791bddb098cd66df1dc746cd02f2163c 3054 non-free/libs optional 
nvidia-graphics-drivers-legacy-304xx_304.125-1.dsc
 ca6abfccfbd42ac5cbf735c1dd83765c 106359926 non-free/libs optional 
nvidia-graphics-drivers-legacy-304xx_304.125.orig.tar.gz
 f87866a3c6fc972c74ad355ae2cf4aa8 82760 non-free/libs optional 
nvidia-graphics-drivers-legacy-304xx_304.125-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUkMy2AAoJEF+zP5NZ6e0IqJ8QAJovtROK/hpPcEnM2CbC3SBT
jsF0fDDk6KgeGhSmCbKfyQbe+InFiV1fWluHo7Z2PnBlYtHuZSQ8qyKJh5zdALpB
4pJjzIEmuJGS/eJBuZjvbA33ydHBL+B+rg6E5w4C1TMWhDVlV2uSqeBekrZ0EhZt
zyNCwHMYwyjXxelWfw7+di/2uAk3M0wzy3rqVH9C3E5vOTAkv1YwgD+MRU21GhJr
fqaL24AiUz2AwUzn+p5clLpNa4MDPEhEWbczMAqXJsHtgUB7Ed87HnV+HFMrVq0K
08zvS3aEVCm0ar9txyrl6zbnY01t9cYHKxuG+Wqe1hAeAgVZBtrgTmnkT0/Faa30
aXcKqX/NOz2QXim0c+lHkemC3EPtg23Xvy8q0eeS6ifq1j/W4J7UUQMiJyFzS2vV
5jssG38XCoTR7KFEoU5wo3xS38wG575TS8TccLM7IY4Tnm1uIrjcB5VrjsdrIusY
ffh5LV83i7JSXs58cma7cvzK3+4bNqyNmuyvOYqte3XdfbTk0BhFT5RW7Hyi0UX7
73Mhkn4gY9dB7zrQ17pBi7j2X0kgceFTsB9aoXvMZbDliFUpvOWXLWUR339NVdNK
SDGsfZc8d4RG6ZcUuI17Zps4aD+6TYbjKpLzIO/ByGTQFTeQ/V245pzT5OKy/43Z
Oj/T9NBxf7gAIPFHEPsF
=k8Qx
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to