nvidia-cuda-toolkit: CVE-2020-5991

Related Vulnerabilities: CVE-2020-5991  

Debian Bug report logs - #973543

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 1 Nov 2020 14:54:02 UTC

Severity: grave

Tags: security, upstream

Found in versions nvidia-cuda-toolkit/10.2.89-5, nvidia-cuda-toolkit/10.0.130-1

Fixed in version nvidia-cuda-toolkit/11.1.1-1

Done: Andreas Beckmann <anbe@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>:
Bug#973543; Package src:nvidia-cuda-toolkit. (Sun, 01 Nov 2020 14:54:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>. (Sun, 01 Nov 2020 14:54:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nvidia-cuda-toolkit: CVE-2020-5991
Date: Sun, 01 Nov 2020 15:51:12 +0100
Source: nvidia-cuda-toolkit
Version: 10.2.89-5
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for nvidia-cuda-toolkit.

I have no further details apart from what is in [1], which seems to indicate
Operating System Windows only. Do you find more information on that?
If this is confirmed that it only affects nvidia-cuda-toolkit on
Windows then feel free to close the bug accordingly, otherwise
probably an update to 11.1.1 in unstable would be good.

CVE-2020-5991[0]:
| NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a
| vulnerability in the NVJPEG library in which an out-of-bounds read or
| write operation may lead to code execution, denial of service, or
| information disclosure.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5991
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5991
[1] https://nvidia.custhelp.com/app/answers/detail/a_id/5094

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>:
Bug#973543; Package src:nvidia-cuda-toolkit. (Tue, 03 Nov 2020 18:54:03 GMT).


Acknowledgement sent to Andreas Beckmann <anbe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>. (Tue, 03 Nov 2020 18:54:03 GMT).


Message #10 received at 973543@bugs.debian.org:

From: Andreas Beckmann <anbe@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 973543@bugs.debian.org
Subject: Re: Bug#973543: nvidia-cuda-toolkit: CVE-2020-5991
Date: Tue, 3 Nov 2020 19:49:59 +0100
Control: found -1 10.0.130-1

On 11/1/20 3:51 PM, Salvatore Bonaccorso wrote:
> The following vulnerability was published for nvidia-cuda-toolkit.
> 
> I have no further details apart from what is in [1], which seems to indicate
> Operating System Windows only. Do you find more information on that?

That's also all I could find so far. But I can't really imagine that the
NVJPEG library has Windows-specific code ... (unlike some driver
components). So working towards 11.1...


Andreas



Marked as found in versions nvidia-cuda-toolkit/10.0.130-1. Request was from Andreas Beckmann <anbe@debian.org> to 973543-submit@bugs.debian.org. (Tue, 03 Nov 2020 18:54:03 GMT).


Reply sent to Andreas Beckmann <anbe@debian.org>:
You have taken responsibility. (Thu, 12 Nov 2020 22:48:04 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 12 Nov 2020 22:48:04 GMT).


Message #17 received at 973543-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 973543-close@bugs.debian.org
Subject: Bug#973543: fixed in nvidia-cuda-toolkit 11.1.1-1
Date: Thu, 12 Nov 2020 22:45:51 +0000
Source: nvidia-cuda-toolkit
Source-Version: 11.1.1-1
Done: Andreas Beckmann <anbe@debian.org>

We believe that the bug you reported is fixed in the latest version of
nvidia-cuda-toolkit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 973543@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann <anbe@debian.org> (supplier of updated nvidia-cuda-toolkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 12 Nov 2020 22:23:18 +0100
Source: nvidia-cuda-toolkit
Architecture: source
Version: 11.1.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>
Changed-By: Andreas Beckmann <anbe@debian.org>
Closes: 973543
Changes:
 nvidia-cuda-toolkit (11.1.1-1) experimental; urgency=medium
 .
   * New upstream release 11.1 Update 1 (Oct 2020).
     * Fixes CVE-2020-5991.  (Closes: #973543)
       https://nvidia.custhelp.com/app/answers/detail/a_id/5094
   * Refresh cuda-gdb 11.0.221 patch.
   * Add gcc-10 (default) and clang-10 as supported compiler alternatives.
   * Driver 450.80.02 is sufficient.
   * Conflict with Ubuntu .deb packages from NVIDIA that cause file conflicts.
     (LP: #1901239)
   * Update Lintian overrides.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Nov 16 11:32:48 2020; Machine Name: buxtehude