Debian Bug report logs -
#772972
src:nvidia-graphics-drivers*: CVE-2014-8298: GLX-INDIRECT (Including CVE-2014-8093, CVE-2014-8098)
Reported by: Andreas Beckmann <anbe@debian.org>
Date: Fri, 12 Dec 2014 16:30:01 UTC
Severity: critical
Tags: security, wontfix
Done: Andreas Beckmann <anbe@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>
:
Bug#772971
; Package src:nvidia-graphics-drivers
.
(Fri, 12 Dec 2014 16:30:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Andreas Beckmann <anbe@debian.org>
:
New Bug report received and forwarded. Copy sent to Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>
.
(Fri, 12 Dec 2014 16:30:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: nvidia-graphics-drivers
Severity: critical
Tags: security
This is the NVIDIA-specific part of
DSA-3095-1 xorg-server -- security update
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8298
The NVIDIA Linux Discrete GPU drivers before R304.125, R331.x before
R331.113, R340.x before R340.65, R343.x before R343.36, and R346.x
before R346.22, Lixux for Tegra (L4T) driver before R21.2, and Chrome OS
driver before R40 allows remote attackers to cause a denial of service
(segmentation fault and X server crash) or possibly execute arbitrary
code via a crafted GLX indirect rendering protocol request.
http://lists.x.org/archives/xorg-announce/2014-December/002500.html
http://nvidia.custhelp.com/app/answers/detail/a_id/3610
Release series fixed in version
-------------- ----------------
Releases prior to 304 Has reached 'end of life' and no longer supported.
304.* 304.125 available as of 12/9
319.* no longer supported
331.* 331.113 available as of 12/9
340.* 340.65 available as of 12/9
343.* 343.36 available as of 12/9
346.* 346.22 Beta available as of 12/9
All NVIDIA drivers (in non-free) are affected:
not fixable (no new upstream release will be provided):
nvidia-graphics-drivers-legacy-96xx | 96.43.18-2 | squeeze/non-free | source
nvidia-graphics-drivers-legacy-96xx | 96.43.23-3 | wheezy/non-free | source
nvidia-graphics-drivers-legacy-96xx | 96.43.23-7~bpo70+1 | wheezy-backports/non-free | source
nvidia-graphics-drivers-legacy-173xx | 173.14.27-2 | squeeze/non-free | source
nvidia-graphics-drivers-legacy-173xx | 173.14.35-1~bpo60+2 | squeeze-backports/non-free | source
nvidia-graphics-drivers-legacy-173xx | 173.14.35-4 | wheezy/non-free | source
nvidia-graphics-drivers-legacy-173xx | 173.14.39-2~bpo70+1 | wheezy-backports/non-free | source
nvidia-graphics-drivers | 195.36.31-6squeeze2 | squeeze/non-free | source
nvidia-graphics-drivers | 295.59-1~bpo60+2 | squeeze-backports/non-free | source
uploads planned (new upstream release required):
nvidia-graphics-drivers | 304.117-1 | wheezy/non-free | source
nvidia-graphics-drivers-legacy-304xx | 304.123-4~bpo70+1 | wheezy-backports/non-free | source
nvidia-graphics-drivers-legacy-304xx | 304.123-4 | jessie/non-free | source
nvidia-graphics-drivers-legacy-304xx | 304.123-4 | sid/non-free | source
nvidia-graphics-drivers | 319.82-1~bpo70+2 | wheezy-backports/non-free | source
nvidia-graphics-drivers | 340.46-6 | jessie/non-free | source
nvidia-graphics-drivers | 340.58-1 | sid/non-free | source
nvidia-graphics-drivers | 343.22-2 | experimental/non-free | source
I expect wheezy (only nvidia-graphics-drivers can be fixed there)
shall be fixed via wheezy-proposed-updates, no DSA, as in the previous ones?
Andreas
Added tag(s) wontfix.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org
.
(Sun, 11 Jan 2015 01:06:15 GMT) (full text, mbox, link).
Reply sent
to Andreas Beckmann <anbe@debian.org>
:
You have taken responsibility.
(Tue, 05 Jun 2018 01:00:06 GMT) (full text, mbox, link).
Notification sent
to Andreas Beckmann <anbe@debian.org>
:
Bug acknowledged by developer.
(Tue, 05 Jun 2018 01:00:06 GMT) (full text, mbox, link).
Message #16 received at 772972-done@bugs.debian.org (full text, mbox, reply):
wheezy(-lts) is now EoL and this legacy driver is not present in any
newer releases.
Andreas
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Tue, 03 Jul 2018 07:32:39 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:07:14 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.