src:nvidia-graphics-drivers*: CVE-2014-8298: GLX-INDIRECT (Including CVE-2014-8093, CVE-2014-8098)

Related Vulnerabilities: CVE-2014-8298   CVE-2014-8093   CVE-2014-8098  

Debian Bug report logs - #772972

Reported by: Andreas Beckmann <anbe@debian.org>

Date: Fri, 12 Dec 2014 16:30:01 UTC

Severity: critical

Tags: security, wontfix

Done: Andreas Beckmann <anbe@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>:
Bug#772971; Package src:nvidia-graphics-drivers. (Fri, 12 Dec 2014 16:30:06 GMT)


Acknowledgement sent to Andreas Beckmann <anbe@debian.org>:
New Bug report received and forwarded. Copy sent to Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>. (Fri, 12 Dec 2014 16:30:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Andreas Beckmann <anbe@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: src:nvidia-graphics-drivers*: CVE-2014-8298: GLX-INDIRECT (Including CVE-2014-8093, CVE-2014-8098)
Date: Fri, 12 Dec 2014 17:27:56 +0100
Source: nvidia-graphics-drivers
Severity: critical
Tags: security

This is the NVIDIA-specific part of 
DSA-3095-1 xorg-server -- security update

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8298

The NVIDIA Linux Discrete GPU drivers before R304.125, R331.x before
R331.113, R340.x before R340.65, R343.x before R343.36, and R346.x
before R346.22, Linux for Tegra (L4T) driver before R21.2, and Chrome OS
driver before R40 allows remote attackers to cause a denial of service
(segmentation fault and X server crash) or possibly execute arbitrary
code via a crafted GLX indirect rendering protocol request. 

http://lists.x.org/archives/xorg-announce/2014-December/002500.html
http://nvidia.custhelp.com/app/answers/detail/a_id/3610

Release series          fixed in version
--------------          ----------------
Releases prior to 304   Has reached 'end of life' and no longer supported.
304.*                   304.125 available as of 12/9
319.*                   no longer supported
331.*                   331.113 available as of 12/9
340.*                   340.65 available as of 12/9
343.*                   343.36 available as of 12/9
346.*                   346.22 Beta available as of 12/9

All NVIDIA drivers (in non-free) are affected:

not fixable (no new upstream release will be provided):
 nvidia-graphics-drivers-legacy-96xx  | 96.43.18-2          | squeeze/non-free           | source
 nvidia-graphics-drivers-legacy-96xx  | 96.43.23-3          | wheezy/non-free            | source
 nvidia-graphics-drivers-legacy-96xx  | 96.43.23-7~bpo70+1  | wheezy-backports/non-free  | source
 nvidia-graphics-drivers-legacy-173xx | 173.14.27-2         | squeeze/non-free           | source
 nvidia-graphics-drivers-legacy-173xx | 173.14.35-1~bpo60+2 | squeeze-backports/non-free | source
 nvidia-graphics-drivers-legacy-173xx | 173.14.35-4         | wheezy/non-free            | source
 nvidia-graphics-drivers-legacy-173xx | 173.14.39-2~bpo70+1 | wheezy-backports/non-free  | source
 nvidia-graphics-drivers              | 195.36.31-6squeeze2 | squeeze/non-free           | source
 nvidia-graphics-drivers              | 295.59-1~bpo60+2    | squeeze-backports/non-free | source

uploads planned (new upstream release required):
 nvidia-graphics-drivers              | 304.117-1           | wheezy/non-free            | source
 nvidia-graphics-drivers-legacy-304xx | 304.123-4~bpo70+1   | wheezy-backports/non-free  | source
 nvidia-graphics-drivers-legacy-304xx | 304.123-4           | jessie/non-free            | source
 nvidia-graphics-drivers-legacy-304xx | 304.123-4           | sid/non-free               | source
 nvidia-graphics-drivers              | 319.82-1~bpo70+2    | wheezy-backports/non-free  | source
 nvidia-graphics-drivers              | 340.46-6            | jessie/non-free            | source
 nvidia-graphics-drivers              | 340.58-1            | sid/non-free               | source
 nvidia-graphics-drivers              | 343.22-2            | experimental/non-free      | source

I expect wheezy (only nvidia-graphics-drivers can be fixed there)
shall be fixed via wheezy-proposed-updates, no DSA, as in the previous ones?


Andreas
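
As an added illustration (not part of the bug report, nor Debian or NVIDIA tooling), the fixed-version table in the message above can be turned into a triage check for driver package versions. The function names and status labels are assumptions of this example; release series the report does not list are returned as `not-listed` rather than guessed.

```python
import re

# Upstream release that fixes CVE-2014-8298 in each series (table in the report).
FIXED_IN = {304: (304, 125), 331: (331, 113), 340: (340, 65),
            343: (343, 36), 346: (346, 22)}
# Series the report lists as no longer supported.
UNSUPPORTED = {319}


def upstream_version(debian_version):
    """Return the upstream part of a Debian version as a tuple of ints."""
    v = debian_version.split(":", 1)[-1]      # drop an epoch, if any
    v = v.rsplit("-", 1)[0]                   # drop the Debian revision
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {debian_version!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def triage(debian_version):
    """Classify a driver version as (status, fixed_upstream_version_or_None)."""
    ver = upstream_version(debian_version)
    series = ver[0]
    if series < 304 or series in UNSUPPORTED:
        return ("no-fix", None)               # end of life, no upstream fix
    if series not in FIXED_IN:
        return ("not-listed", None)           # series not covered by the report
    fixed = FIXED_IN[series]
    status = "fixed" if ver >= fixed else "vulnerable"
    return (status, ".".join(map(str, fixed)))


if __name__ == "__main__":
    # Versions from the report's package lists, plus one constructed fixed version.
    for v in ["96.43.23-3", "195.36.31-6squeeze2", "304.117-1",
              "304.123-4~bpo70+1", "319.82-1~bpo70+2", "340.46-6",
              "343.22-2", "340.65-1"]:
        print(f"{v:22} {triage(v)}")
```
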



Bug 772971 cloned as bugs 772972, 772973, 772974 Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Fri, 12 Dec 2014 16:36:05 GMT)


Bug reassigned from package 'src:nvidia-graphics-drivers' to 'src:nvidia-graphics-drivers-legacy-96xx'. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Fri, 12 Dec 2014 16:36:06 GMT)


Added tag(s) wontfix. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 11 Jan 2015 01:06:15 GMT)


Reply sent to Andreas Beckmann <anbe@debian.org>:
You have taken responsibility. (Tue, 05 Jun 2018 01:00:06 GMT)


Notification sent to Andreas Beckmann <anbe@debian.org>:
Bug acknowledged by developer. (Tue, 05 Jun 2018 01:00:06 GMT)


Message #16 received at 772972-done@bugs.debian.org:

From: Andreas Beckmann <anbe@debian.org>
To: 772973-done@bugs.debian.org, 772972-done@bugs.debian.org
Subject: wheezy-lts is EoL
Date: Tue, 5 Jun 2018 02:58:02 +0200

wheezy(-lts) is now EoL and this legacy driver is not present in any
newer releases.


Andreas



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 03 Jul 2018 07:32:39 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:07:14 2019; Machine Name: buxtehude
