Bug 1220552 (CVE-2024-0074)

Summary: VUL-0: CVE-2024-0074,CVE-2024-0075,CVE-2022-42265: kernel-firmware-nvidia-gspx-G06,nvidia-open-driver-G06-signed: Security issues in nvidia's graphics driver
Product: [Novell Products] SUSE Security Incidents
Reporter: Stefan Dirsch <sndirsch>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: meissner, sndirsch, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv3.1:SUSE:CVE-2024-0074:7.1:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) CVSSv3.1:SUSE:CVE-2024-0075:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: NVIDIA® Predisclosure Security Bulletin - February 2024_v3.pdf

Description Stefan Dirsch 2024-02-28 11:57:17 UTC
nvidia recently made updates of their graphics drivers due to various security issues. I'm attaching a document.

I already updated the driver packages on the nvidia server for openSUSE. I can also update the repositories for SLE on the nvidia server once we release the updated packages

  kernel-firmware-nvidia-gspx-G06
  nvidia-open-driver-G06-signed

for sle15-sp5 and sle15-sp4(LTSS).
Comment 1 Stefan Dirsch 2024-02-28 11:58:16 UTC
Created attachment 873079
NVIDIA® Predisclosure Security Bulletin - February 2024_v3.pdf
Comment 2 Stefan Dirsch 2024-02-28 12:01:56 UTC
> [...] I can also update the repositories for SLE on the nvidia server once we release the updated packages
>
>  kernel-firmware-nvidia-gspx-G06
>  nvidia-open-driver-G06-signed
>
> for sle15-sp5 and sle15-sp4(LTSS).

@Marcus Could you give them higher priority again? Thanks.

In case you're wondering, that R545 Driver Branch, which we were using up to now, isn't mentioned in the document. That's the pre-release branch of R550. I'm pretty sure it's affected as well.
Comment 3 Marcus Meissner 2024-02-28 14:31:12 UTC
CRD: 2024-02-28
Comment 4 Stefan Dirsch 2024-02-28 21:18:40 UTC
It's released now.

https://nvidia.custhelp.com/app/answers/detail/a_id/5520
Comment 5 Stefan Dirsch 2024-03-01 02:03:32 UTC
Packages have been checked in for sle15-sp4/sle15-sp5.
Comment 6 Maintenance Automation 2024-03-05 20:30:07 UTC
SUSE-SU-2024:0772-1: An update that solves three vulnerabilities and contains one feature can now be installed.

Category: security (important)
Bug References: 1220552
CVE References: CVE-2022-42265, CVE-2024-0074, CVE-2024-0075
Jira References: PED-7117
Sources used:
openSUSE Leap 15.5 (src): nvidia-open-driver-G06-signed-550.54.14-150500.3.36.1
SUSE Linux Enterprise Micro 5.5 (src): nvidia-open-driver-G06-signed-550.54.14-150500.3.36.1
Basesystem Module 15-SP5 (src): nvidia-open-driver-G06-signed-550.54.14-150500.3.36.1
Public Cloud Module 15-SP5 (src): nvidia-open-driver-G06-signed-550.54.14-150500.3.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2024-03-05 20:30:17 UTC
SUSE-SU-2024:0770-1: An update that solves three vulnerabilities and contains one feature can now be installed.

Category: security (important)
Bug References: 1220552
CVE References: CVE-2022-42265, CVE-2024-0074, CVE-2024-0075
Jira References: PED-7117
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.4 (src): nvidia-open-driver-G06-signed-550.54.14-150400.9.50.1
SUSE Linux Enterprise Micro 5.4 (src): nvidia-open-driver-G06-signed-550.54.14-150400.9.50.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): nvidia-open-driver-G06-signed-550.54.14-150400.9.50.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): nvidia-open-driver-G06-signed-550.54.14-150400.9.50.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): nvidia-open-driver-G06-signed-550.54.14-150400.9.50.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): nvidia-open-driver-G06-signed-550.54.14-150400.9.50.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): nvidia-open-driver-G06-signed-550.54.14-150400.9.50.1
SUSE Manager Proxy 4.3 (src): nvidia-open-driver-G06-signed-550.54.14-150400.9.50.1
SUSE Manager Retail Branch Server 4.3 (src): nvidia-open-driver-G06-signed-550.54.14-150400.9.50.1
SUSE Manager Server 4.3 (src): nvidia-open-driver-G06-signed-550.54.14-150400.9.50.1
openSUSE Leap 15.4 (src): nvidia-open-driver-G06-signed-550.54.14-150400.9.50.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): nvidia-open-driver-G06-signed-550.54.14-150400.9.50.1
SUSE Linux Enterprise Micro 5.3 (src): nvidia-open-driver-G06-signed-550.54.14-150400.9.50.1

Comment 8 Stefan Dirsch 2024-03-06 02:10:54 UTC
Hooray. I verified that nvidia-open-driver-G06-kmp-<flavor> and kernel-firmware-nvidia-gspx-G06 package updates are available for SP4 and SP5. From my point of view this ticket can be closed. Thanks again for prioritizing this!
Comment 10 Stefan Dirsch 2024-03-25 08:10:41 UTC
This has been checked into SUSE:ALP:Source:Standard:1.0 for a long time. There is no 'ALP:Source:Standard:1.0'.
Comment 11 Marcus Meissner 2024-03-26 09:47:23 UTC
released