Bugzilla – Bug 1173349
VUL-0: CVE-2020-5963, CVE-2020-5967, CVE-2020-5973: nvidia kmps: security issues
Last modified: 2020-06-30 09:18:57 UTC
this just in:
Linux users are advised to update to 450.51 as soon as possible.
Please provide updated RPM packages quickly.
On my TODO list for weeks. Still planned for this week. BTW, 440.100 and 390.138 also include the security fix. Let's keep the long-term and stable release.
CVE-2020-5963 NVIDIA CUDA Driver contains a vulnerability in the Inter Process Communication APIs, in which improper access control may lead to code execution, denial of service, or information disclosure.
CVE-2020-5967 NVIDIA Linux GPU Display Driver contains a vulnerability in the UVM driver, in which a race condition may lead to a denial of service.
CVE-2020-5973 NVIDIA Virtual GPU Manager and the guest drivers contain a vulnerability in vGPU plugin, in which there is the potential to execute privileged operations, which may lead to denial of service.
The rest of the CVEs are Windows only.
I'm surprised that the just released 440.100 driver fixes the problem only for NVS and Quadro cards (according to NVIDIA's security bulletin) but not for GeForce cards, which need the still beta 450.51 driver. I've opened a topic in NVIDIA's developer forum about that to get that confirmed or hopefully the bulletin fixed.
Hmm. According to the NVIDIA document released on June 3rd I have access to, the drivers 390.138 (G04) and 440.100 (G05) fix the security issues for GeForce and Quadro, NVS cards.
> CVE-2020-5973 vGPU software (guest driver)
We don't provide this one for download.
Updated packages are on-the-way.
...and as usual, it takes openSUSE only a few hours to build the packages, but it'll take nvidia several working days to update the repository... why exactly isn't the driver just published via OBS where it's being built?
In case this hasn't been a rhetorical question. Legal reasons? Do you want SUSE being out-of-business then in the worst case?
oops, that serious? ouch. Let me guess, some contract between nvidia and suse that doesn't permit the drivers to be published on OBS?
Not at all. SUSE is avoiding being sued due to violating the GPL by providing NVIDIA's drivers via our servers.
that makes sense... but it does slow down the update process...
could there be an alternate package that downloads and installs the driver in %postinstall, similar to the nvidia packages for bumblebee? I'd think that would be ok with the GPL as well, wouldn't it?
In theory, yes. Practically it makes things rather complicated and rather error-prone, e.g. machines without direct access to the internet (which got the nvidia package through other means) will fail. Downloads of the driver and/or patches may fail for others as well for other reasons. Let's see whether things improve, now that I know how to testbuild for current rc kernels.
oh the speed that you're working at is not the problem... it's just that every time the driver gets updated the nvidia repo is kind of broken-ish for several days during which signatures don't match up and all kind of other junk... as if they kinda have to do all the various steps that createrepo does, but manually, with vi, without having the man pages...
Hmm. These issues should no longer happen. Unfortunately NVIDIA relies on an unbelievably broken CDN software, which assumes that a file isn't supposed to change its content when it gets updated !?! And since the repo meta files keep the filename but change content, things got broken in the past. Meanwhile they work around this somehow.
as far as I remember it still happened that way last time there was a driver update...
Hmm. At least I didn't get any reports. So at least it has improved ...
JFYI, all the repos have been updated with 390.138 (G04) and 440.100 (G05), which are supposed to fix the security issue. Here is the list of repos:
14 | nvidia-leap-15.0 | nvidia-leap-15.0 | Yes | (r ) Yes | No
15 | nvidia-leap-15.1 | nvidia-leap-15.1 | Yes | (r ) Yes | No
16 | nvidia-leap-15.2 | nvidia-leap-15.2 | Yes | (r ) Yes | No
17 | nvidia-sle12-sp2 | nvidia-sle12-sp2 | Yes | (r ) Yes | No
18 | nvidia-sle12-sp3 | nvidia-sle12-sp3 | Yes | (r ) Yes | No
19 | nvidia-sle12-sp4 | nvidia-sle12-sp4 | Yes | (r ) Yes | No
20 | nvidia-sle12-sp5 | nvidia-sle12-sp5 | Yes | (r ) Yes | No
21 | nvidia-sle15 | nvidia-sle15 | Yes | (r ) Yes | No
22 | nvidia-sle15-sp1 | nvidia-sle15-sp1 | Yes | (r ) Yes | No
23 | nvidia-sle15-sp2 | nvidia-sle15-sp2 | Yes | (r ) Yes | No
24 | nvidia-tumbleweed | nvidia-tumbleweed | Yes | (r ) Yes | No