Bug 1173349 - (CVE-2020-5963) VUL-0: CVE-2020-5963, CVE-2020-5967,CVE-2020-5973: nvidia kmps: security issues
(CVE-2020-5963)
VUL-0: CVE-2020-5963, CVE-2020-5967,CVE-2020-5973: nvidia kmps: security issues
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P2 - High : Critical
: ---
Assigned To: Stefan Dirsch
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-06-25 09:45 UTC by Mathias Homann
Modified: 2020-06-30 09:18 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mathias Homann 2020-06-25 09:45:52 UTC
this just in:

https://www.heise.de/security/meldung/Mehrere-Sicherheitsluecken-in-Grafikkarten-Treiber-von-Nvidia-gestopft-4794975.html

https://nvidia.custhelp.com/app/answers/detail/a_id/5031/kw/Security%20Bulletin

Linux users are adwised to update to 450.51 as soon as possible.

Please provide updated RPM packages quickly.
Comment 1 Stefan Dirsch 2020-06-25 10:54:22 UTC
On my TODO list since weeks. Still planned for this week. BTW, 440.100 and 390.138 also include the Security fix. Let's keep the long-term and stable release.
Comment 2 Marcus Meissner 2020-06-25 11:06:55 UTC
CVE‑2020‑5963 NVIDIA CUDA Driver contains a vulnerability in the Inter Process Communication APIs, in which improper access control may lead to code execution, denial of service, or information disclosure.

CVE‑2020‑5967 NVIDIA Linux GPU Display Driver contains a vulnerability in the UVM driver, in which a race condition may lead to a denial of service.
Comment 3 Marcus Meissner 2020-06-25 11:08:40 UTC
CVE‑2020‑5973  NVIDIA Virtual GPU Manager and the guest drivers contain a vulnerability in vGPU plugin, in which there is the potential to execute privileged operations, which may lead to denial of service.
Comment 4 Marcus Meissner 2020-06-25 11:09:19 UTC
Rest CVEs is windows only.
Comment 5 Markus Koßmann 2020-06-25 17:05:10 UTC
I'am surprised that the just released 440.100 driver fixes the problem only for NVS and Quadro cards ( according to nvidias security bulletin)  but not for Geforce cards, which need the still beta 450.51 driver. I've opened a topic in Nvidias developer forum about that to get that confirmed or hopefully the bullitin fixed.
Comment 6 Stefan Dirsch 2020-06-25 20:13:28 UTC
Hmm. According to the NVIDIA document released on June 3rd I have access to the drivers 390.138 (G04) and  440.100 (G05)  fixes the the security issues

CVE-2020-5963
CVE-2020-5967

for GeForce and Quadro, NVS cards.

> CVE-2020-5973  vGPU software (guest driver)
We don't provide this one for download.
Comment 7 Stefan Dirsch 2020-06-25 21:09:43 UTC
Updated packages are on-the-way.
Comment 8 Mathias Homann 2020-06-27 06:16:25 UTC
...and as usual, it takes openSUSE only a few hours to build the packages, but it'll take nvidia several working days to update the repository... why exactly isn't the driver just published via OBS where it's being built?
Comment 9 Stefan Dirsch 2020-06-27 15:18:58 UTC
In case this hasn't been a rhetorical question. Legal reasons? Do you want SUSE being out-of-business then in the worst case?
Comment 10 Mathias Homann 2020-06-27 15:21:52 UTC
oops, that serious? ouch. Let me guess, some contract between nvidia and suse that doesn't permit the drivers to be published on OBS?
Comment 11 Stefan Dirsch 2020-06-27 18:36:40 UTC
Not at all. SUSE is avoiding being sued due to violating the GPL by providing NVIDIA's drivers via our servers.
Comment 12 Mathias Homann 2020-06-27 19:07:43 UTC
that makes sense... but it does slow down the update process...

could there be an alternate package that downloads and installs the driver in %postinstall, similar to the nvidia packages for bumblebee? I'd think that would be ok with the GPL as well, wouldn't it?
Comment 13 Stefan Dirsch 2020-06-27 21:31:45 UTC
In theory, yes. Practical it makes things rather complicated and rather error-prone, .e.g. machines without direct access to internet (which got the nvidia package through other means) will fail. Downloads of the driver and/or patches may fail for others as well for other reasons. Let's see whether things improve, now that I know how to testbuild for current rc kernels.
Comment 14 Mathias Homann 2020-06-27 21:41:37 UTC
oh the speed that you're working at is not the problem... its just that every time the driver gets updated the nvidia repo is kind of broken-ish for several days during which signatures don't match up and all kind of other junk... as if they kinda have to do all the various steps that createrepo does, but manually, with vi, without having the man pages...
Comment 15 Stefan Dirsch 2020-06-27 21:51:31 UTC
Hmm. These issues should no longer happen. Unfortunately NVIIDA relies on a unbelievably broken CDN software, which assumes that a file isn't supposed to change its content, when it gets updated !?! And since the repo meta files keep the filename but change content things got broken in the past. Meanwhile they workaround this somehow.
Comment 16 Mathias Homann 2020-06-28 08:33:31 UTC
as far as I remember it still happened that way last time there was a driver update...
Comment 17 Stefan Dirsch 2020-06-28 10:32:06 UTC
Hmm. At least I didn't get any reports. So at least it has improved ...
Comment 18 Stefan Dirsch 2020-06-30 09:18:57 UTC
JFYI, all the repos have been updated with 390.138 (G04) and 440.100 (G05), which are supposed to fix the security issue. Here the list of repos:

14 | nvidia-leap-15.0        | nvidia-leap-15.0                  | Yes     | (r ) Yes  | No     
15 | nvidia-leap-15.1        | nvidia-leap-15.1                  | Yes     | (r ) Yes  | No     
16 | nvidia-leap-15.2        | nvidia-leap-15.2                  | Yes     | (r ) Yes  | No     

17 | nvidia-sle12-sp2        | nvidia-sle12-sp2                  | Yes     | (r ) Yes  | No     
18 | nvidia-sle12-sp3        | nvidia-sle12-sp3                  | Yes     | (r ) Yes  | No     
19 | nvidia-sle12-sp4        | nvidia-sle12-sp4                  | Yes     | (r ) Yes  | No     
20 | nvidia-sle12-sp5        | nvidia-sle12-sp5                  | Yes     | (r ) Yes  | No     

21 | nvidia-sle15               | nvidia-sle15                        | Yes     | (r ) Yes  | No     
22 | nvidia-sle15-sp1        | nvidia-sle15-sp1                  | Yes     | (r ) Yes  | No     
23 | nvidia-sle15-sp2        | nvidia-sle15-sp2                  | Yes     | (r ) Yes  | No     
24 | nvidia-tumbleweed   | nvidia-tumbleweed             | Yes     | (r ) Yes  | No