Bug 1173558 - (CVE-2020-5968) VUL-0: CVE-2020-5968,CVE-2020-5972,CVE-2020-5971,CVE-2020-5970,CVE-2020-5969: nvidia: vGPU issues
(CVE-2020-5968)
VUL-0: CVE-2020-5968,CVE-2020-5972,CVE-2020-5971,CVE-2020-5970,CVE-2020-5969:...
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/262648/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-07-01 08:01 UTC by Wolfgang Frisch
Modified: 2020-07-01 12:18 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Wolfgang Frisch 2020-07-01 08:01:52 UTC
CVE-2020-5968

NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which
the software does not restrict or incorrectly restricts operations within the
boundaries of a resource that is accessed by using an index or pointer, such as
memory or files, which may lead to code execution, denial of service, escalation
of privileges, or information disclosure. This affects vGPU version 8.x (prior
to 8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3).

CVE-2020-5969

NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which
it validates a shared resource before using it, creating a race condition which
may lead to denial of service or information disclosure. This affects vGPU
version 8.x (prior to 8.4), version 9.x (prior to 9.4) and version 10.x (prior
to 10.3).

CVE-2020-5970

NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which
an input data size is not validated, which may lead to tampering or denial of
service. This affects vGPU version 8.x (prior to 8.4), version 9.x (prior to
9.4) and version 10.x (prior to 10.3).

CVE-2020-5971

NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which
the software reads from a buffer by using buffer access mechanisms such as
indexes or pointers that reference memory locations after the targeted buffer,
which may lead to code execution, denial of service, escalation of privileges,
or information disclosure. This affects vGPU version 8.x (prior to 8.4), version
9.x (prior to 9.4) and version 10.x (prior to 10.3).

CVE-2020-5972

NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which
local pointer variables are not initialized and may be freed later, which may
lead to tampering or denial of service. This affects vGPU version 8.x (prior to
8.4), version 9.x (prior to 9.4) and version 10.x (prior to 10.3).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5968
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5972
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5971
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5970
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5972
https://nvidia.custhelp.com/app/answers/detail/a_id/5031
Comment 1 Stefan Dirsch 2020-07-01 12:10:17 UTC
We don't package the NVIDIA Virtual GPU Manager, let alone provide it to our customers through any repository located on our or NVIDIA's place. I consider this bug INVALID.
Comment 2 Wolfgang Frisch 2020-07-01 12:18:14 UTC
Invalid.