UPDATE: Remote Root In Nvidia xserver Driver
Regarding my post here on 18.Oct.2006:
http://lists.debian.org/debian-security/2006/10/msg00046.html
Nvidia has published a bulletin on this security hole:
http://nvidia.custhelp.com/cgi-bin/nvidia.cfg/php/enduser/std_adp.php?p_faqid=1971
(dated 20th.Oct - sorry, only just found it)
Here are some salient points:
* NVIDIA confirms that there is a security vulnerability in the NVIDIA
UNIX Graphics drivers, versions 1.0-8762 and 1.0-8774, as reported in
Security Advisory R7-0025, "Buffer Overflow in NVIDIA Binary Graphics Driver
For Linux" (http://download2.rapid7.com/r7-0025/).
* This bug was in the NVIDIA X driver's Render acceleration layer. The
bug can be avoided in affected drivers by disabling Render acceleration via
the "RenderAccel" X configuration option.
* NVIDIA can confirm that this bug is only present in the NVIDIA UNIX
Graphics drivers 1.0-8762 and 1.0-8774, and is fixed starting with
1.0-8776. Also, this bug is not present in driver versions older than
1.0-8762.
* We encourage users of NVIDIA graphics driver version 1.0-8762 or
1.0-8774 to upgrade to 1.0-8776, available here:
http://www.nvidia.com/object/unix.html
So while Etch and Sid users may want to observe that last advice (I don't know
what the current state of packaging is for this driver there), those of us
using Sarge can just go back to using the packaged Nvidia graphics driver -
1.0-7174 - because it doesn't contain the security hole. Great!
/me thanks lucky stars this bit of Debian stable is so far behind the bleeding
edge :-)
Nick Boyce
Bristol, UK
--
Will no one rid me of this troublesome chair?
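Added example (not part of the post or of NVIDIA's bulletin): a small POSIX shell check that applies the two facts quoted above, namely that only driver versions 1.0-8762 and 1.0-8774 are affected and that disabling Render acceleration with the "RenderAccel" X configuration option avoids the bug in those versions. It reads the driver version from /proc/driver/nvidia/version and the "Device" section options from /etc/X11/xorg.conf when run on a live system; the exact line format of the /proc file, the file path of xorg.conf, and the assumption that RenderAccel is enabled unless explicitly set to false are mine, and the sample inputs below are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: classify an NVIDIA UNIX driver install against the advisory.
# Result is one of: unknown / not-affected / exposed / mitigated.

# Affected releases exactly as named in the bulletin.
AFFECTED_VERSIONS="1.0-8762 1.0-8774"

# Constructed samples (format assumed to resemble /proc/driver/nvidia/version
# and a minimal xorg.conf; not copied from a real system).
SAMPLE_PROC_VERSION='NVRM version: NVIDIA UNIX x86 Kernel Module  1.0-8774  Wed Sep 27 16:32:00 PDT 2006
GCC version:  gcc version 3.3.5 (Debian 1:3.3.5-13)'

SAMPLE_XORG_EXPOSED='Section "Device"
    Identifier "nvidia0"
    Driver     "nvidia"
EndSection'

SAMPLE_XORG_MITIGATED='Section "Device"
    Identifier "nvidia0"
    Driver     "nvidia"
    Option     "RenderAccel" "false"
EndSection'

# Pull the "1.0-NNNN" version string out of the /proc file text ($1).
nvidia_version_from_text() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Kernel Module[[:space:]]*\([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p' \
      | head -n 1
}

# True (exit 0) when $1 is one of the two affected releases.
is_affected_version() {
    for v in $AFFECTED_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# True (exit 0) when the xorg.conf text ($1) leaves Render acceleration on,
# i.e. it has no explicit Option "RenderAccel" "false" (assumption: the
# driver enables RenderAccel by default; off/0/no spellings also count).
render_accel_enabled() {
    if printf '%s\n' "$1" \
       | grep -Eiq '^[[:space:]]*Option[[:space:]]+"RenderAccel"[[:space:]]+"(false|off|0|no)"'; then
        return 1
    fi
    return 0
}

# $1 = /proc/driver/nvidia/version text, $2 = xorg.conf text.
classify() {
    ver=$(nvidia_version_from_text "$1")
    if [ -z "$ver" ]; then
        echo "unknown"            # no NVIDIA kernel module loaded / unreadable
    elif ! is_affected_version "$ver"; then
        echo "not-affected"       # older than 8762 or 8776 and later
    elif render_accel_enabled "$2"; then
        echo "exposed"            # affected driver, Render acceleration still on
    else
        echo "mitigated"          # affected driver, RenderAccel disabled
    fi
}

main() {
    proc_text=$(cat /proc/driver/nvidia/version 2>/dev/null || true)
    conf_text=$(cat /etc/X11/xorg.conf 2>/dev/null || true)
    echo "live system: $(classify "$proc_text" "$conf_text")"
    echo "sample (1.0-8774, RenderAccel default): $(classify "$SAMPLE_PROC_VERSION" "$SAMPLE_XORG_EXPOSED")"
    echo "sample (1.0-8774, RenderAccel false):   $(classify "$SAMPLE_PROC_VERSION" "$SAMPLE_XORG_MITIGATED")"
}

main
```

On Sarge with the packaged 1.0-7174 driver the live check reports not-affected, which is the point of the post; on an affected version it distinguishes between a box that still needs the RenderAccel workaround and one where the workaround is already in xorg.conf. The upgrade to 1.0-8776 remains the real fix, since the option only disables the code path.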