===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.2712
           nvidia-graphics-drivers-legacy-390xx security update
                                12 May 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           nvidia-graphics-drivers-legacy-390xx
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-42259 CVE-2022-42258 CVE-2022-42257
                   CVE-2022-34680 CVE-2022-34677 CVE-2022-34675
                   CVE-2022-34674 CVE-2022-34670 

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/05/msg00010.html

Comment: CVSS (Max):  7.8 CVE-2022-34670 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3418-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
May 11, 2023                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : nvidia-graphics-drivers-legacy-390xx
Version        : 390.157-1~deb10u1
CVE ID         : CVE-2022-34670 CVE-2022-34674 CVE-2022-34675 CVE-2022-34677
                 CVE-2022-34680 CVE-2022-42257 CVE-2022-42258 CVE-2022-42259
Debian Bug     : 1025281

NVIDIA has released a software security update for the NVIDIA GPU Display
Driver R390 linux driver branch. This update addresses issues that may lead to
denial of service, escalation of privileges, information disclosure, data
tampering or undefined behavior.


CVE-2022-34670

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer handler, where an unprivileged regular user can
    cause truncation errors when casting a primitive to a primitive of
    smaller size, causing data to be lost in the conversion, which may
    lead to denial of service or information disclosure.

CVE-2022-34674

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer handler, where a helper function maps more
    physical pages than were requested, which may lead to undefined
    behavior or an information leak.

CVE-2022-34675

    NVIDIA Display Driver for Linux contains a vulnerability in the
    Virtual GPU Manager, where it does not check the return value from a
    null-pointer dereference, which may lead to denial of service.

CVE-2022-34677

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer handler, where an unprivileged regular user can
    cause an integer to be truncated, which may lead to denial of
    service or data tampering.

CVE-2022-34680

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer handler, where an integer truncation can lead to
    an out-of-bounds read, which may lead to denial of service.

CVE-2022-42257

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer (nvidia.ko), where an integer overflow may lead to
    information disclosure, data tampering or denial of service.

CVE-2022-42258

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer (nvidia.ko), where an integer overflow may lead to
    denial of service, data tampering, or information disclosure.

CVE-2022-42259

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer (nvidia.ko), where an integer overflow may lead to
    denial of service.

For Debian 10 buster, these problems have been fixed in version
390.157-1~deb10u1.

We recommend that you upgrade your nvidia-graphics-drivers-legacy-390xx packages.

For the detailed security status of
nvidia-graphics-drivers-legacy-390xx please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/nvidia-graphics-drivers-legacy-390xx

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================