===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.2712
           nvidia-graphics-drivers-legacy-390xx security update
                                12 May 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           nvidia-graphics-drivers-legacy-390xx
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-42259 CVE-2022-42258 CVE-2022-42257
                   CVE-2022-34680 CVE-2022-34677 CVE-2022-34675
                   CVE-2022-34674 CVE-2022-34670

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2023/05/msg00010.html

Comment: CVSS (Max):  7.8 CVE-2022-34670 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3418-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
May 11, 2023                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : nvidia-graphics-drivers-legacy-390xx
Version        : 390.157-1~deb10u1
CVE ID         : CVE-2022-34670 CVE-2022-34674 CVE-2022-34675 CVE-2022-34677
                 CVE-2022-34680 CVE-2022-42257 CVE-2022-42258 CVE-2022-42259
Debian Bug     : 1025281

NVIDIA has released a software security update for the NVIDIA GPU Display
Driver R390 Linux driver branch. This update addresses issues that may
lead to denial of service, escalation of privileges, information
disclosure, data tampering or undefined behavior.

CVE-2022-34670

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer handler, where an unprivileged regular user can
    cause truncation errors when casting a primitive to a primitive of
    smaller size causes data to be lost in the conversion, which may
    lead to denial of service or information disclosure.

CVE-2022-34674

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer handler, where a helper function maps more
    physical pages than were requested, which may lead to undefined
    behavior or an information leak.

CVE-2022-34675

    NVIDIA Display Driver for Linux contains a vulnerability in the
    Virtual GPU Manager, where it does not check the return value from a
    null-pointer dereference, which may lead to denial of service.

CVE-2022-34677

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer handler, where an unprivileged regular user can
    cause an integer to be truncated, which may lead to denial of
    service or data tampering.

CVE-2022-34680

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer handler, where an integer truncation can lead to
    an out-of-bounds read, which may lead to denial of service.

CVE-2022-42257

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer (nvidia.ko), where an integer overflow may lead to
    information disclosure, data tampering or denial of service.

CVE-2022-42258

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer (nvidia.ko), where an integer overflow may lead to
    denial of service, data tampering, or information disclosure.

CVE-2022-42259

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the
    kernel mode layer (nvidia.ko), where an integer overflow may lead to
    denial of service.

For Debian 10 buster, these problems have been fixed in version
390.157-1~deb10u1.

We recommend that you upgrade your nvidia-graphics-drivers-legacy-390xx
packages.

For the detailed security status of nvidia-graphics-drivers-legacy-390xx
please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/nvidia-graphics-drivers-legacy-390xx

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
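
As an added example (not part of the Debian or AusCERT text), the Python code below scans dpkg-query output for binary packages built from nvidia-graphics-drivers-legacy-390xx that are still older than the fixed version 390.157-1~deb10u1 named in the advisory above. It re-implements dpkg's version ordering so that it runs without dpkg installed; the sample rows, including their old version numbers, are constructed for illustration.

```python
SOURCE = "nvidia-graphics-drivers-legacy-390xx"  # source package named in the advisory
FIXED = "390.157-1~deb10u1"                      # fixed version for Debian 10 buster
DIGITS = "0123456789"
# Constructed sample rows: status, source package, binary package, version
SAMPLE = ["ii  nvidia-graphics-drivers-legacy-390xx nvidia-legacy-390xx-driver 390.87-8",
          "hi  nvidia-graphics-drivers-legacy-390xx nvidia-legacy-390xx-kernel-dkms 390.144-1~deb10u1",
          "ii  nvidia-graphics-drivers-legacy-390xx libgl1-nvidia-legacy-390xx-glx 390.157-1~deb10u1",
          "rc  nvidia-graphics-drivers-legacy-390xx nvidia-legacy-390xx-alternative 390.87-8"]

def _order(c):  # dpkg order: '~' before everything (even end of string), letters before symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit runs: character by character in dpkg order, end of string counts as 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) and a[i] not in DIGITS else 0
            bc = _order(b[j]) if j < len(b) and b[j] not in DIGITS else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # digit runs: compared as integers, so 87 < 157; an empty run counts as 0
        x, y = i, j
        while i < len(a) and a[i] in DIGITS: i += 1
        while j < len(b) and b[j] in DIGITS: j += 1
        na, nb = int(a[x:i] or 0), int(b[y:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def deb_cmp(a, b):  # returns -1, 0 or 1 (a older than, equal to, newer than b)
    def split(v):
        epoch, v = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = v.rpartition("-") if "-" in v else (v, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(lines, source=SOURCE, fixed=FIXED):
    """Binary packages from `source` with files on disk and a version older than `fixed`."""
    rows = (line.split() for line in lines)
    return [(f[2], f[3]) for f in rows if len(f) == 4 and f[0][1:2] not in ("n", "c")
            and f[1] == source and deb_cmp(f[3], fixed) < 0]

if __name__ == "__main__":
    print(unpatched(SAMPLE))
```

On a Debian host, pass it the lines printed by `dpkg-query -W -f='${db:Status-Abbrev} ${source:Package} ${Package} ${Version}\n'`; `dpkg --compare-versions` remains the authoritative comparison there. The `hi` row is flagged because a held package stays at its old version across routine upgrades, and a plain string comparison would wrongly rank 390.87 above 390.157.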