NVIDIA Spectre attack fixes

Bug #1741807 reported by Leith Bade on 2018-01-08
This bug affects 1 person
Affects (importance, assigned to):
nvidia-graphics-drivers-384 (Ubuntu): High, Alberto Milone
Trusty: High, Unassigned
Xenial: High, Unassigned
Zesty: High, Unassigned
Artful: High, Unassigned

Bug Description

According to http://nvidia.custhelp.com/app/answers/detail/a_id/4611 the NVIDIA driver needs to be updated to 384.111 to fix the Spectre vulnerabilities in the NVIDIA kernel modules (along with the upcoming Kernel security patches).

I think this update should be pushed ASAP to all supported Ubuntu releases as a security update.

It seems so far only CVE-2017-5753 (variant 1) has been addressed and a future NVIDIA update will also address CVE-2017-5715 (variant 2).

Please note there is also an updated version 390.12 for the R390 branch in case that is also provided somewhere.

Leith Bade (ljbade) on 2018-01-08
information type: Private Security → Public Security
Changed in nvidia-graphics-drivers-384 (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Alberto Milone (albertomilone)
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-384 - 384.111-0ubuntu0.17.04.1

---------------
nvidia-graphics-drivers-384 (384.111-0ubuntu0.17.04.1) zesty; urgency=medium

  * SECURITY UPDATE:
    - CVE-2017-5753 (LP: #1741807).
  * New upstream release:
    - Added support for the following GPUs:
      o GeForce MX130
      o GeForce MX110
      o GeForce GTX 1050 Ti with Max-Q Design
      o Quadro P500
    - Fixed a regression that prevented displays connected via some
      types of passive adapters (e.g. DMS-59 to VGA or DVI) from
      working correctly. The regression was introduced with driver
      version 384.98.
    - Fixed a bug that caused Quadro M2200 GPUs to enter the lowest
      available PowerMizer performance level when under load.
  * debian/templates/control.in:
    - Add Replaces/Conflicts/Provide for libcuda-9.0-1.
      Thanks to Graham Inggs for his contribution.
  * debian/templates/dkms_nvidia.conf.in:
    - Drop buildfix_kernel_4.14.patch.

 -- Alberto Milone <email address hidden> Mon, 08 Jan 2018 15:44:40 +0100

Changed in nvidia-graphics-drivers-384 (Ubuntu Zesty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-384 - 384.111-0ubuntu0.14.04.1

---------------
nvidia-graphics-drivers-384 (384.111-0ubuntu0.14.04.1) trusty; urgency=medium

  * SECURITY UPDATE:
    - CVE-2017-5753 (LP: #1741807).
  * New upstream release:
    - Added support for the following GPUs:
      o GeForce MX130
      o GeForce MX110
      o GeForce GTX 1050 Ti with Max-Q Design
      o Quadro P500
    - Fixed a regression that prevented displays connected via some
      types of passive adapters (e.g. DMS-59 to VGA or DVI) from
      working correctly. The regression was introduced with driver
      version 384.98.
    - Fixed a bug that caused Quadro M2200 GPUs to enter the lowest
      available PowerMizer performance level when under load.
  * debian/templates/control.in:
    - Add Replaces/Conflicts/Provide for libcuda-9.0-1.
      Thanks to Graham Inggs for his contribution.
  * debian/templates/dkms_nvidia.conf.in:
    - Drop buildfix_kernel_4.14.patch.

 -- Alberto Milone <email address hidden> Mon, 08 Jan 2018 16:11:38 +0100

Changed in nvidia-graphics-drivers-384 (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-384 - 384.111-0ubuntu0.16.04.1

---------------
nvidia-graphics-drivers-384 (384.111-0ubuntu0.16.04.1) xenial; urgency=medium

  * SECURITY UPDATE:
    - CVE-2017-5753 (LP: #1741807).
  * New upstream release:
    - Added support for the following GPUs:
      o GeForce MX130
      o GeForce MX110
      o GeForce GTX 1050 Ti with Max-Q Design
      o Quadro P500
    - Fixed a regression that prevented displays connected via some
      types of passive adapters (e.g. DMS-59 to VGA or DVI) from
      working correctly. The regression was introduced with driver
      version 384.98.
    - Fixed a bug that caused Quadro M2200 GPUs to enter the lowest
      available PowerMizer performance level when under load.
  * debian/templates/control.in:
    - Add Replaces/Conflicts/Provide for libcuda-9.0-1.
      Thanks to Graham Inggs for his contribution.
  * debian/templates/dkms_nvidia.conf.in:
    - Drop buildfix_kernel_4.14.patch.

 -- Alberto Milone <email address hidden> Mon, 08 Jan 2018 15:42:11 +0100

Changed in nvidia-graphics-drivers-384 (Ubuntu Xenial):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-384 - 384.111-0ubuntu0.17.10.1

---------------
nvidia-graphics-drivers-384 (384.111-0ubuntu0.17.10.1) artful; urgency=medium

  * SECURITY UPDATE:
    - CVE-2017-5753 (LP: #1741807).
  * New upstream release:
    - Added support for the following GPUs:
      o GeForce MX130
      o GeForce MX110
      o GeForce GTX 1050 Ti with Max-Q Design
      o Quadro P500
    - Fixed a regression that prevented displays connected via some
      types of passive adapters (e.g. DMS-59 to VGA or DVI) from
      working correctly. The regression was introduced with driver
      version 384.98.
    - Fixed a bug that caused Quadro M2200 GPUs to enter the lowest
      available PowerMizer performance level when under load.
  * debian/templates/control.in:
    - Add Replaces/Conflicts/Provide for libcuda-9.0-1.
      Thanks to Graham Inggs for his contribution.
  * debian/templates/dkms_nvidia.conf.in:
    - Drop buildfix_kernel_4.14.patch.

 -- Alberto Milone <email address hidden> Mon, 08 Jan 2018 15:46:54 +0100

Changed in nvidia-graphics-drivers-384 (Ubuntu Artful):
status: New → Fix Released
Leith Bade (ljbade) on 2018-01-09
description: updated
Saxon Druce (saxondruce) wrote :

Hi,

EGL seems to be broken in this update - the same bug as reported here for 384.90-0ubuntu0.16.04.2:

https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-384/+bug/1731968

It was possible to work around the bug in 384.90-0ubuntu0.16.04.2 by downgrading to 384.90-0ubuntu0.16.04.1, as described here:

https://stackoverflow.com/questions/47415198/missing-gl-version-from-glewinit-using-egl/47527089#47527089

However with the release of this 384.111 update, 384.90 has been superseded, and so it is no longer possible to use apt to downgrade to 384.90-0ubuntu0.16.04.1 (although it can be done by manually downloading and installing the old driver).

Saxon

Leith Bade (ljbade) wrote :

Hi Saxon,

Do you know if this has been reported to NVIDIA?

Leith

Saxon Druce (saxondruce) wrote :

Hi Leith,

I've submitted the message below to NVIDIA via the feedback form at http://www.nvidia.com/object/driverqualityassurance.html

Saxon

~~~~~~~~~~~~~~~~~~~~

Hi NVIDIA,

Since 384.90-0ubuntu0.16.04.2 was released, EGL crashes on set up (e.g. when performing OpenGL operations like getting the OpenGL version), see here:

https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-384/+bug/1731968

The same problem occurs on the recent 384.111 update, released to fix Spectre. See comment #5 here:

https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-384/+bug/1741807

Some more details also described here:

https://stackoverflow.com/questions/47415198/missing-gl-version-from-glewinit-using-egl/47527089#47527089

I have also tried the beta of 390.12 from here:

https://launchpad.net/~graphics-drivers/+archive/ubuntu/ppa/+packages

By doing the following:

sudo apt-get purge nvidia*
sudo add-apt-repository ppa:graphics-drivers/ppa
sudo apt-get update
sudo apt-get install nvidia-390

But this also doesn't work.

Thanks,
Saxon

Changed in nvidia:
assignee: nobody → jerahmia gaither (bearahmia)
status: New → Confirmed
Changed in nvidia-graphics-drivers-384 (Ubuntu):
status: Fix Committed → Fix Released
Changed in nvidia-graphics-drivers-384 (Ubuntu Trusty):
importance: Undecided → High
Changed in nvidia-graphics-drivers-384 (Ubuntu Xenial):
importance: Undecided → High
Changed in nvidia-graphics-drivers-384 (Ubuntu Zesty):
importance: Undecided → High
Changed in nvidia-graphics-drivers-384 (Ubuntu Artful):
importance: Undecided → High
Changed in nvidia:
assignee: jerahmia gaither (bearahmia) → nobody
affects: nvidia → ubuntu-translations
no longer affects: ubuntu-translations
This report contains Public Security information
Everyone can see this security related information.