CVE-2016-7382, 2016-7389

Bug #1627055 reported by Alberto Milone
This bug affects 1 person
Affects                               Status        Importance  Assigned to     Milestone
nvidia-graphics-drivers-304 (Ubuntu)  Fix Released  High        Alberto Milone
  Precise                             Fix Released  Undecided   Unassigned
  Trusty                              Fix Released  Undecided   Unassigned
  Xenial                              Fix Released  Undecided   Unassigned
nvidia-graphics-drivers-340 (Ubuntu)  Fix Released  High        Alberto Milone
  Precise                             Fix Released  Undecided   Unassigned
  Trusty                              Fix Released  Undecided   Unassigned
  Xenial                              Fix Released  Undecided   Unassigned
nvidia-graphics-drivers-367 (Ubuntu)  Fix Released  High        Alberto Milone
  Precise                             Invalid       Undecided   Unassigned
  Trusty                              Fix Released  Undecided   Unassigned
  Xenial                              Fix Released  Undecided   Unassigned

Bug Description

The NVIDIA drivers are affected by a couple of vulnerabilities (CVE-2016-7382, 2016-7389), which NVIDIA are going to disclose on 10/19.

All the NVIDIA drivers in all the supported Ubuntu releases (12.04, 14.04, 16.04) are affected.

I am going to take care of the packaging and of the migrations to the new driver packages.

Changed in nvidia-graphics-drivers-304 (Ubuntu):
assignee: nobody → Alberto Milone (albertomilone)
Changed in nvidia-graphics-drivers-367 (Ubuntu):
assignee: nobody → Alberto Milone (albertomilone)
Changed in nvidia-graphics-drivers-304 (Ubuntu):
importance: Undecided → High
Changed in nvidia-graphics-drivers-367 (Ubuntu):
importance: Undecided → High
Changed in nvidia-graphics-drivers-304 (Ubuntu):
status: New → Triaged
Changed in nvidia-graphics-drivers-340 (Ubuntu):
status: New → Triaged
Changed in nvidia-graphics-drivers-367 (Ubuntu):
status: New → Triaged
Changed in nvidia-graphics-drivers-304 (Ubuntu Precise):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-304 - 304.132-0ubuntu0.16.04.2

---------------
nvidia-graphics-drivers-304 (304.132-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE:
    - CVE-2016-7382, 2016-7389 (LP: #1627055).
  * New upstream release:
    - Added /var/log/dmesg to the list of paths which are searched by
      nvidia-bug-report.sh for kernel messages.
    - Fixed a bug that caused kernel panics when using the NVIDIA
      driver on v4.5 and newer Linux kernels built with
      CONFIG_DEBUG_VM_PGFLAGS.
  * debian/templates/control.in:
    - Add transitional packages to deprecate the -updates flavour.
  * debian/dkms/patches/buildfix_kernel_4.3.patch:
    - Refresh the patch.
  * debian/templates/nvidia-graphics-drivers.postinst.in:
    - Do not fail if update-initramfs is not available (LP: #1629274).

 -- Alberto Milone <email address hidden> Thu, 13 Oct 2016 17:23:23 +0200

Changed in nvidia-graphics-drivers-304 (Ubuntu Xenial):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-340 - 340.98-0ubuntu0.16.04.1

---------------
nvidia-graphics-drivers-340 (340.98-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE:
    - CVE-2016-7382, 2016-7389 (LP: #1627055).
  * New upstream release:
    - Added support for the screen_info.ext_lfb_base field, on
      kernels that have it, in order to properly handle UEFI
      framebuffer consoles with physical addresses above 4GB.
  * debian/rules, debian/templates/control.in,
    debian/templates/nvidia-graphics-drivers.dirs.in,
    debian/templates/nvidia-graphics-drivers.install.in,
    debian/templates/nvidia-graphics-drivers.postinst.in,
    debian/templates/var-lib-snapd-lib-gl.mount.in:
    - Revert bind mount unit for snappy, as it causes a regression.
  * debian/templates/nvidia-graphics-drivers.postinst.in:
    - Do not fail if update-initramfs is not available (LP: #1629274).

 -- Alberto Milone <email address hidden> Thu, 13 Oct 2016 15:26:39 +0200

Changed in nvidia-graphics-drivers-340 (Ubuntu Xenial):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-367 - 367.57-0ubuntu0.14.04.1

---------------
nvidia-graphics-drivers-367 (367.57-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE:
    - CVE-2016-7382, 2016-7389 (LP: #1627055).
  * Initial release. It replaces the deprecated 352 series.

 -- Alberto Milone <email address hidden> Fri, 14 Oct 2016 11:21:13 +0200

Changed in nvidia-graphics-drivers-367 (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-367 - 367.57-0ubuntu0.16.04.1

---------------
nvidia-graphics-drivers-367 (367.57-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE:
    - CVE-2016-7382, 2016-7389 (LP: #1627055).
  * New upstream release:
    - Fixed a bug that could prevent systems with GPUs configured in
      SLI from resuming correctly from ACPI S3/S4 sleep/hibernate
      states.
    - Added support for NVIDIA 3D Vision 2 Stereo on Linux. This IR
      emitter can be used with stereo mode "10" set in the X
      configuration file.
    - Fixed a bug in nvidia-persistenced that caused it to
      incorrectly delete the PID file if a second instance of the
      daemon is started.
  * debian/templates/nvidia-graphics-drivers.postinst.in:
    - Do not fail if update-initramfs is not available (LP: #1629274).
  * debian/templates/libcuda1-361.prerm.in,
    debian/templates/nvidia-libopencl1-361.prerm.in:
    - Add empty prerm scripts for 361 (LP: #1621780).
  * debian/templates/control.in:
    - Restore support for libcuda-8.0-1 (lost in the transition from
      361). Thanks to Graham Inggs.

 -- Alberto Milone <email address hidden> Thu, 13 Oct 2016 12:05:12 +0200

Changed in nvidia-graphics-drivers-367 (Ubuntu Xenial):
status: New → Fix Released
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-304 - 304.132-0ubuntu0.12.04.1

---------------
nvidia-graphics-drivers-304 (304.132-0ubuntu0.12.04.1) precise-security; urgency=medium

  * SECURITY UPDATE:
    - CVE-2016-7382, 2016-7389 (LP: #1627055).
  * debian/templates/control.in:
    - Add transitional packages to deprecate the -updates flavour.
  * New upstream release:
    - Added /var/log/dmesg to the list of paths which are searched by
      nvidia-bug-report.sh for kernel messages.
    - Fixed a bug that caused kernel panics when using the NVIDIA
      driver on v4.5 and newer Linux kernels built with
      CONFIG_DEBUG_VM_PGFLAGS.

 -- Alberto Milone <email address hidden> Mon, 17 Oct 2016 09:21:32 +0200

Changed in nvidia-graphics-drivers-304 (Ubuntu Precise):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-304 - 304.132-0ubuntu0.14.04.2

---------------
nvidia-graphics-drivers-304 (304.132-0ubuntu0.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE:
    - CVE-2016-7382, 2016-7389 (LP: #1627055).
  * New upstream release:
    - Added /var/log/dmesg to the list of paths which are searched by
      nvidia-bug-report.sh for kernel messages.
    - Fixed a bug that caused kernel panics when using the NVIDIA
      driver on v4.5 and newer Linux kernels built with
      CONFIG_DEBUG_VM_PGFLAGS.
  * debian/dkms/patches/buildfix_kernel_4.3.patch:
    - Refresh the patch.
  * debian/templates/control.in:
    - Add transitional packages to deprecate the -updates flavour.

 -- Alberto Milone <email address hidden> Fri, 14 Oct 2016 17:22:43 +0200

Changed in nvidia-graphics-drivers-304 (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-340 - 340.98-0ubuntu0.12.04.1

---------------
nvidia-graphics-drivers-340 (340.98-0ubuntu0.12.04.1) precise-security; urgency=medium

  * SECURITY UPDATE:
    - CVE-2016-7382, 2016-7389 (LP: #1627055).
  * New upstream release:
    - Added /var/log/dmesg to the list of paths which are searched by
      nvidia-bug-report.sh for kernel messages.
    - Fixed a bug that caused kernel panics when using the NVIDIA
      driver on v4.5 and newer Linux kernels built with
      CONFIG_DEBUG_VM_PGFLAGS.
  * debian/templates/control.in:
    - Add transitional packages to deprecate the -updates flavour.

 -- Alberto Milone <email address hidden> Mon, 17 Oct 2016 09:45:54 +0200

Changed in nvidia-graphics-drivers-340 (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-340 - 340.98-0ubuntu0.14.04.1

---------------
nvidia-graphics-drivers-340 (340.98-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE:
    - CVE-2016-7382, 2016-7389 (LP: #1627055).
  * New upstream release:
    - Added support for the screen_info.ext_lfb_base field, on
      kernels that have it, in order to properly handle UEFI
      framebuffer consoles with physical addresses above 4GB.
  * debian/templates/control.in:
    - Add transitional packages to deprecate the -updates flavour.

 -- Alberto Milone <email address hidden> Fri, 14 Oct 2016 16:42:04 +0200

Changed in nvidia-graphics-drivers-340 (Ubuntu Trusty):
status: New → Fix Released
Changed in nvidia-graphics-drivers-304 (Ubuntu):
status: Triaged → Fix Released
Changed in nvidia-graphics-drivers-340 (Ubuntu):
status: Triaged → Fix Released
Changed in nvidia-graphics-drivers-367 (Ubuntu):
status: Triaged → Fix Released
Changed in nvidia-graphics-drivers-367 (Ubuntu Precise):
status: New → Invalid