NVIDIA CVE-2018-6249 CVE-2018-6253

Bug #1771814 reported by Alberto Milone on 2018-05-17
Affects                                 Importance  Assigned to
nvidia-graphics-drivers-384 (Ubuntu)    High        Alberto Milone
Trusty                                  High        Alberto Milone
Xenial                                  High        Alberto Milone
Artful                                  High        Alberto Milone

Bug Description

The 384.130 NVIDIA driver has security fixes for NVIDIA CVE-2018-6249 CVE-2018-6253.

Here is the PPA with the relevant nvidia packages for 14.04, 16.04, and 17.10:
https://launchpad.net/~albertomilone/+archive/ubuntu/nvidia-security-1

CVE References

description: updated
Changed in nvidia-graphics-drivers-384 (Ubuntu Trusty):
status: New → In Progress
Changed in nvidia-graphics-drivers-384 (Ubuntu Xenial):
status: New → In Progress
Changed in nvidia-graphics-drivers-384 (Ubuntu Artful):
status: New → In Progress
Changed in nvidia-graphics-drivers-384 (Ubuntu Trusty):
importance: Undecided → High
Changed in nvidia-graphics-drivers-384 (Ubuntu Xenial):
importance: Undecided → High
Changed in nvidia-graphics-drivers-384 (Ubuntu Artful):
importance: Undecided → High
Changed in nvidia-graphics-drivers-384 (Ubuntu Trusty):
assignee: nobody → Alberto Milone (albertomilone)
Changed in nvidia-graphics-drivers-384 (Ubuntu Xenial):
assignee: nobody → Alberto Milone (albertomilone)
Changed in nvidia-graphics-drivers-384 (Ubuntu Artful):
assignee: nobody → Alberto Milone (albertomilone)
Changed in nvidia-graphics-drivers-384 (Ubuntu):
status: In Progress → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-384 - 384.130-0ubuntu0.16.04.1

---------------
nvidia-graphics-drivers-384 (384.130-0ubuntu0.16.04.1) xenial; urgency=medium

  * SECURITY UPDATE:
    - CVE-2018-6249, 2018-6253 (LP: #1771814).
  * New upstream release:
   - Improved compatibility with recent Linux kernels.
   - Fixed a string concatenation bug that caused libGL to accidentally try
     to create the directory "$HOME.nv" rather than "$HOME/.nv" in some cases
     where /tmp isn't accessible.
   - Increased the version numbers of the GLVND libGL, libGLESv1_CM,
     libGLESv2, and libEGL libraries, to prevent concurrently installed
     non-GLVND libraries from taking precedence in the dynamic linker cache.
   - Fixed a bug which could cause X servers that export a Video Driver ABI
     earlier than 0.8 to crash when running X11 applications which call
     XRenderAddTraps().

 -- Alberto Milone <email address hidden> Thu, 17 May 2018 15:33:30 +0200

Changed in nvidia-graphics-drivers-384 (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-384 - 384.130-0ubuntu0.14.04.1

---------------
nvidia-graphics-drivers-384 (384.130-0ubuntu0.14.04.1) trusty; urgency=medium

  * SECURITY UPDATE:
    - CVE-2018-6249, 2018-6253 (LP: #1771814).
  * New upstream release:
   - Improved compatibility with recent Linux kernels.
   - Fixed a string concatenation bug that caused libGL to accidentally try
     to create the directory "$HOME.nv" rather than "$HOME/.nv" in some cases
     where /tmp isn't accessible.
   - Increased the version numbers of the GLVND libGL, libGLESv1_CM,
     libGLESv2, and libEGL libraries, to prevent concurrently installed
     non-GLVND libraries from taking precedence in the dynamic linker cache.
   - Fixed a bug which could cause X servers that export a Video Driver ABI
     earlier than 0.8 to crash when running X11 applications which call
     XRenderAddTraps().

 -- Alberto Milone <email address hidden> Thu, 17 May 2018 15:09:12 +0200

Changed in nvidia-graphics-drivers-384 (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-384 - 384.130-0ubuntu0.17.10.1

---------------
nvidia-graphics-drivers-384 (384.130-0ubuntu0.17.10.1) artful; urgency=medium

  * SECURITY UPDATE:
    - CVE-2018-6249, 2018-6253 (LP: #1771814).
  * New upstream release:
   - Improved compatibility with recent Linux kernels.
   - Fixed a string concatenation bug that caused libGL to accidentally try
     to create the directory "$HOME.nv" rather than "$HOME/.nv" in some cases
     where /tmp isn't accessible.
   - Increased the version numbers of the GLVND libGL, libGLESv1_CM,
     libGLESv2, and libEGL libraries, to prevent concurrently installed
     non-GLVND libraries from taking precedence in the dynamic linker cache.
   - Fixed a bug which could cause X servers that export a Video Driver ABI
     earlier than 0.8 to crash when running X11 applications which call
     XRenderAddTraps().

 -- Alberto Milone <email address hidden> Thu, 17 May 2018 15:36:52 +0200

Changed in nvidia-graphics-drivers-384 (Ubuntu Artful):
status: In Progress → Fix Released
Anders Kaseorg (andersk) wrote :

Shouldn’t this be uploaded to bionic too? The version in bionic is now older than in xenial and artful (bug 1780681), and presumably vulnerable.

Marc Deslauriers (mdeslaur) wrote :

Bionic has nvidia-graphics-drivers-390 which provides transitional packages for the nvidia-graphics-drivers-384 binary packages.

In other words, the nvidia-graphics-drivers-384 package in bionic isn't used.

This report contains Public Security information
Everyone can see this security related information.
