NVIDIA CVE-2018-6249 CVE-2018-6253

Bug #1771814 reported by Alberto Milone
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
nvidia-graphics-drivers-384 (Ubuntu) | Won't Fix | High | Alberto Milone |
Trusty | Fix Released | High | Alberto Milone |
Xenial | Fix Released | High | Alberto Milone |
Artful | Fix Released | High | Alberto Milone |

Bug Description

The 384.130 NVIDIA driver has security fixes for NVIDIA CVE-2018-6249 and CVE-2018-6253.

Here is the PPA with the relevant nvidia packages for 14.04, 16.04, and 17.10:
https://launchpad.net/~albertomilone/+archive/ubuntu/nvidia-security-1

description: updated
Changed in nvidia-graphics-drivers-384 (Ubuntu Trusty):
status: New → In Progress
Changed in nvidia-graphics-drivers-384 (Ubuntu Xenial):
status: New → In Progress
Changed in nvidia-graphics-drivers-384 (Ubuntu Artful):
status: New → In Progress
Changed in nvidia-graphics-drivers-384 (Ubuntu Trusty):
importance: Undecided → High
Changed in nvidia-graphics-drivers-384 (Ubuntu Xenial):
importance: Undecided → High
Changed in nvidia-graphics-drivers-384 (Ubuntu Artful):
importance: Undecided → High
Changed in nvidia-graphics-drivers-384 (Ubuntu Trusty):
assignee: nobody → Alberto Milone (albertomilone)
Changed in nvidia-graphics-drivers-384 (Ubuntu Xenial):
assignee: nobody → Alberto Milone (albertomilone)
Changed in nvidia-graphics-drivers-384 (Ubuntu Artful):
assignee: nobody → Alberto Milone (albertomilone)
Changed in nvidia-graphics-drivers-384 (Ubuntu):
status: In Progress → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-384 - 384.130-0ubuntu0.16.04.1

---------------
nvidia-graphics-drivers-384 (384.130-0ubuntu0.16.04.1) xenial; urgency=medium

  * SECURITY UPDATE:
    - CVE-2018-6249, 2018-6253 (LP: #1771814).
  * New upstream release:
   - Improved compatibility with recent Linux kernels.
   - Fixed a string concatenation bug that caused libGL to accidentally try
     to create the directory "$HOME.nv" rather than "$HOME/.nv" in some cases
     where /tmp isn't accessible.
   - Increased the version numbers of the GLVND libGL, libGLESv1_CM,
     libGLESv2, and libEGL libraries, to prevent concurrently installed
     non-GLVND libraries from taking precedence in the dynamic linker cache.
   - Fixed a bug which could cause X servers that export a Video Driver ABI
     earlier than 0.8 to crash when running X11 applications which call
     XRenderAddTraps().

 -- Alberto Milone <email address hidden> Thu, 17 May 2018 15:33:30 +0200

Changed in nvidia-graphics-drivers-384 (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-384 - 384.130-0ubuntu0.14.04.1

---------------
nvidia-graphics-drivers-384 (384.130-0ubuntu0.14.04.1) trusty; urgency=medium

  * SECURITY UPDATE:
    - CVE-2018-6249, 2018-6253 (LP: #1771814).
  * New upstream release:
   - Improved compatibility with recent Linux kernels.
   - Fixed a string concatenation bug that caused libGL to accidentally try
     to create the directory "$HOME.nv" rather than "$HOME/.nv" in some cases
     where /tmp isn't accessible.
   - Increased the version numbers of the GLVND libGL, libGLESv1_CM,
     libGLESv2, and libEGL libraries, to prevent concurrently installed
     non-GLVND libraries from taking precedence in the dynamic linker cache.
   - Fixed a bug which could cause X servers that export a Video Driver ABI
     earlier than 0.8 to crash when running X11 applications which call
     XRenderAddTraps().

 -- Alberto Milone <email address hidden> Thu, 17 May 2018 15:09:12 +0200

Changed in nvidia-graphics-drivers-384 (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-384 - 384.130-0ubuntu0.17.10.1

---------------
nvidia-graphics-drivers-384 (384.130-0ubuntu0.17.10.1) artful; urgency=medium

  * SECURITY UPDATE:
    - CVE-2018-6249, 2018-6253 (LP: #1771814).
  * New upstream release:
   - Improved compatibility with recent Linux kernels.
   - Fixed a string concatenation bug that caused libGL to accidentally try
     to create the directory "$HOME.nv" rather than "$HOME/.nv" in some cases
     where /tmp isn't accessible.
   - Increased the version numbers of the GLVND libGL, libGLESv1_CM,
     libGLESv2, and libEGL libraries, to prevent concurrently installed
     non-GLVND libraries from taking precedence in the dynamic linker cache.
   - Fixed a bug which could cause X servers that export a Video Driver ABI
     earlier than 0.8 to crash when running X11 applications which call
     XRenderAddTraps().

 -- Alberto Milone <email address hidden> Thu, 17 May 2018 15:36:52 +0200

Changed in nvidia-graphics-drivers-384 (Ubuntu Artful):
status: In Progress → Fix Released
Anders Kaseorg (andersk) wrote :

Shouldn’t this be uploaded to bionic too? The version in bionic is now older than in xenial and artful (bug 1780681), and presumably vulnerable.

Marc Deslauriers (mdeslaur) wrote :

Bionic has nvidia-graphics-drivers-390 which provides transitional packages for the nvidia-graphics-drivers-384 binary packages.

In other words, the nvidia-graphics-drivers-384 package in bionic isn't used.

This report contains Public Security information  
Everyone can see this security related information.
