[Mageia-dev] NVIDIA CVE, mga1: update driver, or patch and break CUDA debugger?

Wed Apr 11 16:27:41 CEST 2012

Hi all!
+
+We'll have to apply a patch for CVE-2012-0946 (access to arbitrary
+system memory by any user) for cauldron and mga1.
+
+However, the security fix (patch to the nvidia kernel interface layer)
+will break CUDA debugger using libcuda older than 295.40.
+
+While I can upgrade cauldron driver (which contains libcuda) to 295.40,
+mga1 will be left with two options:
+a) Apply patch, informing users that CUDA debugger will cease to
+   function unless they upgrade their NVIDIA driver. However, as we have
+   no backports, the remaining (non-system-breaking) option to upgrade
+   their driver is to use http://onse.fi/nvidia-mgabuild/ , but I don't
+   think it is very nice to link to non-official page from an advisory,
+   right?
+
+b) Upgrade our MGA1 driver from 275.09.07 to 295.40 ("long-lived branch
+   release") as well. We have
+   previously shipped an update from 270.41.19 to 275.09.07 for MGA1
+   (that was due to an important stability bugfix). I'm not aware of
+   any blockers for this.
+
+
+I'd probably prefer (a), but since we don't have any official way for
+users to update their driver, that makes me lean to (b) instead.
+
+WDYT?
+
+A relatively quick decision needs to be made...
+
+-- 
+Anssi Hannula
+