Bug#913467: nvidia-graphics-drivers: CVE-2018-6260: access to application data processed on the GPU through a side channel exposed by the GPU performance counters

Moritz Muehlenhoff jmm at inutil.org
Tue Feb 19 16:42:32 GMT 2019


On Mon, Feb 18, 2019 at 11:15:56PM +0000, Luca Boccassi wrote:
> On Mon, 2019-02-18 at 22:57 +0100, Moritz Mühlenhoff wrote:
> > On Mon, Nov 12, 2018 at 02:36:23PM +0000, Luca Boccassi wrote:
> > > On Mon, 2018-11-12 at 13:47 +0100, Andreas Beckmann wrote:
> > > > On 2018-11-11 13:54, Luca Boccassi wrote:
> > > > > https://nvidia.custhelp.com/app/answers/detail/a_id/4738
> > > > 
> > > > So we expect new releases soon. There is already 415.* ...
> > > > 
> > > > Please refrain from any uploads for now while I'm preparing
> > > > infrastructure changes. I'll do a 390.87-3 upload soon, thereafter
> > > > you could update that in sid. If there are some pkern commits in the
> > > > repository, use them, if not, they will come with -2.
> > > > 
> > > > (Procedure in 390:
> > > > do all commits incl. finalization of changelog in 390
> > > > merge into master
> > > > upload from master
> > > > )
> > > > 
> > > > Andreas
> > > 
> > > Ok, I see -3 is now in unstable (thanks!) so if something comes out
> > > for the 390 branch I'll follow that procedure and upload to unstable
> > > from master.
> > > 
> > > What about -legacy-390xx?
> > > 
> > > > PS: finally a reason to push 390 to stretch, let's do it soon at
> > > > the beginning of the new point release cycle
> > > 
> > > Yes, sounds good, 384 is not maintained anymore.
> > 
> > I'm confused by all the branches in buster. Can you please confirm
> > which are fixed for CVE-2018-6260 and which are not? (And if so,
> > which version in sid fixed it):
> > 
> > nvidia-graphics-drivers: 390.87-8 (sid: 410.93-2)
> > nvidia-graphics-drivers-legacy-390xx: 390.87-6 (sid the same)
> > nvidia-graphics-drivers-legacy-340xx: 340.107-3 (sid the same)
> > nvidia-graphics-drivers-legacy-304xx: not in testing
> 
> Unfortunately we have no idea - NVIDIA's security tracker was never
> updated after the initial mention of the CVE:
> 
> https://nvidia.custhelp.com/app/answers/detail/a_id/4738

Ack, we can revisit once more information is available.

Cheers,
        Moritz


