NVIDIA driver CVE-2015-5950

Bug #1489391 reported by Alberto Milone
This bug affects 1 person
Affects                               Status        Importance  Assigned to       Milestone
nvidia-graphics-drivers-304 (Ubuntu)  Fix Released  Undecided   Unassigned
  Trusty                              Fix Released  Undecided   Unassigned
  Vivid                               Fix Released  Undecided   Unassigned
nvidia-graphics-drivers-340 (Ubuntu)  Fix Released  Undecided   Unassigned
  Trusty                              Fix Released  Undecided   Unassigned
  Vivid                               Fix Released  Undecided   Unassigned
nvidia-graphics-drivers-346 (Ubuntu)  Invalid       Undecided   Unassigned
  Trusty                              Fix Released  Undecided   Unassigned
  Vivid                               Fix Released  Undecided   Unassigned
nvidia-graphics-drivers-352 (Ubuntu)  Fix Released  Undecided   Alberto Milone
  Trusty                              Invalid       Undecided   Marc Deslauriers
  Vivid                               Invalid       Undecided   Unassigned

Bug Description

This report is about a vulnerability in the NVIDIA drivers (304, 340, 346, 352) i.e. CVE-2015-5950. NVIDIA are going to make a public announcement on 9/25.

As discussed with Marc Deslauriers, I'm going to make the updated drivers available here in advance.

description: updated
description: updated
Changed in nvidia-graphics-drivers-352 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nvidia-graphics-drivers-352 (Ubuntu):
assignee: Marc Deslauriers (mdeslaur) → Alberto Milone (albertomilone)
status: Confirmed → In Progress
Marc Deslauriers (mdeslaur) wrote :

Any progress on getting packages, Alberto?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-304 - 304.128-0ubuntu0.0.1

---------------
nvidia-graphics-drivers-304 (304.128-0ubuntu0.0.1) trusty-security; urgency=medium

  [ Alberto Milone ]
  * debian/templates/dkms.conf.in:
    - Drop patches for Linux 3.19 and 4.0.
  * New upstream release:
    - Removed libvdpau and libvdpau_trace from the NVIDIA driver
      package. VDPAU is not supported on the legacy hardware
      supported on the release 304 legacy driver branch. The
      libvdpau_nvidia vendor library is still included, so users who
      wish to use VDPAU with newer hardware that still works with
      release 304 drivers may install libvdpau from packages provided
      by the OS vendor where available, or from the source code
      available at:
      http://people.freedesktop.org/~aplattner/vdpau/
  * SECURITY UPDATE:
    - CVE-2015-5950 (LP: #1489391).

 -- Alberto Milone <email address hidden> Wed, 16 Sep 2015 16:55:41 +0200

Changed in nvidia-graphics-drivers-304 (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-340 - 340.93-0ubuntu0.0.0.1

---------------
nvidia-graphics-drivers-340 (340.93-0ubuntu0.0.0.1) precise-security; urgency=medium

  * Initial release (replaces nvidia-graphics-drivers-331).
  * SECURITY UPDATE:
    - CVE-2015-5950 (LP: #1489391).

 -- Alberto Milone <email address hidden> Thu, 27 Aug 2015 16:35:39 +0200

Changed in nvidia-graphics-drivers-340 (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-340 - 340.93-0ubuntu0.0.1

---------------
nvidia-graphics-drivers-340 (340.93-0ubuntu0.0.1) trusty-security; urgency=medium

  [ Alberto Milone ]
  * New upstream release:
    - Fixed a bug that caused the X server to crash if an OpenGL
      application tried to allocate a drawable when GPU-accessible
      memory is exhausted.
    - Fixed a bug that could cause an Xid error when terminating a
      video playback application using the overlay presentation queue
      in VDPAU.
    - Fixed a rare deadlock condition when running applications that
      use OpenGL in multiple threads on a Quadro GPU.
    - Fixed a kernel memory leak that occurred when looping hardware-
      accelerated video decoding with VDPAU on Maxwell-based GPUs.
    - Fixed a bug that caused the X server to crash if a RandR 1.4
      output provided by a SinkOutput provider was selected as the
      primary output on X.Org xserver 1.17 and higher.
    - Fixed a bug that caused waiting on X Sync Fence objects in
      OpenGL to hang indefinitely in some cases.
    - Fixed a bug that prevented OpenGL from properly recovering from
      hardware errors or sync object waits that had timed out.
  * SECURITY UPDATE:
    - CVE-2015-5950 (LP: #1489391).

 -- Alberto Milone <email address hidden> Thu, 27 Aug 2015 15:45:03 +0200

Changed in nvidia-graphics-drivers-340 (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-346 - 346.96-0ubuntu0.0.1

---------------
nvidia-graphics-drivers-346 (346.96-0ubuntu0.0.1) trusty-security; urgency=medium

  [ Alberto Milone ]
  * New upstream release:
   - Added support for the following GPU:
     o Tesla K80
   - Fixed a bug that caused the X server to crash if an
     OpenGL application tried to allocate a drawable when
     GPU-accessible memory is exhausted.
  * SECURITY UPDATE:
    - CVE-2015-5950 (LP: #1489391).

 -- Alberto Milone <email address hidden> Thu, 27 Aug 2015 15:04:46 +0200

Changed in nvidia-graphics-drivers-346 (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-304 - 304.128-0ubuntu0.0.0.1

---------------
nvidia-graphics-drivers-304 (304.128-0ubuntu0.0.0.1) precise-security; urgency=medium

  [ Alberto Milone ]
  * New upstream release:
    - Removed libvdpau and libvdpau_trace from the NVIDIA driver
      package. VDPAU is not supported on the legacy hardware
      supported on the release 304 legacy driver branch. The
      libvdpau_nvidia vendor library is still included, so users who
      wish to use VDPAU with newer hardware that still works with
      release 304 drivers may install libvdpau from packages provided
      by the OS vendor where available, or from the source code
      available at:
      http://people.freedesktop.org/~aplattner/vdpau/
  * SECURITY UPDATE:
    - CVE-2015-5950 (LP: #1489391).

 -- Alberto Milone <email address hidden> Wed, 16 Sep 2015 16:43:44 +0200

Changed in nvidia-graphics-drivers-304 (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-304 - 304.128-0ubuntu0.1

---------------
nvidia-graphics-drivers-304 (304.128-0ubuntu0.1) vivid-security; urgency=medium

  [ Alberto Milone ]
  * debian/templates/dkms.conf.in:
    - Drop patch for Linux 3.19.
  * New upstream release:
    - Removed libvdpau and libvdpau_trace from the NVIDIA driver
      package. VDPAU is not supported on the legacy hardware
      supported on the release 304 legacy driver branch. The
      libvdpau_nvidia vendor library is still included, so users who
      wish to use VDPAU with newer hardware that still works with
      release 304 drivers may install libvdpau from packages provided
      by the OS vendor where available, or from the source code
      available at:
      http://people.freedesktop.org/~aplattner/vdpau/
  * SECURITY UPDATE:
    - CVE-2015-5950 (LP: #1489391).

 -- Alberto Milone <email address hidden> Wed, 16 Sep 2015 17:02:40 +0200

Changed in nvidia-graphics-drivers-304 (Ubuntu Vivid):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-340 - 340.93-0ubuntu0.1

---------------
nvidia-graphics-drivers-340 (340.93-0ubuntu0.1) vivid-security; urgency=medium

  [ Alberto Milone ]
  * New upstream release:
    - Fixed a bug that caused the X server to crash if an OpenGL
      application tried to allocate a drawable when GPU-accessible
      memory is exhausted.
    - Fixed a bug that could cause an Xid error when terminating a
      video playback application using the overlay presentation queue
      in VDPAU.
    - Fixed a rare deadlock condition when running applications that
      use OpenGL in multiple threads on a Quadro GPU.
    - Fixed a kernel memory leak that occurred when looping hardware-
      accelerated video decoding with VDPAU on Maxwell-based GPUs.
    - Fixed a bug that caused the X server to crash if a RandR 1.4
      output provided by a SinkOutput provider was selected as the
      primary output on X.Org xserver 1.17 and higher.
    - Fixed a bug that caused waiting on X Sync Fence objects in
      OpenGL to hang indefinitely in some cases.
    - Fixed a bug that prevented OpenGL from properly recovering from
      hardware errors or sync object waits that had timed out.
  * SECURITY UPDATE:
    - CVE-2015-5950 (LP: #1489391).

 -- Alberto Milone <email address hidden> Thu, 27 Aug 2015 14:58:17 +0200

Changed in nvidia-graphics-drivers-340 (Ubuntu Vivid):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvidia-graphics-drivers-346 - 346.96-0ubuntu0.1

---------------
nvidia-graphics-drivers-346 (346.96-0ubuntu0.1) vivid-security; urgency=medium

  [ Alberto Milone ]
  * New upstream release:
   - Added support for the following GPU:
     o Tesla K80
   - Fixed a bug that caused the X server to crash if an
     OpenGL application tried to allocate a drawable when
     GPU-accessible memory is exhausted.
  * SECURITY UPDATE:
    - CVE-2015-5950 (LP: #1489391).

 -- Alberto Milone <email address hidden> Thu, 27 Aug 2015 14:46:29 +0200

Changed in nvidia-graphics-drivers-346 (Ubuntu Vivid):
status: New → Fix Released
information type: Private Security → Public Security
Changed in nvidia-graphics-drivers-352 (Ubuntu Trusty):
status: New → Invalid
Changed in nvidia-graphics-drivers-352 (Ubuntu Vivid):
status: New → Invalid
Changed in nvidia-graphics-drivers-352 (Ubuntu):
status: In Progress → Fix Released
Changed in nvidia-graphics-drivers-346 (Ubuntu):
status: New → Invalid
This report contains Public Security information  
Everyone can see this security related information.
