[Mageia-dev] NVIDIA CVE, mga1: update driver, or patch and break CUDA debugger?
Anssi Hannula
anssi at mageia.org
Wed Apr 11 16:27:41 CEST 2012
Hi all!
We'll have to apply a patch for CVE-2012-0946 (access to arbitrary
system memory by any user) for cauldron and mga1.
However, the security fix (patch to the nvidia kernel interface layer)
will break the CUDA debugger using libcuda older than 295.40.
While I can upgrade the cauldron driver (which contains libcuda) to 295.40,
mga1 will be left with two options:
a) Apply the patch, informing users that the CUDA debugger will cease to
function unless they upgrade their NVIDIA driver. However, as we have
no backports, the remaining (non-system-breaking) option to upgrade
their driver is to use http://onse.fi/nvidia-mgabuild/ , but I don't
think it is very nice to link to a non-official page from an advisory,
right?
b) Upgrade our MGA1 driver from 275.09.07 to 295.40 ("long-lived branch
release") as well. We have previously shipped an update from 270.41.19
to 275.09.07 for MGA1 (that was due to an important stability bugfix).
I'm not aware of any blockers for this.
I'd probably prefer (a), but since we don't have any official way for
users to update their driver, that makes me lean to (b) instead.
WDYT?
A relatively quick decision needs to be made...
--
Anssi Hannula