[Mageia-dev] NVIDIA CVE, mga1: update driver, or patch and break CUDA debugger?

Pascal Terjan pterjan at gmail.com
Wed Apr 11 16:47:27 CEST 2012

On Wed, Apr 11, 2012 at 15:27, Anssi Hannula <anssi at mageia.org> wrote:
> Hi all!
> We'll have to apply a patch for CVE-2012-0946 (access to arbitrary
> system memory by any user) for cauldron and mga1.
> However, the security fix (patch to the nvidia kernel interface layer)
> will break the CUDA debugger using libcuda older than 295.40.
> While I can upgrade the cauldron driver (which contains libcuda) to 295.40,
> mga1 will be left with two options:
> a) Apply the patch, informing users that the CUDA debugger will cease to
>   function unless they upgrade their NVIDIA driver. However, as we have
>   no backports, the remaining (non-system-breaking) option to upgrade
>   their driver is to use http://onse.fi/nvidia-mgabuild/ , but I don't
>   think it is very nice to link to a non-official page from an advisory,
>   right?
> b) Upgrade our MGA1 driver from 275.09.07 to 295.40 ("long-lived branch
>   release") as well. We have previously shipped an update from
>   270.41.19 to 275.09.07 for MGA1 (that was due to an important
>   stability bugfix). I'm not aware of any blockers for this.

I would vote for b, provided more research is done about known regressions
from 275 to 295 (like dropping support for some devices).
