[Mageia-dev] NVIDIA CVE, mga1: update driver, or patch and break CUDA debugger?
pterjan at gmail.com
Wed Apr 11 16:47:27 CEST 2012
On Wed, Apr 11, 2012 at 15:27, Anssi Hannula <anssi at mageia.org> wrote:
> Hi all!
> We'll have to apply a patch for CVE-2012-0946 (access to arbitrary
> system memory by any user) for cauldron and mga1.
> However, the security fix (patch to the nvidia kernel interface layer)
> will break CUDA debugger using libcuda older than 295.40.
> While I can upgrade cauldron driver (which contains libcuda) to 295.40,
> mga1 will be left with two options:
> a) Apply patch, informing users that CUDA debugger will cease to
> function unless they upgrade their NVIDIA driver. However, as we have
> no backports, the remaining (non-system-breaking) option to upgrade
> their driver is to use http://onse.fi/nvidia-mgabuild/ , but I don't
> think it is very nice to link to non-official page from an advisory,
> b) Upgrade our MGA1 driver from 275.09.07 to 295.40 ("long-lived branch
> release") as well. We have
> previously shipped an update from 270.41.19 to 275.09.07 for MGA1
> (that was due to an important stability bugfix). I'm not aware of
> any blockers for this.
I would vote for b provided more research about known regressions from
275 to 295 (like dropping support for some devices)
More information about the Mageia-dev