Linked by Thom Holwerda on Mon 16th Oct 2006 22:26 UTC, submitted by Johan M;son Lindman
Privacy, Security, Encryption
A recent security advisory announced today by Rapid7 explains, "the NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. This bug can be exploited both locally or remotely (via a remote X client or an X client which visits a malicious web page). A working proof-of-concept root exploit is attached to this advisory." The advisory goes on to note that the FreeBSD and Solaris binary drivers are also likely vulnerable and cautions, "it is our opinion that NVIDIA's binary driver remains an unacceptable security risk based on the large numbers of reproducible, unfixed crashes that have been reported in public forums and bug databases."
Well, just goes to show you ...
by WorknMan on Mon 16th Oct 2006 22:40 UTC
WorknMan
Member since:
2005-11-13

Just because your email programs won't execute attachments by default doesn't mean your OS isn't vulnerable in one way or the other ;) If somebody really wants in, they'll find a way.

Reply Score: 2

DittoBox Member since:
2005-07-08

Your argument only makes sense if we're talking about using 3rd party applications and drivers, which most people don't include when they talk about OS security. It's Apples and Oranges...

Reply Score: 4

First one...
by binarycrusader on Mon 16th Oct 2006 22:48 UTC
binarycrusader
Member since:
2005-07-06

This is what, the first such bug found (ever?), and years since the driver was released?

Besides, nVidia has already released a fix for it:

"NVIDIA released the 1.0-9625 driver which fixes this bug last month:
http://www.nzone.com/object/nzone_downloads_rel70betadriver.html"
- http://kerneltrap.org/node/7228

In the end, whether it is "acceptable" or not, nVidia is the only option for Accelerated High Performance Consumer 3D Graphics under operating systems such as Solaris. Quite frankly, they could name an exploit every day and I still wouldn't care. I have no choice in hardware...

Edited 2006-10-16 22:51

Reply Score: 4

RE: First one...
by Ford Prefect on Mon 16th Oct 2006 22:56 UTC in reply to "First one..."
Ford Prefect Member since:
2006-01-16

I don't want to criticise your opinion, but think it's fascinating (and surely you are not the only one).

The whole system in regards to security is as weak as its weakest part is. Yet, as soon as not using weak parts rises to a certain level of uncomfortable (in this situation, alternative hardware), they will be accepted, even if they drive the whole system unsecure.

Edited 2006-10-16 22:57

Reply Score: 5

RE[2]: First one...
by binarycrusader on Mon 16th Oct 2006 23:06 UTC in reply to "RE: First one..."
binarycrusader Member since:
2005-07-06

I don't want to criticise your opinion, but think it's fascinating (and surely you are not the only one).

It's not an opinion. I don't have a choice about the hardware I use if I want a consumer level 3D Card with accelerated 3D graphics for Solaris.

So, quite frankly, I don't really care. I just want the tools to do my job or to do whatever I need to.

The moment a viable alternative comes available, I'd be all for it. But so far, none have materialised.

Reply Score: 5

RE[3]: First one...
by dsmogor on Tue 17th Oct 2006 00:02 UTC in reply to "RE[2]: First one..."
dsmogor Member since:
2005-09-01

Actually the choice between bad and bad is not a choice at all.
Seemingly Windows drivers use the same codebase; are they affected? Did NV release an update for them as well?

Reply Score: 1

RE[2]: First one...
by Alleister on Tue 17th Oct 2006 04:43 UTC in reply to "RE: First one..."
Alleister Member since:
2006-05-29

I don't think it is a question of how uncomfortable it is. There simply is no alternative to fall back to even on Linux.
Intel Graphics are very slow and Ati drivers... well... you sure don't want to leave nVidia for Ati if it comes to drivers.

So if there is a true alternative then I'm not aware of it.

Reply Score: 1

RE[2]: First one...
by poohgee on Tue 17th Oct 2006 15:39 UTC in reply to "RE: First one..."
poohgee Member since:
2005-08-13

Hmm .. the whole system is not as weak as its weakest part if the weak part is isolated.

Reply Score: 1

RE[3]: First one...
by Ford Prefect on Tue 17th Oct 2006 19:13 UTC in reply to "RE[2]: First one..."
Ford Prefect Member since:
2006-01-16

So how to isolate this driver?

Reply Score: 1

RE: First one...
by miscz on Mon 16th Oct 2006 23:03 UTC in reply to "First one..."
miscz Member since:
2005-07-17

Beta drivers are not the answer. It's like saying that your WinXP security problems can be fixed by installing Vista Beta ;)

Reply Score: 5

RE[2]: First one...
by binarycrusader on Mon 16th Oct 2006 23:05 UTC in reply to "RE: First one..."
binarycrusader Member since:
2005-07-06

Beta drivers are not the answer. It's like saying that your WinXP security problems can be fixed by installing Vista Beta ;)

Why not? Works for everyone else in the industry...

(Creative, Microsoft, etc.)

Reply Score: 4

v RE: First one...
by Moulinneuf on Tue 17th Oct 2006 00:32 UTC in reply to "First one..."
RE[2]: First one...
by lfeagan on Tue 17th Oct 2006 00:42 UTC in reply to "RE: First one..."
lfeagan Member since:
2006-04-01

On the subject of the XIG drivers. As an owner and a long-time user of one of their packages, I feel I can comment that they are excellent drivers. The only thing that is a shame is that more recent and powerful hardware cards are not supported.

Through the efforts of the manufacturers, they have largely been pushed out of the fully hardware accelerated chips and mostly focus on Intel integrated graphics solutions these days.

I own one of their Platinum packages for my old HP notebook and have been quite pleased. The performance is excellent (given the underlying chipset) and they are extremely reliable. However, if you demand incredible performance on a modern 3D design package, you will be out of luck with XIG as they simply no longer support recent 3D Labs, nVidia, or ATI hardware. It is really a shame.

I believe in their products and appreciate all the work it takes to develop their products.

Reply Score: 1

RE[3]: First one...
by binarycrusader on Tue 17th Oct 2006 02:47 UTC in reply to "RE: First one..."
binarycrusader Member since:
2005-07-06

The only thing that is a shame is that more recent and powerful hardware cards are not supported.

Which is my primary problem and why I qualified my statement with "High Performance". XiG is not an option.

Reply Score: 1

RE[2]: First one...
by binarycrusader on Tue 17th Oct 2006 02:49 UTC in reply to "RE: First one..."
binarycrusader Member since:
2005-07-06


http://www.xig.com/Pages/Summit/OSsupport.html#Solaris32anchor


nVidia is still the only option. XiG's support is only good for the older generation of video cards. I don't see SLI or anything like that on there either (maybe I'm missing it). Not only that, between choosing to pay for a driver and one for free, the choice is obvious in this case...

Besides, this whole conversation was about binary drivers, how is choosing *another* binary driver any better?

Reply Score: 2

RE[3]: First one...
by Moulinneuf on Tue 17th Oct 2006 03:32 UTC in reply to "RE[2]: First one..."
Moulinneuf Member since:
2005-07-06

"nVidia is still the only option."

You're not interested to pay for other options ...

"between choosing to pay for a driver and one for free"

The cost of a working secure and up to date driver is included in the sale price of the graphic card.

"how is choosing *another* binary driver any better?"

I was answering your no other option comment.

Reply Score: 1

RE[4]: First one...
by binarycrusader on Tue 17th Oct 2006 13:44 UTC in reply to "RE[3]: First one..."
binarycrusader Member since:
2005-07-06

The cost of a working secure and up to date driver is included in the sale price of the graphic card.

Exactly, so why would I pay for a driver *again*?

I was answering your no other option comment.

My no other option comment taken in context was that there was no *non-binary-only* option.

Reply Score: 1

Well
by tsuraan on Mon 16th Oct 2006 23:03 UTC
tsuraan
Member since:
2006-01-16

That should shut up the people who call anti-blob folks "idealists." Closed code can't be easily audited, and thus can't be trusted.

Reply Score: 5

RE: Well
by esper on Mon 16th Oct 2006 23:41 UTC in reply to "Well"
esper Member since:
2005-07-08

As much as I like free drivers, open source code can have root exploits too....

Reply Score: 5

RE[2]: Well
by renox on Tue 17th Oct 2006 07:12 UTC in reply to "RE: Well"
renox Member since:
2005-07-06

Yes, but usually open source developers don't wait two years before fixing them.

Reply Score: 5

RE[3]: Well
by ronaldst on Tue 17th Oct 2006 12:17 UTC in reply to "RE[2]: Well"
ronaldst Member since:
2005-06-29

@renox

Open source developers wait for a volunteer to fix the bugs. Which could be between immediately or never. It's the same as in closed source software.

Reply Score: 1

RE: Well
by DrillSgt on Tue 17th Oct 2006 00:46 UTC in reply to "Well"
DrillSgt Member since:
2005-12-02

"That should shut up the people who call anti-blob folks "idealists." Closed code can't be easily audited, and thus can't be trusted."

Actually I don't call anyone idealists. I think Open code is just as bad since me not being a coder, I just have to use it and rely on someone else. Being open means it is easier to slip exploits in. I don't know any of these so called 'Auditors' monitoring the code.

Reply Score: 1

RE[2]: Well
by Soulbender on Tue 17th Oct 2006 02:37 UTC in reply to "RE: Well"
Soulbender Member since:
2005-08-18

"Being open means it is easier to slip exploits in."

No it doesn't but I'm sure someone is happy that there are people who believe in that FUD.

Reply Score: 5

RE[3]: Well
by DrillSgt on Tue 17th Oct 2006 05:08 UTC in reply to "RE[2]: Well"
DrillSgt Member since:
2005-12-02

""Being open means it is easier to slip exploits in."

No it doesn't but I'm sure someone is happy that there are people who believe in that FUD."


Well, with closed source only the developers can contribute code to it, and yes it may take a bit longer to fix when something is found. With open source supposedly any one can commit code, unless I am sorely misunderstanding the meaning of community contributions, so an exploit may not even be found for awhile.

Reply Score: 1

RE[4]: Well
by WereCatf on Tue 17th Oct 2006 07:24 UTC in reply to "RE[3]: Well"
WereCatf Member since:
2006-02-15

Well, with closed source only the developers can contribute code to it, and yes it may take a bit longer to fix when something is found. With open source supposedly any one can commit code, unless I am sorely misunderstanding the meaning of community contributions, so an exploit may not even be found for awhile.

Uhh...I don't know of any decent project which allows just about anyone to apply a patch to the source tree..Usually the moderators check the patches and then either accept or reject them. So, if someone wrote a malicious patch, it would get rejected anyway. Sure, someone could download the whole source tree and patch it, but he/she would still not get it spread..Anyway, in essence, while only the developers can contribute code to closed source drivers, in open source model anyone can contribute a patch, but still the devs decide whether it goes in or not..

Reply Score: 2

gustl Member since:
2006-01-19

And it failed miserably.

It all comes down to who you trust. Do you trust all Microsoft employees? Are you sure nobody is including a backdoor in there somewhere? Do you trust the guys around the Linux/Xorg/Gnome/KDE projects?

Each of them uses their own software, so nobody of them wants a backdoor from other developers in his software. They have a clear motivation not to include a backdoor in their code, because all accepted code changes have to be attributable to someone for copyright reasons. The one who tries to include a backdoor knows, that no open source project will ever trust them again. And the likelihood that the backdoor will be found is very high, the code is open so everyone can search it for backdoors!

Reply Score: 1

RE[4]: Well
by Soulbender on Tue 17th Oct 2006 07:56 UTC in reply to "RE[3]: Well"
Soulbender Member since:
2005-08-18

"With open source supposedly any one can commit code"
No, only people granted access to commit code can do so.

Reply Score: 4

RE[4]: Well
by dylansmrjones on Tue 17th Oct 2006 09:04 UTC in reply to "RE[3]: Well"
dylansmrjones Member since:
2005-10-02

You cannot just like that put code into CVS. You can send a submission, but that doesn't mean it is accepted.

Open Source != Uncontrollable

Reply Score: 3

RE[4]: Well
by Morin on Tue 17th Oct 2006 13:50 UTC in reply to "RE[3]: Well"
Morin Member since:
2005-12-31

> Well, with closed source only the developers can contribute code to it,
> and yes it may take a bit longer to fix when something is found. With
> open source supposedly any one can commit code, unless I am sorely
> misunderstanding the meaning of community contributions, so an
> exploit may not even be found for awhile.

Yes, you *are* misunderstanding. Open Source (to some extents), and even more Free Software, mean that anyone can download the software and source code, distribute it, locally modify it, and distribute modifications.

Nothing, really nothing, gives you permission to modify the codebase in the project's repository as you wish. The project maintainers are free to accept your modifications (if you distribute them), but they could just as well ignore them altogether. Finally, a project maintainer who allows anonymous users to commit changes to the repository obviously hasn't learnt the hard way yet. But again, *nothing* in OSS or FS gives you permissions to do that, only stupid maintainers do.

Reply Score: 5

RE[2]: Well
by Redeeman on Tue 17th Oct 2006 06:02 UTC in reply to "RE: Well"
Redeeman Member since:
2006-03-23

easier to slip exploits in, are you joking? you don't think other developers on the project notice if someone throws in a root exploit? and you say you don't know of any auditors, there are LOTS, many distributions do some stuff to the packages before deploying, they look at the code, many end users do too, and often, bugs and security problems get back upstream because of that.

and you may need to rely on someone, but at least you know you always will have the ability to actually get it fixed. if suddenly your closedsource vendors decides they don't care, you are simply owned, on the other hand, in the opensource world you may hire others to do the work.

Reply Score: 1

RE[3]: Well
by DrillSgt on Tue 17th Oct 2006 06:19 UTC in reply to "RE[2]: Well"
DrillSgt Member since:
2005-12-02

"and you may need to rely on someone, but at least you know you always will have the ability to actually get it fixed. if suddenly your closedsource vendors decides they don't care, you are simply owned, on the other hand, in the opensource world you may hire others to do the work."

Agreed to an extent, those are valid points. I have my concerns with both models. Convincing the folks who control the money in a company to go with OpenSource for that reason is like poking yourself in the eye with a sharp stick repeatedly from my experience. This even included having an issue with a Linux box, posting to a news group and having my answer in about 2 hours. They still didn't buy it, go figure.

Reply Score: 2

RE[4]: Well
by ChiliJ on Tue 17th Oct 2006 09:01 UTC in reply to "RE[3]: Well"
ChiliJ Member since:
2005-08-12

I think that says more about the company you're working with rather than the Open Source model.

Reply Score: 2

RE[2]: Well
by rayiner on Tue 17th Oct 2006 22:27 UTC in reply to "RE: Well"
rayiner Member since:
2005-07-06

Why would it be easier to slip exploits into open code? Open source projects only give commit privileges to trusted committers. Indeed, it's probably pretty hard to slip an exploit into a major piece of open source code. You make a commit to the Linux kernel, and tens of thousands of people see the generated changelog message. Unless you're a very trusted committer, at least a couple of people see the patch too. And all these things are there on the internet, for anyone to look at any time.

In the world of politics, it's called "transparency". When everyone sees what's going on inside, it makes it much harder for somebody to do something wrong.

Reply Score: 1

Open Source Drivers
by tarpit on Mon 16th Oct 2006 23:12 UTC
tarpit
Member since:
2006-10-16

There is always the option of using open source drivers, no one is forcing anyone to use close source. Only if they want decent 3d.

It would be nice to have more documentation from the vendor so we could get the open source drivers up to speed.

I do see their point about giving more information to the competition. On the other hand, if both ATI and NVIDIA disclosed more information, wouldn't it encourage competition in the marketplace.

Reply Score: 4

RE: Open Source Drivers
by Morin on Tue 17th Oct 2006 13:36 UTC in reply to "Open Source Drivers"
Morin Member since:
2005-12-31

> There is always the option of using open source drivers, no one is
> forcing anyone to use close source. Only if they want decent 3d.

I think it is a bit unrealistic to expect anyone with an nVidia card *not* to want decent 3d features and performance. After all, they have paid a lot of money for their graphics card.

Reply Score: 5

@ tsuraan
by REMF on Mon 16th Oct 2006 23:14 UTC
REMF
Member since:
2006-02-05

while i admire the principle, and even agree with it, i'm not willing to submit myself to the misery of trying to play Gothic 3 on a G965 open source graphics chipset.

Reply Score: 2

RE: @ tsuraan
by Redeeman on Tue 17th Oct 2006 05:57 UTC in reply to "@ tsuraan"
Redeeman Member since:
2006-03-23

if you seriously think that the specifications required to create drivers that support 3d for nvidia and ati cards puts them at a disadvantage, you are not informed on the subject. the documentation required by us wouldn't even disclose information about their driver optimizations (which are mostly useless to their competitor, as it's almost entirely hardware specific).

both ati and nvidia have hugeass budgets and labs to get exactly the information they want from the competitor, they don't need any stinking documentation.

Reply Score: 1

RandomGuy
Member since:
2006-07-30

I can only hope that they create a usable card with open source drivers soon.

It sucks to either have a vulnerable system or be lightyears behind technology and performance wise.
Hate doing it but I'm using Nvidia's driver on my system because of strange (performance?) issues with DVI under the open source driver (can't watch videos without stripes on the screen).
On the other hand the fscking VGA mode gets my screen's resolution _very_ wrong:
As wrong as 800x600 with some 16 colours instead of
1280x1024.
It's not like I'd need some high performance 3d stuff...

So I decided to have a stable distro and another with blobs for watching videos...

Reply Score: 1

RE[2]: Well
by tsuraan on Tue 17th Oct 2006 00:25 UTC
tsuraan
Member since:
2006-01-16

Yup, it sure can. exploits that can be searched for and fixed on a timely basis, instead of having to wait 2 years for a fix for a remote root vulnerability in a kernel driver.

Of course, I'm still waiting to be able to use Xen with my nvidia card, so maybe I'm just a bit on the pissed-off-at-closed-driver side in general...

Reply Score: 5

RE: @ tsuraan
by tsuraan on Tue 17th Oct 2006 00:28 UTC
tsuraan
Member since:
2006-01-16

Yeah, I use the nvidia drivers. They're the best 3D acceleration for Linux, and I do graphics development, so that's the choice. I'm just waiting to be able to throw money at the OGP ;)

Reply Score: 3

Agree, OGP will be my future
by gustl on Tue 17th Oct 2006 07:52 UTC in reply to "RE: @ tsuraan"
gustl Member since:
2006-01-19

Even if it costs 200 and is half as fast as an ATI or NVidia. Just to know, that there will be no more hassle at install or unfixable bugs makes an excess of 100 worth paying.

I hope OGP will sell in the millions, that would give them enough budget for further development, and maybe NVidia and ATI would finally see that free drivers are a killer feature for us. Losing most of their Linux market share to OGP overnight might tell their upper management the story we could not yell at them loud enough for them to hear.

Reply Score: 1

JMcCarthy Member since:
2005-08-12

>Get a f**king grip - one f**king security hole in 5 years since they started supporting Linux and that too it's been fixed in the beta 9xxx series and the GPL morons get their panties in a twist.

Alleged technical superiority of open source v proprietary is not a claim the FSF actively makes and it is not one Stallman endorses, he has even gone as far as advocating free inferior software. They consider it irrelevant.

I can assure you that "GPL morons" had their "panties in a twist" long before this issue was disclosed, and it has very little to do with security vulnerabilities not only because it's irrelevant to them, but because it doesn't make sense to get all upset about this considering how many vulnerabilities things like the Linux kernel has suffered from.

So really, your issue is with the Eric Raymondism.

Reply Score: 4

Redeeman Member since:
2006-03-23

it may be a rare thing, but we have no way to fix production systems now, so tell me, these freebsd/solaris users, including yourself, you talk about, do you not care about security holes in production? do you simply upgrade to beta quality stuff to get around it? if freebsd suddenly had a security flaw on a critical machine of yours, would you simply pull CVS HEAD and compile if you knew it didn't have the bug?

Reply Score: 1

NotParker Member since:
2006-06-01

Really people, get a grip!. It's not like there haven't been security holes in the Linux kernel before.

Hundreds in the 2.6 kernel alone.

But saying truthful things about the Linux kernel gets you modded down pretty quick!

Reply Score: 0

Cost VS. Risk
by Bit_Rapist on Tue 17th Oct 2006 04:15 UTC
Bit_Rapist
Member since:
2005-11-13

The Risk? That you might be exploited via your video driver.

The Cost? Using half baked open source drivers with poor functionality (not exactly the fault of the open driver writers mind you, nvidia ain't exactly handing out documentation)

I'm thinking if this is fixed, well I'm going to continue running the closed nVidia drivers myself.

sorry but the open source drivers available are just really poor right now, and while I blame that on the graphics chipset manufacturers I also respect their concerns about trade secrets and proprietary IP in the products they produce.

Reply Score: 1

The quick fix, without using "nv"
by directhex on Tue 17th Oct 2006 07:29 UTC
directhex
Member since:
2005-11-16

Option "RenderAccel" "false"

that's the fix for anyone not wanting a) beta drivers or b) no 3D

Reply Score: 5
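A check for the workaround given in the comment above, as an added example that is not part of the original thread: it scans an xorg.conf for Device sections using the `nvidia` driver and reports whether `RenderAccel` is actually switched off, honouring the boolean spellings and the "No" prefix described in xorg.conf(5). The sample configuration and all function names are constructed for illustration, and a section that never sets the option is reported as still needing attention (assumption: the driver then leaves acceleration at its default).

```python
import re

# Boolean spellings accepted in xorg.conf, per xorg.conf(5).
TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"0", "off", "false", "no"}

# Constructed sample configuration, not taken from any real system.
SAMPLE_CONF = '''
Section "Device"
    Identifier "card-fixed"
    Driver     "nvidia"
    Option     "RenderAccel" "false"   # workaround from the comment above
EndSection
Section "Device"
    Identifier "card-default"
    Driver     "nvidia"
EndSection
Section "Device"
    Identifier "card-on"
    Driver     "nvidia"
    Option     "Render_Accel" "on"
EndSection
Section "Device"
    Identifier "card-negated"
    Driver     "nvidia"
    Option     "NoRenderAccel"
EndSection
Section "Device"
    Identifier "card-open"
    Driver     "nv"
EndSection
'''


def _norm(name):
    """Option names are case-insensitive; spaces and underscores are ignored."""
    return re.sub(r"[\s_]", "", name).lower()


def render_accel_state(opts):
    """Return 'disabled', 'enabled' or 'unset' for one section's options."""
    for name, negated in (("renderaccel", False), ("norenderaccel", True)):
        if name not in opts:
            continue
        value = opts[name]
        word = "true" if value is None else value.lower()  # bare option means TRUE
        if word not in TRUE_WORDS | FALSE_WORDS:
            return "enabled"  # unparsable value: not counted as a fix
        return "disabled" if (word in TRUE_WORDS) == negated else "enabled"
    return "unset"


def audit(conf_text):
    """Return [(identifier, state)] for each Device section with Driver "nvidia"."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        keyword = line.split()[0].lower()
        args = re.findall(r'"([^"]*)"', line)
        if keyword == "section":
            section = {"type": args[0].lower() if args else "",
                       "id": "?", "driver": "", "opts": {}}
        elif keyword == "endsection":
            if section and section["type"] == "device" and section["driver"] == "nvidia":
                findings.append((section["id"], render_accel_state(section["opts"])))
            section = None
        elif section is not None and args:
            if keyword == "identifier":
                section["id"] = args[0]
            elif keyword == "driver":
                section["driver"] = args[0]
            elif keyword == "option":
                section["opts"][_norm(args[0])] = args[1] if len(args) > 1 else None
    return findings


def needs_attention(conf_text):
    """Identifiers of nvidia Device sections where RenderAccel is not off."""
    return [ident for ident, state in audit(conf_text) if state != "disabled"]
```
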

trinitrotolueen Member since:
2006-10-03

Easy fix. What's all the fuss about?

I just got a new kernel update:

Linux serpent.virtuall-host.dyn-o-saur.com 2.6.18-1.2200.fc5 #1 SMP Sat Oct 14 16:59:56 EDT 2006 x86_64 x86_64 x86_64 GNU/Linux

The beta nvidia driver runs smooth by the way.

Reply Score: 3

v Stuck between a rock and a hard place...
by Brendan on Tue 17th Oct 2006 07:53 UTC
Greg Kroah-Hartmann is right:
by deb2006 on Tue 17th Oct 2006 08:14 UTC
deb2006
Member since:
2006-06-26

Things like that dangerous blob should definitely be banned from the kernel space. If they run in user space, ok. But I don't want them in the kernel space.

Reply Score: 4

RE: Greg Kroah-Hartmann is right:
by pucko on Tue 17th Oct 2006 07:18 UTC in reply to "Greg Kroah-Hartmann is right:"
pucko Member since:
2006-07-17

Things like that dangerous blob should definitely be banned from the kernel space. If they run in user space, ok. But I don't want them in the kernel space.

What the.. You have a CHOICE you know, you don't have to use it if you don't want to.
Banning is NOT a solution, it only takes away people's ability to choose what they want to run and where.

So Greg is WRONG if he tries to limit my freedom to choose.

Reply Score: 1

Re[5]: Well
by Darkelve on Tue 17th Oct 2006 08:18 UTC
Darkelve
Member since:
2006-02-06

"No, only people granted access to commit code can do so."

And even when they commit code, it's not a given it will also be *accepted* by the decision-makers.

Reply Score: 2

Hardly a surprise
by DevL on Tue 17th Oct 2006 11:11 UTC
DevL
Member since:
2005-07-06

Theo was right. Again.

Reply Score: 5

Maybe...
by Anonymous Penguin on Tue 17th Oct 2006 13:20 UTC
Anonymous Penguin
Member since:
2005-07-06

Maybe it is better that I keep my GMA 950 ;)

Reply Score: 1

Can someone please post how to take over
by stephanem on Tue 17th Oct 2006 16:32 UTC
stephanem
Member since:
2006-01-11

a computer remotely as root using this Nvidia exploit.

Bonus - if you can actually run rm -rf * using this exploit. Seems that any arbitrary code can be run.

Reply Score: 2