A new nVIDIA display driver has been released which fixes the exploit reported last week. The driver was vulnerable to a buffer overflow that allowed an attacker to run arbitrary code as root. This bug could be exploited both locally as well as remotely (via a remote X client or an X client which visits a malicious web page).
Driver fixed in a week, and in fact the beta of it with the exploit patched was there before the announcement of the vulnerability. Not bad for closed source eh?
Indeed. I strongly prefer OSS. But credit where credit is due is a good policy.
I have a number of complaints about NVidia’s policies. But I must admit that their support for Linux is first class.
Driver fixed in a week, and in fact the beta of it with the exploit patched was there before the announcement of the vulnerability. Not bad for closed source eh?
Really?
From kerneltrap
“the link in the advisory is the earliest thread in which we could find an NVIDIA employee publicly acknowledging the bug, although it was reported back in 2004 and has probably existed even longer.”
Meaning, there’s no bug if they don’t aknowledge it. And working exploit existed too. Just close your eyes.
Pisspoor job if you ask me.
“Really?
From kerneltrap
“the link in the advisory is the earliest thread in which we could find an NVIDIA employee publicly acknowledging the bug, although it was reported back in 2004 and has probably existed even longer.””
Actually the original bug was with XFree86/XOrg back then if you read up on it. The same situation was reported with non Nvidia cards as well.
Nvidia was first alerted to this problem in 2004, and publicly acknowledged that it existed in July. Last week someone published an exploit that anyone could run, probably as a way to force nVidia to finally deal with the problem. See http://download2.rapid7.com/r7-0025/
This is not a prompt response. Often a closed source vendor denies the severity of a problem until a full exploit is published, and this head-in-the-sand attitude hurts everyone.
maybe you should also take a look here:
http://nvidia.custhelp.com/cgi-bin/nvidia.cfg/php/enduser/std_adp.p…
“””Nvidia was first alerted to this problem in 2004″””
That turned out not to be true.
http://lists.freedesktop.org/archives/xorg/2006-October/018943.html
Edited 2006-10-23 23:22
You people make a big deal about a single exploit in proprietary drivers yet ignore the hundreds of Linux (kernel) security advisories that appear each year?
Granted, they are fixed in record time but still are vulnerabilities none the less.
Time to get real folks!
People will forget that this bug is not associated with the one from 2004 and some will continue to argue, months from now, that nvidia had an unsafe driver for 2 years with awareness of the security problem.
From nvidia answers:
“NVIDIA can confirm that this bug is only present in the NVIDIA UNIX Graphics drivers 1.0-8762 and 1.0-8774, and is fixed starting with 1.0-8776. Also, this bug is not present in driver versions older than 1.0-8762. For example, versions 1.0-8178 or 1.0-7184 are not affected by this bug.
There is some confusion between this NVIDIA driver bug and a previously fixed core XFree86/X.Org server bug. This confusion mistakenly led the security advisory to the conclusion that the NVIDIA driver bug was reported and known as early as 2004.”