Debian Long Term Support / LTS Security Information / 2023 / Security Information -- DLA-3418-1 nvidia-graphics-drivers-legacy-390xx

Debian Security Advisory

DLA-3418-1 nvidia-graphics-drivers-legacy-390xx -- LTS security update

Date Reported:

11 May 2023

Affected Packages:

nvidia-graphics-drivers-legacy-390xx

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 1025281.
In Mitre's CVE dictionary: CVE-2022-34670, CVE-2022-34674, CVE-2022-34675, CVE-2022-34677, CVE-2022-34680, CVE-2022-42257, CVE-2022-42258, CVE-2022-42259.

More information:

NVIDIA has released a software security update for the NVIDIA GPU Display Driver R390 linux driver branch. This update addresses issues that may lead to denial of service, escalation of privileges, information disclosure, data tampering or undefined behavior.

• CVE-2022-34670

  NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure.

• CVE-2022-34674

  NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where a helper function maps more physical pages than were requested, which may lead to undefined behavior or an information leak.

• CVE-2022-34675

  NVIDIA Display Driver for Linux contains a vulnerability in the Virtual GPU Manager, where it does not check the return value from a null-pointer dereference, which may lead to denial of service.

• CVE-2022-34677

  NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause an integer to be truncated, which may lead to denial of service or data tampering.

• CVE-2022-34680

  NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer truncation can lead to an out-of-bounds read, which may lead to denial of service.

• CVE-2022-42257

  NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure, data tampering or denial of service.

• CVE-2022-42258

  NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service, data tampering, or information disclosure.

• CVE-2022-42259

  NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service.

For Debian 10 buster, these problems have been fixed in version 390.157-1~deb10u1.

We recommend that you upgrade your nvidia-graphics-drivers-legacy-390xx packages.

For the detailed security status of nvidia-graphics-drivers-legacy-390xx please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nvidia-graphics-drivers-legacy-390xx

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS