NVIDIA has released version 1.0-8776 of their Linux display driver for 32-bit and 64-bit x86 architectures. The main change is a fix for a previously disclosed buffer overflow vulnerability; NVIDIA also has a knowledgebase article about the issue:
In summary, the accurate history of this issue is as follows:
1. NVIDIA was made aware of a problem with our 1.0-8774 driver that caused an X Server crash in July 2006 through a posting on nvnews.net. The problem was not identified as a security risk.
2. We debugged and fixed the issue, and included it, along with many other bug fixes, in the Release 95 series. 1.0-9625 was released on September 21, 2006 as a beta driver on nZone.com http://www.nzone.com/object/nzone_downloads_rel70betadriver.html.
3. We were informed on Monday, October 16th, that the problem posed a security risk. NVIDIA is releasing an updated driver from our stable Release 85 series, 1.0-8776, on Thursday, October 19, 2006, which includes the bug fix.
4. We encourage users of NVIDIA graphics driver version 1.0-8762 or 1.0-8774 to upgrade to 1.0-8776, available here: http://www.nvidia.com/object/unix.html
While we have no record of Rapid7 contacting us prior to their announcement, NVIDIA does provide a technical contact to security firms to inform us of potential security issues. We encourage anyone that has identified what they believe to be a security issue with an NVIDIA driver to directly contact our UNIX Graphics Driver security email alias, firstname.lastname@example.org, to report and evaluate any potential issues prior to publishing a public security advisory.
NVIDIA is committed to providing robust, secure graphics drivers for Linux, Solaris, and FreeBSD. We encourage anyone encountering issues with our driver to work with us through the http://www.nvnews.net forums to help us collect the information needed to investigate and resolve issues in our driver.
We look forward to working with the professional security community in the future to make our driver more robust and secure.