NVIDIA Linux Driver 1.0-8776
October 22nd, 2006 by CrusaderNVIDIA has released version 1.0-8776 of their Linux display driver for 32-bit and 64-bit x86 architectures. The main change is a fix for a previously disclosed buffer overflow vulnerability; NVIDIA also has a knowledgebase article about the issue:
In summary, the accurate history of this issue is as follows:
1. NVIDIA was made aware of a problem with our 1.0-8774 driver that caused an X Server crash on July 2006 through a posting on nvnews.net. The problem was not identified as a security risk.
2. We debugged and fixed the issue, and included it, along with many other bug fixes, in the Release 95 series. 1.0-9625 was released on September 21, 2006 as a beta driver on nZone.com http://www.nzone.com/object/nzone_downloads_rel70betadriver.html.
3. We were informed on Monday, October 16th, that the problem posed a security risk. NVIDIA is releasing an updated driver from our stable Release 85 series, 1.0-8776, on Thursday, October 19, 2006, which includes the bug fix.
4. We encourage users of NVIDIA graphics driver version 1.0-8762 or 1.0-8774 to upgrade to 1.0-8776, available here: http://www.nvidia.com/object/unix.html
While we have no record of Rapid7 contacting us prior to their announcement, NVIDIA does provide a technical contact to security firms to inform us of potential security issues. We encourage anyone that has identified what they believe to be a security issue with an NVIDIA driver to directly contact our UNIX Graphics Driver security email alias, unix-security@nvidia.com, to report and evaluate any potential issues prior to publishing a public security advisory.
NVIDIA is committed to providing robust, secure graphics drivers for Linux, Solaris, and FreeBSD. We encourage anyone encountering issues with our driver to work with us through the http://www.nvnews.net forums to help us collect the information needed to investigate and resolve issues in our driver.
We look forward to working with the professional security community in the future to make our driver more robust and secure.
There’s also the README (although that’s not rendering properly for me at the moment).
Download: [ 32-bit | 64-bit ]
October 22nd, 2006 at 4:20 pm
It’s pretty interesting to know that no only did Rapid7 made up this “known since 2004″ bullshit, they never contacted nVidia to actually TELL THEM ABOUT THE SECURITY ISSUE.
Basically Rapid7 took this security issue as an opportunity to spread propaganda about binary modules (or “blobs” in troll-speak) being less secure. HAY LOOK GUYZ NVIDIOT WANTS TO COMPROMISE YOUR SECURITY BECAUSE THEY HAEV BUGZ WE DON’T TELL THEM ABOUT!!1
It’s only a matter of time before nVidia completely gives up on Linux because of this kind of hostile behavior.
October 22nd, 2006 at 4:31 pm
How do you know that Rapid7 made it up?
October 28th, 2006 at 5:29 pm
Hey, what about the legacy driver for older cards? Will it be updated?
October 30th, 2006 at 1:43 pm
That’s what I was wondering, until I looked at prices for GF 4 Ti cards. Then realized an el cheapo 6 or 7 series would likely cost nearly the same, until I came to the conclusion I’d get overcharged. Then I noticed FireGL 8700 for $5 USD makes whole lot more sense for [my] budget, and I’d get 16X AF and xvidix etc. (Hoping AF is still not the lamo LOD hackish effect it was 3 years ago grrR).
Anyway some people may find it interesting to know that games you normally wouldn’t think would run on those “legacy” nvidia cards are quite playable; such as the GF 2 Ultra aka ‘BladeRunner’ I have plays UT2003! lol!
October 30th, 2006 at 1:47 pm
I’ll tell you what’s sad – ‘mainstream’ cards costing 100-150 USD, *that* is what’s sad.
No, noone in their right mind would consider a card with less than 128-bit memory interface to be ‘mainstream’.
Middle class cut right out of the comp sec, wtf?
_meh_