Bugtraq mailing list archives
[ GLSA 200611-03 ] NVIDIA binary graphics driver: Privilege escalation vulnerability
From: Raphael Marichez <falco () gentoo org>
Date: Tue, 7 Nov 2006 23:24:18 +0100
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200611-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: NVIDIA binary graphics driver: Privilege escalation vulnerability Date: November 07, 2006 Bugs: #151635 ID: 200611-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== The NVIDIA binary graphics driver is vulnerable to a local privilege escalation through an X session. Background ========== The NVIDIA binary graphics driver from NVIDIA Corporation provides the kernel module and the GL modules for graphic acceleration on the NVIDIA based graphic cards. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 x11-drivers/nvidia-drivers < 1.0.8776 >= 1.0.8776 < 1.0-8762 Description =========== Rapid7 reported a boundary error in the NVIDIA binary graphics driver that leads to a buffer overflow in the accelerated rendering functionality. Impact ====== An X client could trigger the buffer overflow with a maliciously crafted series of glyphs. A remote attacker could also entice a user to open a specially crafted web page, document or X client that will trigger the buffer overflow. This could result in the execution of arbitrary code with root privileges or at least in the crash of the X server. Workaround ========== Disable the accelerated rendering functionality in the Device section of xorg.conf : Option "RenderAccel" "false" Resolution ========== NVIDIA binary graphics driver users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-1.0.8776" References ========== [ 1 ] CVE-2006-5379 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5379 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200611-03.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
Attachment:
_bin
Description:
Current thread:
- [ GLSA 200611-03 ] NVIDIA binary graphics driver: Privilege escalation vulnerability Raphael Marichez (Nov 07)
- Re: [ GLSA 200611-03 ] NVIDIA binary graphics driver: Privilege escalation vulnerability Nick Boyce (Nov 13)
- Re: [ GLSA 200611-03 ] NVIDIA binary graphics driver: Privilege escalation vulnerability Raphael Marichez (Nov 13)
- Re: [ GLSA 200611-03 ] NVIDIA binary graphics driver: Privilege escalation vulnerability Nick FitzGerald (Nov 14)
- Re: [ GLSA 200611-03 ] NVIDIA binary graphics driver: Privilege escalation vulnerability Glynn Clements (Nov 14)
- Re: [ GLSA 200611-03 ] NVIDIA binary graphics driver: Privilege escalation vulnerability Raphael Marichez (Nov 13)
- Re: [ GLSA 200611-03 ] NVIDIA binary graphics driver: Privilege escalation vulnerability Nick Boyce (Nov 13)