Debian Bug report logs - #668780
pu: package nvidia-graphics-drivers/195.36.31-6squeeze1

version graph

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Andreas Beckmann <debian@abeckmann.de>

Date: Sat, 14 Apr 2012 11:00:02 UTC

Severity: normal

Tags: confirmed, pending, squeeze

Fixed in version 6.0.6

Done: Adam D. Barratt <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, pkg-nvidia-devel@lists.alioth.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#668780; Package release.debian.org. (Sat, 14 Apr 2012 11:00:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Beckmann <debian@abeckmann.de>:
New Bug report received and forwarded. Copy sent to pkg-nvidia-devel@lists.alioth.debian.org, Debian Release Team <debian-release@lists.debian.org>. (Sat, 14 Apr 2012 11:00:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Andreas Beckmann <debian@abeckmann.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package nvidia-graphics-drivers/195.36.31-6squeeze1
Date: Sat, 14 Apr 2012 12:57:58 +0200
[Message part 1 (text/plain, inline)]
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release managers,

we would like to update the nvidia-graphics-drivers [non-free] package
in squeeze. There are two security patches from NVIDIA to be applied,
but since there is no security support for non-free, we target s-p-u.
Furthermore I updated bug-script and bug-control to collect more useful
information in bug reports.

  * Security fix (backported from 195.36.31-7).  (Closes: #609338)
    Apply upstream patch NVIDIA_kernel-260.19.34-778465.diff to fix
    information leak in the kernel module: kernel memory was returned
    uninitialized to user space.

  * CVE-2012-0946 (backported from 295.40-1):
    Add upstream patch nvidia-blacklist-register-mapping-195.diff:
    Closed a security vulnerability which made it possible for attackers to
    reconfigure GPUs to gain access to arbitrary system memory. For further
    details, see: http://nvidia.custhelp.com/app/answers/detail/a_id/3109

  * Let the bug-script collect detailed information about OpenGL and NVIDIA
    libraries and their symlinks, diversions and alternatives currently found
    on the system.  Also list files remaining from using the nvidia-installer.
    Report status of more related packages.

As a followup to this update the nvidia-graphics-modules package
(prebuilt binary kernel modules) needs to be updated, too.


Andreas
[195.36.31-6squeeze1.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#668780; Package release.debian.org. (Sat, 14 Apr 2012 12:04:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 14 Apr 2012 12:04:25 GMT) Full text and rfc822 format available.

Message #10 received at 668780@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Andreas Beckmann <debian@abeckmann.de>
Cc: 668780@bugs.debian.org
Subject: Re: Bug#668780: pu: package nvidia-graphics-drivers/195.36.31-6squeeze1
Date: Sat, 14 Apr 2012 12:59:01 +0100
tags 668780 + squeeze confirmed
thanks

On Sat, 2012-04-14 at 12:57 +0200, Andreas Beckmann wrote:
>   * Security fix (backported from 195.36.31-7).  (Closes: #609338)
>     Apply upstream patch NVIDIA_kernel-260.19.34-778465.diff to fix
>     information leak in the kernel module: kernel memory was returned
>     uninitialized to user space.
> 
>   * CVE-2012-0946 (backported from 295.40-1):
>     Add upstream patch nvidia-blacklist-register-mapping-195.diff:
>     Closed a security vulnerability which made it possible for attackers to
>     reconfigure GPUs to gain access to arbitrary system memory. For further
>     details, see: http://nvidia.custhelp.com/app/answers/detail/a_id/3109
> 
>   * Let the bug-script collect detailed information about OpenGL and NVIDIA
>     libraries and their symlinks, diversions and alternatives currently found
>     on the system.  Also list files remaining from using the nvidia-installer.
>     Report status of more related packages.

Thanks for working on fixing this in stable.  fwiw, "-6+squeeze1" is
more conventional, although it's unlikely to make a difference in this
case.  Please feel free to go ahead with the upload.

Are the n-g-d-legacy-* packages likely to be affected by these issues as
well?

> As a followup to this update the nvidia-graphics-modules package
> (prebuilt binary kernel modules) needs to be updated, too.

Okay.  Please could you open a second bug for that?

Regards,

Adam





Added tag(s) squeeze and confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 14 Apr 2012 12:04:33 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#668780; Package release.debian.org. (Thu, 19 Apr 2012 09:59:51 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Beckmann <debian@abeckmann.de>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 19 Apr 2012 09:59:52 GMT) Full text and rfc822 format available.

Message #17 received at 668780@bugs.debian.org (full text, mbox):

From: Andreas Beckmann <debian@abeckmann.de>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 668780@bugs.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>
Subject: Re: Bug#668780: pu: package nvidia-graphics-drivers/195.36.31-6squeeze1
Date: Thu, 19 Apr 2012 11:00:43 +0200
On 2012-04-14 13:59, Adam D. Barratt wrote:
> Thanks for working on fixing this in stable.  fwiw, "-6+squeeze1" is
> more conventional, although it's unlikely to make a difference in this
> case.  Please feel free to go ahead with the upload.

I'm not exactly sure whether the nvidia-graphics-modules packages in
squeeze would work with "-6+squeeze1", but it does work with "-6squeeze1".

I'm hesitating with an upload because Nvidia recommends not to use the
patch for a lot of older GPUs due to regressions:

http://www.nvnews.net/vbulletin/showthread.php?t=178460

  *** Please do not use 295.40 or the security patch with GeForce 6, 7
      or 8800GTX/GTS cards ***
  We have been made aware of an interaction problem between the fix
  contained in the newest release any any card with a chip older than
  G80, inclusive. This includes the full GeForce 6 and 7 series as well
  as GeForce 8800GTX and first-gen 8800GTS. We are actively working on
  resolving this issue and will provide an update as soon as possible.
  The symptoms can include graphical corruption, performance issues,
  crashes and temporary hangs.
  The release should be perfectly safe to use with more recent cards
  than that; I'll update this thread ASAP.

The driver in squeeze-backports has been patched to fix this issue and
may be an option for users of the newer cards.
There are several further regressions in the driver version in
testing/unstable (295.40 as well as its 290.xx/295.xx predecessors),
therefore squeeze-backports is still at 275.xx.

> Are the n-g-d-legacy-* packages likely to be affected by these issues as
> well?

The 173xx driver should be affected as it supports several CUDA/vdpau
capable cards, although owners of these cards should be using a newer
driver instead ...

96xx series should be save.


Andreas

PS: will I be able to do the upload myself or does it need to be
sponsored? I'm DM and have DMUA in the packages in sid, but there are a
few transitional packages in squeeze that are no longer built.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#668780; Package release.debian.org. (Mon, 23 Apr 2012 05:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 23 Apr 2012 05:15:03 GMT) Full text and rfc822 format available.

Message #22 received at 668780@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Andreas Beckmann <debian@abeckmann.de>, 668780@bugs.debian.org
Cc: Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>
Subject: Re: Bug#668780: pu: package nvidia-graphics-drivers/195.36.31-6squeeze1
Date: Mon, 23 Apr 2012 06:09:20 +0100
On Thu, 2012-04-19 at 11:00 +0200, Andreas Beckmann wrote:
> On 2012-04-14 13:59, Adam D. Barratt wrote:
> > Thanks for working on fixing this in stable.  fwiw, "-6+squeeze1" is
> > more conventional, although it's unlikely to make a difference in this
> > case.  Please feel free to go ahead with the upload.
> 
> I'm not exactly sure whether the nvidia-graphics-modules packages in
> squeeze would work with "-6+squeeze1", but it does work with "-6squeeze1".

I didn't immediately spot a reason why it shouldn't, but you know the
package better, so okay.

> I'm hesitating with an upload because Nvidia recommends not to use the
> patch for a lot of older GPUs due to regressions:
> 
> http://www.nvnews.net/vbulletin/showthread.php?t=178460

Yay. :-/

> PS: will I be able to do the upload myself or does it need to be
> sponsored? I'm DM and have DMUA in the packages in sid, but there are a
> few transitional packages in squeeze that are no longer built.

I think it works, as long as the latest unstable/experimental upload has
the flag set.  There's one way to find out for sure... ;-)

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#668780; Package release.debian.org. (Sat, 16 Jun 2012 14:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 16 Jun 2012 14:33:03 GMT) Full text and rfc822 format available.

Message #27 received at 668780@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Andreas Beckmann <debian@abeckmann.de>, 668780@bugs.debian.org
Cc: Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>
Subject: Re: Bug#668780: pu: package nvidia-graphics-drivers/195.36.31-6squeeze1
Date: Sat, 16 Jun 2012 15:27:29 +0100
On Thu, 2012-04-19 at 11:00 +0200, Andreas Beckmann wrote:
> I'm hesitating with an upload because Nvidia recommends not to use the
> patch for a lot of older GPUs due to regressions:
> 
> http://www.nvnews.net/vbulletin/showthread.php?t=178460
> 
>   *** Please do not use 295.40 or the security patch with GeForce 6, 7
>       or 8800GTX/GTS cards ***
[...]
>   The symptoms can include graphical corruption, performance issues,
>   crashes and temporary hangs.
>   The release should be perfectly safe to use with more recent cards
>   than that; I'll update this thread ASAP.

I see that the package has now appeared in p-u-NEW.  Does this mean that
the above issue was resolved, or that you decided it wasn't an issue
after all?

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#668780; Package release.debian.org. (Sat, 16 Jun 2012 15:09:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Beckmann <debian@abeckmann.de>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 16 Jun 2012 15:09:10 GMT) Full text and rfc822 format available.

Message #32 received at 668780@bugs.debian.org (full text, mbox):

From: Andreas Beckmann <debian@abeckmann.de>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 668780@bugs.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>
Subject: Re: Bug#668780: pu: package nvidia-graphics-drivers/195.36.31-6squeeze1
Date: Sat, 16 Jun 2012 17:06:29 +0200
On 2012-06-16 16:27, Adam D. Barratt wrote:
> On Thu, 2012-04-19 at 11:00 +0200, Andreas Beckmann wrote:
>> I'm hesitating with an upload because Nvidia recommends not to use the
>> patch for a lot of older GPUs due to regressions:
>>
>> http://www.nvnews.net/vbulletin/showthread.php?t=178460

> I see that the package has now appeared in p-u-NEW.  Does this mean that
> the above issue was resolved, or that you decided it wasn't an issue
> after all?

There hasn't been conclusive information on this issue by Nvidia and no
updates have appeared for the security patches.

But there have been regressions found and fixed in 295.49 that affected
the older GeForce 6, 7, etc. cards, but that were unrelated to the
security fix.

So I assume the security fix is OK for the older cards as well (causing
no regressions) and uploaded the package.
Now I'm also preparing an update for nvidia-graphics-drivers-legacy-173xx.


Andreas




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#668780; Package release.debian.org. (Mon, 02 Jul 2012 20:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 02 Jul 2012 20:09:03 GMT) Full text and rfc822 format available.

Message #37 received at 668780@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Andreas Beckmann <debian@abeckmann.de>, 668780@bugs.debian.org
Cc: Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>
Subject: Re: Bug#668780: pu: package nvidia-graphics-drivers/195.36.31-6squeeze1
Date: Mon, 02 Jul 2012 21:04:38 +0100
tag 668780 + pending
thanks

On Sat, 2012-06-16 at 17:06 +0200, Andreas Beckmann wrote:
> On 2012-06-16 16:27, Adam D. Barratt wrote:
> > On Thu, 2012-04-19 at 11:00 +0200, Andreas Beckmann wrote:
> >> http://www.nvnews.net/vbulletin/showthread.php?t=178460
> 
> > I see that the package has now appeared in p-u-NEW.  Does this mean that
> > the above issue was resolved, or that you decided it wasn't an issue
> > after all?
> 
> There hasn't been conclusive information on this issue by Nvidia and no
> updates have appeared for the security patches.
> 
> But there have been regressions found and fixed in 295.49 that affected
> the older GeForce 6, 7, etc. cards, but that were unrelated to the
> security fix.
> 
> So I assume the security fix is OK for the older cards as well (causing
> no regressions) and uploaded the package.

Okay; thanks.  I've just flagged the package for acceptance in to
p-u-NEW; sorry for the delay.

> Now I'm also preparing an update for nvidia-graphics-drivers-legacy-173xx.

How's that going?

Regards,

Adam





Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Mon, 02 Jul 2012 20:09:10 GMT) Full text and rfc822 format available.

Marked as fixed in versions 6.0.6. Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 29 Sep 2012 14:03:09 GMT) Full text and rfc822 format available.

Marked Bug as done Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 29 Sep 2012 14:03:10 GMT) Full text and rfc822 format available.

Notification sent to Andreas Beckmann <debian@abeckmann.de>:
Bug acknowledged by developer. (Sat, 29 Sep 2012 14:03:11 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Oct 2012 07:31:58 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 19:42:27 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.