[Secure-testing-team] Bug#704547: CVE-2013-0131: NVIDIA UNIX GPU Driver ARGB Cursor Buffer Overflow in "NoScanout" Mode.

Andreas Beckmann anbe at debian.org
Tue Apr 2 20:06:05 UTC 2013


Package: nvidia-glx
Version: 195.36.24-1
Severity: critical
Tags: security
Justification: root security hole

Quoting from

  http://nvidia.custhelp.com/app/answers/detail/a_id/3290

When the NVIDIA driver for the X Window System is operated in
"NoScanout" mode, and an X client installs an ARGB cursor that is larger
than the expected size (64x64 or 256x256, depending on the driver
version), the driver will overflow a buffer. This can cause a denial of
service (e.g., an X server segmentation fault), or could be exploited to
achieve arbitrary code execution. Because the X server runs as setuid
root in many configurations, an attacker could potentially use this
vulnerability in those configurations to gain root privileges.  To
install an ARGB cursor, an application would require a connection to a
running X server. Normally, X servers are configured to only accept
authenticated connections from the local host, but some X servers may be
configured to more permissively allow connections, and/or to allow
connections over a network. 

"NoScanout" mode is enabled implicitly on NVIDIA products which lack
display output connectors, and can be enabled explicitly on some other
configurations with the X configuration option:

Option "UseDisplayDevice" "none"

NVIDIA GPU drivers for OSes other than Linux, FreeBSD, VMware ESX, and
Solaris are not affected.

This vulnerability has been present since NVIDIA driver version 195.22.
The overflow is fixed in 304.88, 310.44, 313.30, and all drivers newer
than those versions.  NVIDIA recommends that users upgrade to a fixed
driver version, or disable NoScanout mode, where possible. 

This vulnerability was identified by NVIDIA. There are no known reports
of exploits of this vulnerability in the wild. 



Vulnerable versions in Debian:

 nvidia-graphics-drivers | 195.36.31-6squeeze2 | squeeze/non-free           | source
 nvidia-graphics-drivers | 295.59-1~bpo60+2    | squeeze-backports/non-free | source
 nvidia-graphics-drivers | 304.64-4            | wheezy/non-free            | source
 nvidia-graphics-drivers | 304.84-1            | sid/non-free               | source
 nvidia-graphics-drivers | 313.26-1            | experimental/non-free      | source

sid and experimental will be fixed by new upstream versions to be
uploaded later today or tomorrow. No fix will be possible for squeeze
and squeeze-backports (as this is a closed source driver and these
"ancient" versions are no longer supported).


Andreas
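A small check for the two conditions the quoted advisory names (a driver version inside the affected range, and NoScanout enabled explicitly through Option "UseDisplayDevice" "none"), added here as an example; it is not part of the bug report or of NVIDIA's advisory. The version boundaries (present since 195.22; fixed in 304.88, 310.44, 313.30 and newer) come from the advisory text above. Everything else is an assumption: driver branches the advisory does not list (295.x, 302.x, ...) are treated as vulnerable, Debian revisions after the first "-" are ignored, the xorg.conf matching is a simplified case-insensitive line match, and the sample configuration is constructed for the example.

```python
"""Check a driver version string and an xorg.conf fragment against the
CVE-2013-0131 advisory text (added example, not part of the bug report)."""
import re

# Boundaries quoted from the advisory: present since 195.22; fixed in
# 304.88, 310.44, 313.30 and all newer drivers.
FIRST_AFFECTED = (195, 22)
FIXED_IN = {304: (304, 88), 310: (310, 44), 313: (313, 30)}
HIGHEST_FIXED_BRANCH = 313  # assumption: every branch above this is "newer"


def parse_version(ver):
    """Turn '195.36.24-1' or '295.59-1~bpo60+2' into a tuple of ints.

    The Debian revision after the first '-' is dropped (assumption: the
    upstream part alone decides whether the overflow is present)."""
    upstream = ver.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", upstream):
        raise ValueError(f"unrecognised driver version: {ver!r}")
    return tuple(int(p) for p in upstream.split("."))


def is_vulnerable(ver):
    """True if the advisory's ranges put this driver version at risk.

    Branches between 195.22 and the fixed branches that the advisory does
    not mention (assumption) are treated as vulnerable, which errs on the
    side of flagging a driver rather than clearing it."""
    v = parse_version(ver)
    if v < FIRST_AFFECTED:
        return False
    branch = v[0]
    if branch > HIGHEST_FIXED_BRANCH:
        return False
    fixed = FIXED_IN.get(branch)
    if fixed is not None and v >= fixed:
        return False
    return True


# Matches an uncommented 'Option "UseDisplayDevice" "none"' line. This is a
# simplification (assumption): it ignores the X server's full option-name
# normalisation, and it cannot see the implicit NoScanout mode that the
# advisory says is active on GPUs without display connectors.
_NOSCANOUT_RE = re.compile(
    r'^\s*Option\s+"UseDisplayDevice"\s+"none"\s*$',
    re.IGNORECASE | re.MULTILINE,
)


def noscanout_enabled(xorg_conf_text):
    """True if the config explicitly selects NoScanout mode."""
    return _NOSCANOUT_RE.search(xorg_conf_text) is not None


def assess(ver, xorg_conf_text):
    """Combine both checks into one verdict string."""
    vuln = is_vulnerable(ver)
    explicit = noscanout_enabled(xorg_conf_text)
    if not vuln:
        return "fixed driver"
    if explicit:
        return "vulnerable: affected driver and NoScanout enabled explicitly"
    return ("affected driver; NoScanout not set in config "
            "(still implicit on GPUs without display connectors)")


# Constructed sample configuration for the example.
SAMPLE_XORG_CONF = """\
Section "Device"
    Identifier "Device0"
    Driver     "nvidia"
    # Option "UseDisplayDevice" "DFP-0"
    Option     "UseDisplayDevice" "none"
EndSection
"""

if __name__ == "__main__":
    # Versions from the Debian table in the bug report above.
    for v in ("195.36.31-6squeeze2", "295.59-1~bpo60+2", "304.64-4",
              "304.84-1", "313.26-1", "304.88-1", "319.12-1"):
        print(f"{v:22} {assess(v, SAMPLE_XORG_CONF)}")
```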


