Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
Security update for CVE-2014-8298 (the NVIDIA part of DSA-3095-1)
requires a new upstream version ... I expect as with the previous
updates no DSA will be issued for non-free packages.
The changelog has grown a bit by adding missing ancient history bits.
The UNRELEASED entries have not been folded since the BTS already knows
about these versions and usually gets a bit confused if they disappear
from the history.
conftest.h is a reimplementation of NVIDIA's conftest.sh script (that
does not work reliably on Debian kernel header packages) and is unified
for all driver releases. The changelog mentions the upstream version
where a new test appeared for the first time (often beta releases), but
most of them get backported by NVIDIA to other release branches later
on (but I don't keep detailed track of them).
There is a typo fix in d/copyright that was merged from sid long ago,
but missed in the changelog.
As a followup we also need to update nvidia-graphics-modules once
nvidia-graphics-drivers is in wheezy-pu.
Andreas
Index: debian/module/conftest.h
===================================================================
--- debian/module/conftest.h (.../tags/304.117-1) (revision 5210)
+++ debian/module/conftest.h (.../branches/304) (revision 5210)
@@ -1,4 +1,4 @@
-/* synchronized with conftest.sh from 331.20, 325.15, 319.72, 304.116, 295.75, 173.14.38, 96.43.23, 71.86.15 */
+/* synchronized with conftest.sh from 346.22, 343.36, 340.65, 319.82, 304.125, 173.14.39, 96.43.23, 71.86.15 */
#ifndef LINUX_VERSION_CODE
#include <linux/version.h>
@@ -91,6 +91,13 @@
#undef NV_PCI_GET_DOMAIN_BUS_AND_SLOT_PRESENT
#endif
+/* Implement conftest.sh function pci_save_state */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,10)
+ #define NV_PCI_SAVE_STATE_ARGUMENT_COUNT 1
+#else
+ #define NV_PCI_SAVE_STATE_ARGUMENT_COUNT 2
+#endif
+
/* Implement conftest.sh function remap_pfn_range */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,10)
#define NV_REMAP_PFN_RANGE_PRESENT
@@ -108,6 +115,13 @@
#define NV_AGP_BACKEND_ACQUIRE_ARGUMENT_COUNT 0
#endif
+/* Implement conftest.sh function follow_pfn */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
+ #define NV_FOLLOW_PFN_PRESENT
+#else
+ #undef NV_FOLLOW_PFN_PRESENT
+#endif
+
/* Implement conftest.sh function vmap */
/* I can not find any released kernel that uses the 2 argument variant */
/* of vmap */
@@ -174,6 +188,14 @@
#undef NV_ACPI_DEVICE_OPS_HAS_MATCH
#endif
+/* Implement conftest.sh function acpi_op_remove */
+/* All versions since 2.6.0 have this, didn't check earlier kernels */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,9,0)
+ #define NV_ACPI_DEVICE_OPS_REMOVE_ARGUMENT_COUNT 1
+#else
+ #define NV_ACPI_DEVICE_OPS_REMOVE_ARGUMENT_COUNT 2
+#endif
+
/* Implement conftest.sh function acpi_device_id */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23)
#define NV_ACPI_DEVICE_ID_HAS_DRIVER_DATA
@@ -182,8 +204,6 @@
#endif
/* Implement conftest.sh function acquire_console_sem */
-// 2.6.38 renamed {acquire,release}_console_sem() to console_{,un}lock()
-// but NVIDIA neither checks for these new names nor uses them
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,10) && \
LINUX_VERSION_CODE < KERNEL_VERSION(2,6,38)
#define NV_ACQUIRE_CONSOLE_SEM_PRESENT
@@ -191,6 +211,13 @@
#undef NV_ACQUIRE_CONSOLE_SEM_PRESENT
#endif
+/* Implement conftest.sh function console_lock */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,38)
+ #define NV_CONSOLE_LOCK_PRESENT
+#else
+ #undef NV_CONSOLE_LOCK_PRESENT
+#endif
+
/* Implement conftest.sh function kmem_cache_create */
/* Only kernels sometime before 2.4.0 don't have this function, and who */
/* cares anymore */
@@ -361,7 +388,7 @@
#endif
/* Implement conftest.sh function drm_available */
-#if 0
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,9,0) && IS_ENABLED(CONFIG_DRM)
#define NV_DRM_AVAILABLE
#else
#undef NV_DRM_AVAILABLE
@@ -401,7 +428,26 @@
#else
#undef NV_VM_OPERATIONS_STRUCT_HAS_FAULT
#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,27)
+ #define NV_VM_OPERATIONS_STRUCT_HAS_ACCESS
+#else
+ #undef NV_VM_OPERATIONS_STRUCT_HAS_ACCESS
+#endif
+/* Implement conftest.sh function fault_flags */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23)
+ #define NV_FAULT_FLAG_PRESENT
+#else
+ #undef NV_FAULT_FLAG_PRESENT
+#endif
+
+/* Implement conftest.sh function atomic64_type */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
+ #define NV_ATOMIC64_PRESENT
+#else
+ #undef NV_ATOMIC64_PRESENT
+#endif
+
/* Implement conftest.sh function task_struct */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,29)
#define NV_TASK_STRUCT_HAS_CRED
@@ -424,6 +470,53 @@
#undef NV_ADDRESS_SPACE_INIT_ONCE_PRESENT
#endif
+/* Implement conftest.sh function kbasename */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,8,0)
+ #define NV_KBASENAME_PRESENT
+#else
+ #undef NV_KBASENAME_PRESENT
+#endif
+
+/* Implement conftest.sh function fatal_signal_pending */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)
+ #define NV_FATAL_SIGNAL_PENDING_PRESENT
+#else
+ #undef NV_FATAL_SIGNAL_PENDING_PRESENT
+#endif
+
+/* Implement conftest.sh function kuid_t */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,5,0)
+ #define NV_KUID_T_PRESENT
+#else
+ #undef NV_KUID_T_PRESENT
+#endif
+
+/* Implement conftest.sh function pm_vt_switch_required */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,10,0)
+ #define NV_PM_VT_SWITCH_REQUIRED_PRESENT
+#else
+ #undef NV_PM_VT_SWITCH_REQUIRED_PRESENT
+#endif
+
+/* Implement conftest.sh function sg_table */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)
+ #define NV_SG_TABLE_PRESENT
+#else
+ #undef NV_SG_TABLE_PRESENT
+#endif
+
+/* Implement conftest.sh function sg_alloc_table */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)
+ #define NV_SG_ALLOC_TABLE_PRESENT
+#else
+ #undef NV_SG_ALLOC_TABLE_PRESENT
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,6,0)
+ #define NV_SG_ALLOC_TABLE_FROM_PAGES_PRESENT
+#else
+ #undef NV_SG_ALLOC_TABLE_FROM_PAGES_PRESENT
+#endif
+
/* Implement conftest.sh function sg_init_table */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24)
#define NV_SG_INIT_TABLE_PRESENT
@@ -446,12 +539,19 @@
#endif
/* Check for drm/drmP.h */
-#if 1
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,27)
#define NV_DRM_DRMP_H_PRESENT
#else
#undef NV_DRM_DRMP_H_PRESENT
#endif
+/* Check for drm/drm_gem.h */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,18,0)
+ #define NV_DRM_DRM_GEM_H_PRESENT
+#else
+ #undef NV_DRM_DRM_GEM_H_PRESENT
+#endif
+
/* Check for generated/autoconf.h */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,33)
#define NV_GENERATED_AUTOCONF_H_PRESENT
Index: debian/module/debian/patches/use-nv-kernel.o.ARCH.patch
===================================================================
--- debian/module/debian/patches/use-nv-kernel.o.ARCH.patch (.../tags/304.117-1) (revision 5210)
+++ debian/module/debian/patches/use-nv-kernel.o.ARCH.patch (.../branches/304) (revision 5210)
@@ -5,16 +5,14 @@
makes the build system select the correct one depending on the kernel
architecture the module is built for.
-Index: b/Makefile.kbuild
-===================================================================
---- a/Makefile.kbuild 2011-12-22 10:20:25.000000000 +0100
-+++ b/Makefile.kbuild 2012-01-02 19:05:47.959041768 +0100
-@@ -43,7 +43,7 @@
+--- a/Makefile.kbuild
++++ b/Makefile.kbuild
+@@ -43,7 +43,7 @@ VERSION_HEADER := nv_compiler.h
# understands that we want a module.
#
-CORE_OBJS := nv-kernel.o
+CORE_OBJS := nv-kernel.o$(NVARCH)
- RESMAN_GLUE_OBJS := $(patsubst %.c,%.o,nv.c nv-acpi.c nv-chrdev.c nv-cray.c nv-gvi.c nv-i2c.c nv-mempool.c nv-mlock.c nv-mmap.c nv-p2p.c nv-pat.c nv-procfs.c nv-usermap.c nv-vm.c nv-vtophys.c os-agp.c os-interface.c os-mtrr.c os-registry.c os-smp.c os-usermap.c)
+ RESMAN_GLUE_OBJS := $(patsubst %.c,%.o,nv.c nv-acpi.c nv-chrdev.c nv-cray.c nv-drm.c nv-gvi.c nv-i2c.c nv-mempool.c nv-mlock.c nv-mmap.c nv-p2p.c nv-pat.c nv-procfs.c nv-usermap.c nv-vm.c nv-vtophys.c os-agp.c os-interface.c os-mtrr.c os-registry.c os-smp.c os-usermap.c)
$(MODULE_NAME)-objs := $(CORE_OBJS) $(RESMAN_GLUE_OBJS)
Index: debian/copyright
===================================================================
--- debian/copyright (.../tags/304.117-1) (revision 5210)
+++ debian/copyright (.../branches/304) (revision 5210)
@@ -28,7 +28,7 @@
© 2011-2013 Andreas Beckmann <a...@debian.org>
License: GPL-2.0+
-Files: debian/modules/debian/patches/*
+Files: debian/module/debian/patches/*
Copyright: no copyright notice, see License
License: anbe-public-domain
The authors hereby relinquish any claim to any copyright that they may
Index: debian/changelog
===================================================================
--- debian/changelog (.../tags/304.117-1) (revision 5210)
+++ debian/changelog (.../branches/304) (revision 5210)
@@ -1,3 +1,73 @@
+nvidia-graphics-drivers (304.125-1) wheezy; urgency=medium
+
+ * New upstream legacy 304xx branch release 304.125 (2014-12-05).
+ * Fixes CVE-2014-8298. (Closes: #772971)
+ - Added support for X.Org xserver ABI 19 (xorg-server 1.17).
+ - Improved compatibility with recent Linux kernels.
+ - Implemented support for disabling indirect GLX context creation using
+ the -iglx option available on X.Org server release 1.16 and newer. Note
+ that future X.Org server releases may make the -iglx option the default.
+ To re-enable support for indirect GLX on such servers, use the +iglx
+ option.
+ - Added the "AllowIndirectGLXProtocol" X config option. This option can
+ be used to disallow use of GLX protocol. See "Appendix B. X Config
+ Options" in the README for more details.
+ * Refresh patches.
+ * Add xorg-video-abi-19, xorg-video-abi-18 as alternative dependencies.
+ * conftest.h:
+ - Implement new conftest.sh function acpi_op_remove (304.123).
+ - Implement new conftest.sh functions kbasename, fatal_signal_pending
+ (331.38).
+ - Implement new conftest.sh function kuid_t (331.49).
+ - Implement new conftest.sh function pm_vt_switch_required (331.67).
+ - Implement new conftest.sh function console_lock (331.79).
+ - Tighten check for drm/drmP.h.
+ - DRM is only supported on Linux >= 3.9.
+ - Implement new conftest.sh functions sg_table, sg_alloc_table (340.46).
+ - Implement extensions to conftest.sh function vm_operations_struct
+ (343.13).
+ - Implement check for drm/drm_gem.h (340.58).
+ - Implement new conftest.sh functions pci_save_state (340.58), follow_pfn,
+ fault_flags, atomic64_type (346.16).
+ * Add changelog entries from etch and squeeze updates.
+
+ -- Andreas Beckmann <a...@debian.org> Sat, 13 Dec 2014 18:26:09 +0100
+
+nvidia-graphics-drivers (304.123-1) UNRELEASED; urgency=medium
+
+ * New upstream legacy 304xx branch release 304.123 (2014-07-10).
+ - Improved compatibility with recent Linux kernels.
+ - Fixed a bug that could result in system instability while restoring
+ the VGA console.
+ - Fixed an interaction problem with xserver 1.15 that occasionally caused
+ OpenGL applications to continue rendering when they are minimized or
+ unmapped.
+ - Updated nvidia-bug-report.sh to search the systemd journal for X
+ server logs and messages from the NVIDIA kernel module.
+ - Added support for X.org xserver ABI 18 (xorg-server 1.16).
+ - Fixed a bug that caused corruption or blank screens on monitors that use
+ EDID version 1.3 or older when they are connected via DisplayPort on
+ graphics boards that use external DisplayPort encoders, such as the Quadro
+ FX 4800.
+
+ -- Andreas Beckmann <a...@debian.org> Sun, 28 Sep 2014 20:46:10 +0200
+
+nvidia-graphics-drivers (304.121-1) UNRELEASED; urgency=medium
+
+ * New upstream legacy 304xx branch release 304.121 (2014-03-11).
+ - Improved compatibility with recent Linux kernels.
+ - Fixed a bug that prevented the NVIDIA implementation of the Xinerama
+ extension protocol requests from being used when RandR was enabled.
+
+ -- Andreas Beckmann <a...@debian.org> Tue, 22 Apr 2014 02:02:57 +0200
+
+nvidia-graphics-drivers (304.119-1) UNRELEASED; urgency=medium
+
+ * New upstream legacy 304xx branch release 304.119 (2014-01-23).
+ - Fixed a crash when using WebGL in Firefox with a Geforce 6 GPU.
+
+ -- Andreas Beckmann <a...@debian.org> Sat, 15 Feb 2014 16:49:54 +0100
+
nvidia-graphics-drivers (304.117-1) wheezy; urgency=medium
* New upstream legacy 304xx branch release 304.117 (2013-12-11).
@@ -80,7 +150,7 @@
- Fixed font rendering performance and corruption problems on X servers with
backported support for the new glyph cache functionality added to Pixman
0.27.
- - Fixed a potential X server crash during initialization, when a
+ - Fixed a potential X server crash during initialization, when a
graphics card with a TV connector has no TV connected.
- Added a new X configuration option, "UseHotplugEvents", to allow the
suppression of RandR events when adding or removing non-DisplayPort
@@ -104,6 +174,12 @@
-- Andreas Beckmann <a...@debian.org> Fri, 15 Mar 2013 11:23:39 +0100
+nvidia-graphics-drivers (304.64-5) UNRELEASED; urgency=low
+
+ * Dummy.
+
+ -- Andreas Beckmann <a...@debian.org> Fri, 15 Mar 2013 11:23:39 +0100
+
nvidia-graphics-drivers (304.64-4) unstable; urgency=low
* nvidia-detect: Fix detection of Debian 7.0 (wheezy). (Closes: #697282)
@@ -1992,6 +2068,33 @@
-- Andreas Beckmann <deb...@abeckmann.de> Tue, 22 Feb 2011 20:35:45 +0000
+nvidia-graphics-drivers (195.36.31-6squeeze2) stable-proposed-updates; urgency=low
+
+ * CVE-2012-4225. (Closes: #684781)
+ Add upstream patch nvidia-blacklist-vga-pmu-registers-195.diff:
+ Fix exploitable local privilege escalation through VGA window manipulation
+ via the device nodes that allows access to arbitrary physical memory.
+
+ -- Andreas Beckmann <deb...@abeckmann.de> Fri, 17 Aug 2012 00:43:36 +0200
+
+nvidia-graphics-drivers (195.36.31-6squeeze1) stable-proposed-updates; urgency=medium
+
+ * Security fix (backported from 195.36.31-7). (Closes: #609338)
+ Apply upstream patch NVIDIA_kernel-260.19.34-778465.diff to fix
+ information leak in the kernel module: kernel memory was returned
+ uninitialized to user space.
+ * CVE-2012-0946 (backported from 295.40-1):
+ Add upstream patch nvidia-blacklist-register-mapping-195.diff:
+ Closed a security vulnerability which made it possible for attackers to
+ reconfigure GPUs to gain access to arbitrary system memory. For further
+ details, see: http://nvidia.custhelp.com/app/answers/detail/a_id/3109
+ * Let the bug-script collect detailed information about OpenGL and NVIDIA
+ libraries and their symlinks, diversions and alternatives currently found
+ on the system. Also list files remaining from using the nvidia-installer.
+ Report status of more related packages.
+
+ -- Andreas Beckmann <deb...@abeckmann.de> Fri, 15 Jun 2012 11:40:37 +0200
+
nvidia-graphics-drivers (195.36.31-6) unstable; urgency=low
[ Andreas Beckmann ]
@@ -2940,6 +3043,25 @@
-- Randall Donald <rdon...@debian.org> Sat, 23 Sep 2006 11:29:28 -0700
+nvidia-graphics-drivers (1.0.8776-4) unstable; urgency=high
+
+ * Add patch for compiling against 2.6.19. (closes: #401201, #402000)
+
+ -- Randall Donald <rdon...@debian.org> Thu, 4 Jan 2007 20:18:03 -0800
+
+nvidia-graphics-drivers (1.0.8776-3) unstable; urgency=low
+
+ * rm libGL.so created by init script. (closes: #400129)
+
+ -- Randall Donald <rdon...@debian.org> Sun, 3 Dec 2006 17:55:23 -0800
+
+nvidia-graphics-drivers (1.0.8776-2) unstable; urgency=low
+
+ * Check for compiler existance (closes: #319544)
+ * remove old nvidia-glx-dev.links lines (closes: #398677)
+
+ -- Randall Donald <rdon...@debian.org> Sat, 18 Nov 2006 21:07:46 -0800
+
nvidia-graphics-drivers (1.0.8776-1) unstable; urgency=medium
* New upstream.
Index: debian/rules.defs
===================================================================
--- debian/rules.defs (.../tags/304.117-1) (revision 5210)
+++ debian/rules.defs (.../branches/304) (revision 5210)
@@ -2,8 +2,8 @@
#NVIDIA_LEGACY =
WATCH_VERSION = 304
-XORG_ABI_LIST = 15 14 13 12 11 10 8 6.0
-XORG_BOUND = (<< 2:1.15.99)
+XORG_ABI_LIST = 19 18 15 14 13 12 11 10 8 6.0
+XORG_BOUND = (<< 2:1.17.99)
NVIDIA_DIRNAME_X86 = NVIDIA-Linux-x86-${NVIDIA_RELEASE}
NVIDIA_DIRNAME_X86_64 = NVIDIA-Linux-x86_64-${NVIDIA_RELEASE}
