It's already fixed

Story: Root exploit found in binary NVIDIA driverTotal Replies: 40
Author Content
herzeleid

Oct 17, 2006
7:16 AM EDT
We didn't have to wait long for nvidia. The 1.0-9626 driver, which I'm currently using, has the fix.

Let me play devil's advocate for a moment. Let's say that this particular vulnerability is due to the closed nature of the nvidia driver. So then, what is the reason for all the vulnerabilities that we have seen in OSS software to date?
salparadise

Oct 17, 2006
8:11 AM EDT
I cant see a link on the nvidia site to that build number. This is the 2nd time I´ve heard of this 9626 version and yet the nvidia site has 8774 as the ¨latest version¨.

Can you post a link please?

jdixon

Oct 17, 2006
8:20 AM EDT
It looks like it may be on their archive page:

http://www.nvidia.com/object/linux_display_archive.html
wind0wsr3fund

Oct 17, 2006
8:24 AM EDT
This is classic.
herzeleid

Oct 17, 2006
8:30 AM EDT
It's technically a beta driver, but it has been solid for me - I found out about it a few weeks ago on the linux gamers website. The download is here:

ftp://download.nvidia.com/XFree86/Linux-x86/1.0-9626/
tuxchick2

Oct 17, 2006
8:30 AM EDT
herzeleid, all software has vulnerabilities. (Of course, the severity varies a lot, which the analists and other dimwitted life-forms can't seem to grasp.) OSS is up-front about them and gets them fixed. Certain illegal monopolists and other closed-source proprietary vendors are not, and it takes outside pressure to get them to admit to problems, and then you can still die of old age waiting for a fix.

I'm hoping that NVidia gets tired of having to carry the load all by themselves and releases their drivers under an OSS license. They are responsive, but it has to be taking a fair amount of effort and resources.
jdixon

Oct 17, 2006
8:50 AM EDT
> They are responsive, but it has to be taking a fair amount of effort and resources.

So, if this bug exists in the Linux binary blob, and NVidia insists that their drivers have the same codebase, does it also exist in Windows?
dinotrac

Oct 17, 2006
8:51 AM EDT
TC -

Agree 100%.

I do appreciate that nVidia creates a good driver for linux. That's so much more than some do. However, their core business is hardware. Offloading driver development to x.org or whomever should be a no-brainer.
herzeleid

Oct 17, 2006
8:52 AM EDT
Quoting: tuxchick: herzeleid, all software has vulnerabilities.
Very true, and as you say, one has to take into account the actual scope and degree of vulnerability, rather than lumping all shapes and sizes of vulnerability together as certain "IT Pundits" tend to do.

FWIW, I'm reminded of a computer science theorem: Since all programs have bugs, and all programs can be reduced in size, it follows logically that any program can be reduced to a single line of code, containing a bug.
tuxchick2

Oct 17, 2006
9:25 AM EDT
Hmm, I dug into this a bit more deeply, and I am unimpressed by the lack of information on NVidia.com; in fact that's just plain bogus. I don't see a single word discussing the vulnerability or what users need to do to fix it. Additionally, several sources claim this has been known for a couple of years, but NVidia wouldn't do anything about it. Big black eye to NVidia.

According to Kerneltrap, http://kerneltrap.org/node/7228, no known systems have actually been compromised. Check out the Kerneltrap link for a lot of good information.

NVidia's lack of openness and information on this is seriously lame.

herzeleid

Oct 17, 2006
10:10 AM EDT
Quoting: tuxchick: According to Kerneltrap, [HYPERLINK@kerneltrap.org] no known systems have actually been compromised. Check out the Kerneltrap link for a lot of good information.
No actual systems compromised. The potential vulnerability has been fixed in the 1.0-9xxx series. Doesn't seem like much of a black eye...
tuxchick2

Oct 17, 2006
10:30 AM EDT
It doesn't? Do you think NVidia is deserving of praise for their complete silence on this vulnerability? I think it's one more reason to tell them to take a hike. How can you trust them?

herzeleid

Oct 17, 2006
11:17 AM EDT
Quoting: tuxchick: Do you think NVidia is deserving of praise for their complete silence on this vulnerability? I think it's one more reason to tell them to take a hike. How can you trust them?
Gosh, you seem angry. I'm going to wait and see what nvidia says about it.

If you look at the details of the exploit, you see it takes a skilled attacker with a full local shell account, compiler, and time on his hands. Pretty low on the danger scale compared to say, a vulnerability that allows an anonymous connection from a remote host to access or bring down the system.

The beauty of it is, you are free to tell nvidia to take a hike, if that's what floats your boat, and more power to you. And I'm just as free to keep them around. And seeing as how I'm sort of partial to these sexy 3D graphics, I'm not really considering dumping my nvidia card or drivers.

tuxchick2

Oct 17, 2006
11:34 AM EDT
I'm a bit exasperated because you sound like a fanboi who thinks NVidia can do no wrong :). If NVidia isn't going to post bulletins and tell how to get bug and security fixes, how can we trust them? Getting this information from third parties is bush-league. I don't see one single word on their site about security issues- how can you give them a pass on such a fundamental issue? I think trustworthy vendors are more sexy than whatever tarted-up products they're offering. :)

jimf

Oct 17, 2006
12:04 PM EDT
Just a few disturbing thoughts stemming from this.

There is nothing more important to the Linux desktop than the basic video system, Without that we're back to greenscreen and text based. Video card OEM's have traditionally, and increasingly hindered the growth and even the technical advancement in Linux. I'm not a GPLv3 advocate, but this is one case that really highlights the problem more than any other. It's been with us since the beginning.

Only a few years ago, there were a slew of graphic card choices. Because of the competition, at least some of those were willing to release information on their cards, or at least supply Linux drivers. No longer. We now pretty much have a two party monopoly now, and they happen to be the two than have really bad reputations for driver stability, even in Windows.

Don't tell me Windows driver's aren't buggy, I dealt with ATI 'catalyst' drivers for years, and they always had bugs. My friends, running NVidia, experienced much the same. In Windows, The peaky hardware and alpha level driver instability have basically been caused by the gamer fanboy mentality. That's resulted in a very lucrative market for the two OEMs, but questionable stability and security for everyone. With that record, why are we surprise at bugs in the Linux version.

It also makes the Linux market a very secondary concern. OEM's continue to release mediocre (and buggy) drivers for Linux at their leisure. I fail to see how this situation will change anytime in the near future, unless Intel comes through on their promise.

It now appears that Intel wants to get into the game. More than likely that will be an uphill battle, so, they obviously want to maximize their market base. It 'looks like' they see the possibilities in the Linux market. Intel has promised to supply open source drivers for their new cards. 'If' they follow through with this, It may encourage the other OEMs to do likewise. I wouldn't hold my breath on that, but worst case, we'll have at least one OEM derived open source driver. But, remember that, so far, there has been no release of actual cards from Intel.
Sander_Marechal

Oct 17, 2006
1:56 PM EDT
Actually, Intel is quite a big player in the graphics market - just not in the high-end 3D gamer audience. I'm quite confident that Intel can power a 3D desktop which means only gamers would *need* a proprietry driver + card on Linux.
jimf

Oct 17, 2006
2:18 PM EDT
sander,

Unless you're a fan of Intel MBs, I think, at the moment, you would Need a separate card.

Sander_Marechal

Oct 17, 2006
2:47 PM EDT
True, but up to a year, maybe two ago or so, most PC ads I saw would have Intel integrated graphics on board and not an nVidia or ATI card. You'd have to get a really high-end PC for that. There's a huge ammount on Intel GPU's out there. If anything, I'd say that Intel are trying to prevent loosing market share to cheap low-end nVidia and ATI cards, not "getting into the game".
herzeleid

Oct 17, 2006
2:56 PM EDT
Quoting: tuxchick: I'm a bit exasperated because you sound like a fanboi who thinks NVidia can do no wrong :).
Well tc, I wouldn't call myself an nvidia fanboi, but I am rather a fan of their video hardware and drivers at present. I hear a lot of talk about how horrible nvidia cards are, and then I survey the market and find that not only are nvidia the best cards available at an affordable price, but that they also maintain linux drivers for those cards. What am I to make of those claims that nvidia is the worst? It seems the world is somehow upside down

Make no mistake, I'd love to see a viable FOSS video driver, but with the exception of the old voodoo graphics, and the newer intel stuff, every experience I've had with FOSS OpenGL video drivers has been an absolute, unmitigated disaster. My experience with things like the DRI drivers on ATI cards over the years has made me grateful for the continued availability of the fast, stable nvidia drivers.

Do I pretend nvidia is perfect? Of course not. But there are a lot more serious issues to be addressed in the linux world, than whether nvidia chooses to offload the development of their drivers. Given that they've done a far better job than anyone else so far, it's hard to fault them.
herzeleid

Oct 17, 2006
3:05 PM EDT
Quoting: jdixon: So, if this bug exists in the Linux binary blob, and NVidia insists that their drivers have the same codebase, does it also exist in Windows?
The attack vector in the example exploit is an X11 program, which tells me it could be used to attack linux, freebsd, or solaris.

OTOH ms windoze does not come with X11 by default, but it is said to have the same binary blob behind the platform specific glue code. So it follows that there would be ways to pwn a windoze box through the vulnerability in the blob, but IMHO there are plenty of ways to do that with or without the nvidia driver.
Sander_Marechal

Oct 17, 2006
3:11 PM EDT
The actual bug - a buffer overflow - probably exists on Windows too. What matters is if that overflow can be turned into an exploit. For that to happen, the overflow should write something to a location that later on gets executed - preferably by a process that has root/admin rights. It could be that the same buffer overflow on Windows ends up writing to a memory location where it can't hurt the rest of the system.
jezuch

Oct 17, 2006
3:22 PM EDT
Quoting:I'm hoping that NVidia gets tired of having to carry the load all by themselves and releases their drivers under an OSS license. They are responsive, but it has to be taking a fair amount of effort and resources.


They [NVidia] say that it's too difficult for an OSS community to write drivers for "such a complex device". Yeah.

My favourite theory is that of shame. Their driver workarounds so many hardware bugs that releasing that information to the public would be bordering on a PR catastrophe ;)
jimf

Oct 17, 2006
3:51 PM EDT
> My favourite theory is that of shame. Their driver workarounds so many hardware bugs that releasing that information to the public would be bordering on a PR catastrophe ;)

That may be a good point, both with NVidia and ATI. Nothing like showing the world how incompetent you are.
theboomboomcars

Oct 17, 2006
4:21 PM EDT
Quoting:They [NVidia] say that it's too difficult for an OSS community to write drivers for "such a complex device". Yeah.


From nVidia's web site they claim they don't release drivers for a different reason.

Quoting:One of the biggest growth areas for Linux is in the workstation market, where NVIDIA's enterprise customers are using custom deployed OpenGL applications under Linux with our Quadro GPUs. Most of these companies require NVIDIA to provide an end-to-end solution which stipulates that NVIDIA be wholly responsible for product delivery and support, including the drivers. This is the primary reason why NVIDIA has decided to retain source code control for our 3D graphics engine.


I would love to see an Open driver for nVidia's cards, but as long as they can't or wont figure out a way to provide a free driver as well as the closed driver for the workstations that require it, I guess I am out of luck. Although the OSS dirver for my unichrome chip in my laptop is junk, and a pain to work with. Makes me wish I could program.
jimf

Oct 17, 2006
4:38 PM EDT
Quoting:One of the biggest growth areas for Linux is in the workstation market, where NVIDIA's enterprise customers are using custom deployed OpenGL applications under Linux with our Quadro GPUs. Most of these companies require NVIDIA to provide an end-to-end solution which stipulates that NVIDIA be wholly responsible for product delivery and support, including the drivers. This is the primary reason why NVIDIA has decided to retain source code control for our 3D graphics engine.


That is one of the lamest excuses I've heard in a long time :P Really spin for 'proprietary rules'...
dcparris

Oct 17, 2006
8:42 PM EDT
jimf: > There is nothing more important to the Linux desktop than the basic video system, Without that we're back to greenscreen and text based.

What? You mean you don't like the EMACS virtualization technology running on a Linux or Hurd kernel with the glitzy new 3D interface? You are soooo GUI-fied! :-p
jimf

Oct 17, 2006
8:57 PM EDT
You are soooo GUI-fied! :-p

You are soooo right :D
tuxchick2

Oct 17, 2006
9:07 PM EDT
You kids dunno nuthin. Framebuffer all the way.
jimf

Oct 17, 2006
10:19 PM EDT
> You kids dunno nuthin. Framebuffer all the way.

LikeTom Selleck says in 'Quigley Down Under', "Just said I didn't like pistols, Didn't say I couldn't use one' ;-).
herzeleid

Oct 22, 2006
8:35 AM EDT
Can we say vindicated?

http://nvidia.custhelp.com/cgi-bin/nvidia.cfg/php/enduser/st...
tuxchick2

Oct 22, 2006
9:43 AM EDT
Vindication for a two-year old security hole that was reported for weeks before Nvidia acknowledged it? I'll give them a point for finally owning up to it, and I'm deducting ten points for posting it in obscure location. If you can show me an obvious link to "security bulletins" or something similar, rather than having to know exactly what to search for and where to find it, I'll up their score.
jimf

Oct 22, 2006
9:47 AM EDT
And it still ain't open source, so next time they'll probably do the same.
Scott_Ruecker

Oct 22, 2006
9:57 AM EDT
Quoting:Like Tom Selleck says in 'Quigley Down Under', "Just said I didn't like pistols, Didn't say I couldn't use one' ;-).


One of my favorite movies of all time. Good choice of words Jim.
herzeleid

Oct 22, 2006
11:34 AM EDT
Quoting: tuxchick: Vindication for a two-year old security hole that was reported for weeks before Nvidia acknowledged it?
As it turns out, this was *not* a two-year old security hole. That was a false charge. The theoretical vulnerability, which was never exploited in any case, was fairly short lived, but was confused with an old xorg security hole by those eager to sling mud.

I have to confess, I'm a bit puzzled by all the eagerness to slam nvidia. The security record of their drivers is as good or better than any of the other linux drivers, they have some very savvy linux coders on their payroll and they've been quick to keep their linux drivers up to date.

Are the extremists in the community really so willing to eliminate the best linux drivers available, and force linux users back to the stone age, all in the name of demanding that everything be open source? .

jimf

Oct 22, 2006
12:02 PM EDT
> Are the extremists in the community really so willing to eliminate the best linux drivers available, and force linux users back to the stone age, all in the name of demanding that everything be open source?

Lol, what a great piece of FUD herzeleidm...
herzeleid

Oct 22, 2006
2:03 PM EDT
jimf: It was an honest question. Will anyone step up and answer it?
tuxchick2

Oct 22, 2006
2:30 PM EDT
This is going in circles. I'm not advocating the demise of NVidia, nor is anyone else. I want the same two fundamental things that I always want: free/open source software, especially drivers because they represent heightened security risks, and responsible security habits, like timely security bulletins and fixes that are not hidden away deep in the bowels of the vendor's site, and that are not released grudgingly when they're forced to, but quickly and openly.

How are these things bad?
herzeleid

Oct 22, 2006
2:53 PM EDT
Quoting: tuxchick: This is going in circles. I'm not advocating the demise of NVidia, nor is anyone else.
tc, there are those who want to keep other linux users from using the proprietary nvidia drivers. If that group doesn't include you, that's great. - but those people do exist, and some of us take a lot of flak from that crowd for using the nvidia drivers. They say we're "giving up our freedom" simply because we are using linux plus an "opaque" video driver.

Well, call me silly, but if I am given a choice between using:

# 1. video card A, with an open source driver, the code of which I've inspected and completely understand, but which gives crappy performance, and for some reason locks up the computer when I try to play doom3 -

# 2. video card B, which is about the same price as card A, and has an opaque driver core, but which gives fantastic performance, and has never been involved in a crash -

I'll pick #2 every time - but tc, you are free to pick #1, if having access to the source code is the most important thing to you. For me, it's more important that the software be of good quality, and fully support linux, than that I have the source code available.
tuxchick2

Oct 22, 2006
4:45 PM EDT
Oh good heavens, I hope I haven't given the impression that I want to control what other people do with their computers. That's not my business. I do consider it a sacred right and duty to pester vendors to offer the services and products that I, as their paying customer, want. How else will they know, if I don't speak up? Is that not the essence of a free market? (cue heroic music)

It's not always easy to choose, and that's something everyone has to figure out on their own.
dcparris

Oct 22, 2006
5:17 PM EDT
I, for one, see nothing wrong with speaking up for high quality FOSS drivers. I think everyone should do it. :-)
jimf

Oct 22, 2006
5:20 PM EDT
> there are those who want to keep other Linux users from using the proprietary nvidia drivers.

Of course there are, as there are those who want to keep you from doing a lot of things you are entitled to do. That's what ':P' is for. It's entirely your choice.

What you should realize is that NVidia (or any other OEM's) proprietary drivers are far from the technical best, or most ethical solution. In an ideal world, we wouldn't have to deal with such crap, but obviously, we don't live there. I find it difficult to blame people for choosing the best solution in any situation, even if that solution really sucks.

The solution is going to be a continuation of pressure on the OEM's to use open source and open standards. Remember that a couple of years ago none of these guys even produced a decent driver for Linux, now we have proprietary drivers from NVidia, and ATI and a open source driver from Intel. The battle to attain open source drivers for Linux will be much the same as it is for Linux itself, slow and steady.

Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]

Becoming a member of LXer is easy and free. Join Us!