NVIDIA confirms that there is a security vulnerability in the NVIDIA UNIX Graphics drivers, versions 1.0-8762 and 1.0-8774, as reported in Security Advisory R7-0025, "Buffer Overflow in NVIDIA Binary Graphics Driver For Linux" (http://download2.rapid7.com/r7-0025/).
This issue is also disclosed as CVE-2006-5379.
The root cause is as described in the security advisory:
a scratch buffer was allocated in system memory for glyph rendering
the scratch buffer allocation was clamped to a maximum size
the glyph list rendered was not clamped using the same clamping criteria as the scratch buffer
This bug was in the NVIDIA X driver's Render acceleration layer. The bug can be avoided in affected drivers by disabling Render acceleration via the "RenderAccel" X configuration option.
NVIDIA can confirm that this bug is only present in the NVIDIA UNIX Graphics drivers 1.0-8762 and 1.0-8774, and is fixed starting with 1.0-8776. Also, this bug is not present in driver versions older than 1.0-8762. For example, versions 1.0-8178 or 1.0-7184 are not affected by this bug.
There is some confusion between this NVIDIA driver bug and a previously fixed core XFree86/X.Org server bug. This confusion mistakenly led the security advisory to the conclusion that the NVIDIA driver bug was reported and known as early as 2004.
That particular issue can be seen reported in notes 3, 5, and 6 of the following security advisory:
That issue is a core XFree86/X.Org server bug with a similar symptom. Based on our investigation, we believe these earlier reported symptoms were caused by the following bugs:
Those bugs were resolved with the following change:
Since the symptom is the same, it is possible that newer postings in those bug reports were referring to the NVIDIA bug in 1.0-8762 and 1.0-8774. However, we believe the symptoms dating back to 2004 are the XFree86/X.Org server bug.
Please note that in the Eclipse bugzilla report https://bugs.eclipse.org/bugs/show_bug.cgi?id=87299, at least one user reports seeing similar symptoms on non-NVIDIA products.
Also, note that freedesktop bugzilla #2129 is filed against the core X.Org X server, rather than the NVIDIA binary driver bugzilla module. The security advisory's reference #4 to this email posting http://lists.freedesktop.org/archives/xorg/2005-January/005642.html appears to be an attempt to correlate bugzilla #2129 with the NVIDIA driver bug, trying to imply that NVIDIA was aware of this bug as far back as 2004. However, NVIDIA is only mentioned once in that bug report (comment #9, nearly 2 years after the bug was originally filed).
In summary, the accurate history of this issue is as follows:
NVIDIA was made aware of a problem with our 1.0-8774 driver that caused an X Server crash on July 2006 through a posting on nvnews.net. The problem was not identified as a security risk.
We debugged and fixed the issue, and included it, along with many other bug fixes, in the Release 95 series. 1.0-9625 was released on September 21, 2006 as a beta driver on nZone.com http://www.nzone.com/object/nzone_downloads_rel70betadriver.html.
We were informed on Monday, October 16th, that the problem posed a security risk. NVIDIA is releasing an updated driver from our stable Release 85 series, 1.0-8776, on Thursday, October 19, 2006, which includes the bug fix.
We encourage users of NVIDIA graphics driver version 1.0-8762 or 1.0-8774 to upgrade to 1.0-8776, available here: http://www.nvidia.com/object/unix.html
While we have no record of Rapid7 contacting us prior to their announcement, NVIDIA does provide a technical contact to security firms to inform us of potential security issues. We encourage anyone that has identified what they believe to be a security issue with an NVIDIA driver to directly contact our UNIX Graphics Driver security email alias, email@example.com, to report and evaluate any potential issues prior to publishing a public security advisory.
We look forward to working with the professional security community in the future to make our driver more robust and secure.