Date:      Sun, 14 Dec 2014 12:19:16 -0500
From:      Adam McDougall <mcdouga9@egr.msu.edu>
To:        svn-ports-all@freebsd.org
Cc:        danfe@FreeBSD.org
Subject:   Re: Forbidden due to CVE-2014-8298: nvidia-driver-173, nvidia-driver-96, nvidia-driver-71
Message-ID:  <548DC694.4030701@egr.msu.edu>
In-Reply-To: <20141214114244.GA2487@FreeBSD.org>
References:  <201412141121.sBEBLsvP017491@svn.freebsd.org> <20141214114244.GA2487@FreeBSD.org>

On 12/14/2014 06:42, Alexey Dokuchaev wrote:
> On Sun, Dec 14, 2014 at 11:21:54AM +0000, Alexey Dokuchaev wrote:
>> New Revision: 374697
>> URL: https://svnweb.freebsd.org/changeset/ports/374697
>> QAT: https://qat.redports.org/buildarchive/r374697/
>>
>> Log:
>>   Mark legacy branches -173, -96, and -71 as FORBIDDEN: they are
>>   unsupported by NVidia and no security updates for them were issued
>>   to fix CVE-2014-8298.
>>   
>>   Security:	fdf72a0e-8371-11e4-bc20-001636d274f3
> 
> I've marked these ports FORBIDDEN for now, but their fate is yet to be decided.
> The last update to the -173 legacy branch, 173.14.39, added support for X.org xserver
> ABI 15 (xorg-server 1.15), and it was confirmed to work with the upcoming v1.14
> update (PR 195781), so it would be unfortunate to lose it just because NVidia
> does not care about it anymore and won't provide a fix for CVE-2014-8298.
> 
> On the other hand, NVidia did provide mitigation techniques:
> 
>   - Configure the X server to prohibit X connections from the local area
>     network (by passing the "-nolisten tcp" command line option to the X.Org
>     X server) -- which we also default to, or
>   - Disable GLX indirect contexts. With any of the fixed NVIDIA driver
>     versions mentioned above, indirect GLX contexts can be prohibited by
>     setting the "AllowIndirectGLXProtocol" X configuration option to False,
>     or setting the "-iglx" X server command line option on X.Org 1.16 or
>     newer.
> 
> So perhaps instead of forbidding them and subsequently removing them, we can
> provide a pkg-message that tells users what they are facing and how to stay
> safe (with a legal bla-bla about how FreeBSD cannot guarantee anything
> if you use this vulnerable, unmaintained upstream port)?
> 
> I wonder what other people think.
> 
> ./danfe

I'm worried about whether people will see it.  At least the nvidia
driver has a higher chance of being installed individually rather than
in a large list of ports or packages where the message will be lost in
the noise.  When I set up a new computer, I still don't install them one
by one.  For hardware that is so old that people need a legacy driver,
maybe people should just have to be pointed at instructions in the
Makefile and be caused to make their own decision?  Can they be
marked FORBIDDEN with the explanations you provided above, but kept for
some period of time?  Maybe a note to email a particular address if you
still benefit from this driver, and if nobody emails within a year,
remove it?

It just feels wrong to me for FreeBSD to willfully allow installation of
known vulnerable software, even if it is more convenient.
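The two mitigations quoted from NVidia above (starting the X server with "-nolisten tcp" or "-iglx", or setting AllowIndirectGLXProtocol to false in xorg.conf) are the kind of thing a pkg-message would tell users to verify. The following audit script is an added example written for this thread; it is not code from the thread, from the FreeBSD ports tree or from NVidia. It assumes the X server command line is passed in as a string (on a live system it would come from something like `ps -o args= -p $(pgrep -x Xorg)`, and the config from /etc/X11/xorg.conf), and it matches the option anywhere in the config text because the thread does not say which section it belongs in. The sample inputs at the bottom are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeBSD ports tree.
# Audits whether an X server carries either mitigation quoted in the
# message: "-nolisten tcp" (or "-iglx" on X.Org 1.16+) on the command
# line, or AllowIndirectGLXProtocol set to false in xorg.conf.
# Assumption: the option may appear in any section of the config.

# Returns 0 when the X server command line disables TCP listening or
# indirect GLX contexts, 1 otherwise.
x_cmdline_mitigated() {
    case " $1 " in
        *" -nolisten tcp "*|*" -iglx "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads an xorg.conf on stdin; returns 0 when it sets
# AllowIndirectGLXProtocol to a false value (X config option names and
# values are case-insensitive, hence -i).
xorg_conf_disables_iglx() {
    grep -Eiq 'Option[[:space:]]+"AllowIndirectGLXProtocol"[[:space:]]+"(false|off|no|0)"'
}

# Combined verdict: 0 when either mitigation is in place, 1 when the
# server both accepts TCP connections and allows indirect GLX contexts.
x_server_mitigated() {
    cmdline=$1
    conf=$2
    if x_cmdline_mitigated "$cmdline"; then
        echo "mitigated by X server command line: $cmdline"
        return 0
    fi
    if printf '%s\n' "$conf" | xorg_conf_disables_iglx; then
        echo "mitigated by xorg.conf: AllowIndirectGLXProtocol is false"
        return 0
    fi
    echo "NOT mitigated: X accepts TCP connections and indirect GLX contexts"
    return 1
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CMDLINE_SAFE='/usr/local/bin/Xorg :0 -nolisten tcp -auth /tmp/auth'
SAMPLE_CMDLINE_UNSAFE='/usr/local/bin/Xorg :0 -auth /tmp/auth'
SAMPLE_CONF_SAFE='Section "Screen"
    Identifier "Screen0"
    Option "AllowIndirectGLXProtocol" "false"
EndSection'
SAMPLE_CONF_UNSAFE='Section "Screen"
    Identifier "Screen0"
EndSection'

# Stand-alone run: one report line per constructed combination.
x_server_mitigated "$SAMPLE_CMDLINE_SAFE" "$SAMPLE_CONF_UNSAFE"
x_server_mitigated "$SAMPLE_CMDLINE_UNSAFE" "$SAMPLE_CONF_SAFE"
x_server_mitigated "$SAMPLE_CMDLINE_UNSAFE" "$SAMPLE_CONF_UNSAFE" || true
```

Only the third combination reports "NOT mitigated"; the first two each satisfy one of the quoted mitigations. Either mitigation on its own is enough for the check to pass, which mirrors the "or" in NVidia's advice.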
