From: Alexey Dokuchaev
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Cc: x11@FreeBSD.org
Date: Sun, 14 Dec 2014 11:42:44 +0000
Subject: Forbidden due to CVE-2014-8298: nvidia-driver-173, nvidia-driver-96, nvidia-driver-71
Message-ID: <20141214114244.GA2487@FreeBSD.org>
In-Reply-To: <201412141121.sBEBLsvP017491@svn.freebsd.org>

On Sun, Dec 14, 2014 at 11:21:54AM +0000, Alexey Dokuchaev wrote:
> New Revision: 374697
> URL: https://svnweb.freebsd.org/changeset/ports/374697
> QAT: https://qat.redports.org/buildarchive/r374697/
>
> Log:
>   Mark legacy branches -173, -96, and -71 as FORBIDDEN: they are
>   unsupported by NVidia and no security updates for them were issued
>   to fix CVE-2014-8298.
>
>   Security: fdf72a0e-8371-11e4-bc20-001636d274f3

I've marked these ports FORBIDDEN for now, but their fate is yet to be decided. The last update to the -173 legacy branch, 173.14.39, added support for X.org xserver ABI 15 (xorg-server 1.15), and it was confirmed to work with the upcoming v1.14 update (PR 195781), so it would be unfortunate to lose it just because NVidia does not care about it anymore and won't provide a fix for CVE-2014-8298.
On the other hand, NVidia did provide mitigation techniques:

- Configure the X server to prohibit X connections from the local area network (by passing the "-nolisten tcp" command line option to the X.Org X server) -- which we also default to, or

- Disable GLX indirect contexts. With any of the fixed NVIDIA driver versions mentioned above, indirect GLX contexts can be prohibited by setting the "AllowIndirectGLXProtocol" X configuration option to False, or setting the "-iglx" X server command line option on X.Org 1.16 or newer.

So perhaps instead of forbidding them and subsequently removing them, we can provide a pkg-message that tells users what they are facing and how to stay safe (with a legal bla-bla about how FreeBSD cannot guarantee anything if you use this vulnerable, unmaintained upstream port)? I wonder what other people think.

./danfe
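The two mitigations named above, written out as an xorg.conf fragment. This is an added example, not part of this message or of the ports tree; the Screen-section placement of "AllowIndirectGLXProtocol" and the ServerFlags "IndirectGLX" option as the config-file equivalent of "-iglx" are assumptions to verify against the driver README and xorg.conf(5) for your versions.

```conf
# Constructed xorg.conf fragment: default (exposed) behaviour vs. hardened settings.
#
# Defaults on an unfixed legacy driver:
#   - the X server accepts TCP connections on port 6000 unless started with "-nolisten tcp"
#   - indirect GLX contexts are allowed (the code path the CVE-2014-8298 mitigation closes)
#
# Hardened configuration:

Section "ServerFlags"
    # xorg-server 1.16+: refuse indirect GLX contexts server-wide, the same
    # effect as starting the server with "-iglx" (option name assumed; see xorg.conf(5)).
    Option "IndirectGLX" "off"
EndSection

Section "Screen"
    Identifier "Screen0"
    Device     "Device0"
    # Driver option named in the NVIDIA advisory; placing it in the Screen section
    # is an assumption, check the driver README. The advisory describes it for the
    # fixed driver versions, so do not rely on it alone with a legacy -173/-96/-71 build.
    Option "AllowIndirectGLXProtocol" "False"
EndSection

# "-nolisten tcp" is a server command line flag, not an xorg.conf option; FreeBSD's
# startx passes it by default. To confirm no TCP listener is present on a running
# server:  sockstat -l | grep ':6000'   (no output means nothing listens on 6000)
```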