Gentoo Archives: gentoo-dev

From: John Helmert III <ajak@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] [RFC] A new GLSA schema
Date: Thu, 10 Nov 2022 02:27:41
Message-Id: Y2xhlbizeJmhJ/AC@gentoo.org
The first GLSA in glsa.git is GLSA-200310-03, the third GLSA of
October 2003. It used roughly the same format of the GLSAs we release
today, in 2022, making that format almost as old as me.

Somewhere along the way, it started to become necessary to target
multiple version ranges within the same package. The GLSA format
isn't capable of expressing this. Thus, I propose a new format (an
example of which I've attached inline below), with the following
changes from the old format:

- Rework affected to use XML-ified logical operators to specify the
affected versions, and *don't* use different fields to specify
vulnerable and unaffected versions. Instead, only list vulnerable
versions, unaffected versions are implicit.

- Drop synopsis and description fields. These fields contain the same
information and will be superseded by the existing impact field.

- Drop background field. This is usually just the package's
description, or some similar text. No reason to reproduce it in
GLSAs.

What does everyone think?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "https://www.gentoo.org/dtd/glsa-2.dtd">
<glsa id="202213-00">
<title>Nvidia Drivers: Multiple Vulnerabilities</title>
<announced>2022-13-00</announced>
<revised count="1">2022-13-00</revised>
<bug>764512</bug>
<bug>784596</bug>
<bug>803389</bug>
<bug>832867</bug>
<bug>845063</bug>
<bug>866527</bug>
<affected>
<any>
<and>
<constraint op="ge" atom="x11-drivers/nvidia-drivers-390"/>
<constraint op="lt" atom="x11-drivers/nvidia-drivers-390.154"/>
</and>
<and>
<constraint op="ge" atom="x11-drivers/nvidia-drivers-470"/>
<constraint op="lt" atom="x11-drivers/nvidia-drivers-470.141.03"/>
</and>
<and>
<constraint op="ge" atom="x11-drivers/nvidia-drivers-510.85"/>
<constraint op="lt" atom="x11-drivers/nvidia-drivers-510.85.02"/>
</and>
<and>
<constraint op="ge" atom="x11-drivers/nvidia-drivers-515.65"/>
<constraint op="lt" atom="x11-drivers/nvidia-drivers-515.65.01"/>
</and>
</any>
</affected>
<impact type="high">
<p>These vulnerabilities could allow a local user with low privileges to gain root privileges.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Nvidia drivers 390 users should upgrade to the latest version:</p>

<code>
# emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-390.154"
</code>

<p>All Nvidia drivers 470 users should upgrade to the latest version:</p>

<code>
# emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-470.141.03"
</code>

<p>All Nvidia drivers 510 users should upgrade to the latest version:</p>

<code>
# emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-510.85.02"
</code>

<p>All Nvidia drivers 515.65.01 users should upgrade to the latest version:</p>

<code>
# emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-515.65.01"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1052">CVE-2021-1052</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1053">CVE-2021-1053</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1056">CVE-2021-1056</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1076">CVE-2021-1076</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1077">CVE-2021-1077</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1090">CVE-2021-1090</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1093">CVE-2021-1093</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1094">CVE-2021-1094</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1095">CVE-2021-1095</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21813">CVE-2022-21813</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21814">CVE-2022-21814</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28181">CVE-2022-28181</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28183">CVE-2022-28183</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28184">CVE-2022-28184</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28185">CVE-2022-28185</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31607">CVE-2022-31607</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31608">CVE-2022-31608</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31615">CVE-2022-31615</uri>
</references>
<metadata tag="requester" timestamp="2022-09-28T14:25:19.979184Z">larry</metadata>
<metadata tag="reviewer" timestamp="2022-09-29T14:25:19.979184Z">notlarry</metadata>
<metadata tag="submitter" timestamp="2022-09-30T14:25:19.985055Z">larry</metadata>
</glsa>

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-dev] [RFC] A new GLSA schema "Michał Górny" <mgorny@g.o>
Re: [gentoo-dev] [RFC] A new GLSA schema Jonas Stein <jstein@g.o>
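The proposed affected block is only useful if a checker can evaluate the `<any>`/`<and>`/`<constraint>` tree against what is actually installed. The following is an added example of such an evaluator (editor's code, not part of the RFC and not Gentoo's glsa-check). It reuses the RFC's affected block as input and assumes: the element names `any`, `and` and `constraint` exactly as in the RFC example; the operators `ge` and `lt` from the RFC plus assumed `gt`, `le` and `eq`; a version comparison that implements only the numeric components and `-rN` revision of PMS section 3.3 (letter and `_suffix` parts are out of scope here); and an installed-package map of the shape `{category/pn: [version, ...]}` constructed inline instead of being read from `/var/db/pkg`. The tree is evaluated per installed instance, not per constraint, so that one slot satisfying `ge` and another slot satisfying `lt` cannot combine into a false positive.

```python
"""Evaluate a proposed-schema GLSA <affected> tree against installed packages.

Editor's example for the GLSA schema RFC; not glsa.git or portage code.
"""
import re
import xml.etree.ElementTree as ET

# The <affected> block from the RFC's example GLSA, reused here as test input.
AFFECTED_XML = """
<affected>
  <any>
    <and>
      <constraint op="ge" atom="x11-drivers/nvidia-drivers-390"/>
      <constraint op="lt" atom="x11-drivers/nvidia-drivers-390.154"/>
    </and>
    <and>
      <constraint op="ge" atom="x11-drivers/nvidia-drivers-470"/>
      <constraint op="lt" atom="x11-drivers/nvidia-drivers-470.141.03"/>
    </and>
    <and>
      <constraint op="ge" atom="x11-drivers/nvidia-drivers-510.85"/>
      <constraint op="lt" atom="x11-drivers/nvidia-drivers-510.85.02"/>
    </and>
    <and>
      <constraint op="ge" atom="x11-drivers/nvidia-drivers-515.65"/>
      <constraint op="lt" atom="x11-drivers/nvidia-drivers-515.65.01"/>
    </and>
  </any>
</affected>
"""

# PMS forbids a package name ending in "-<version>", so the first hyphen that
# is followed by a version string is the cut between cat/pn and the version.
_ATOM_RE = re.compile(r"^(?P<cp>.+?)-(?P<ver>\d[\d.]*(?:-r\d+)?)$")


def split_atom(atom):
    """Split 'cat/pn-ver' into ('cat/pn', 'ver')."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"not a versioned atom: {atom}")
    return m.group("cp"), m.group("ver")


def _split_rev(ver):
    base, _, rev = ver.partition("-r")
    return base, int(rev) if rev else 0


def vercmp(a, b):
    """Compare two Gentoo versions; returns -1, 0 or 1.

    Assumption: only the numeric components and the -rN revision of PMS 3.3
    are implemented (no letter or _suffix parts).
    """
    a_num, a_rev = _split_rev(a)
    b_num, b_rev = _split_rev(b)
    pa, pb = a_num.split("."), b_num.split(".")
    # The first component is always compared as an integer.
    if int(pa[0]) != int(pb[0]):
        return 1 if int(pa[0]) > int(pb[0]) else -1
    for x, y in zip(pa[1:], pb[1:]):
        if x.startswith("0") or y.startswith("0"):
            # PMS 3.3: a component with a leading zero is compared as a
            # string, with trailing zeros stripped (so 1.01 > 1.0).
            xs, ys = x.rstrip("0"), y.rstrip("0")
            if xs != ys:
                return 1 if xs > ys else -1
        elif int(x) != int(y):
            return 1 if int(x) > int(y) else -1
    if len(pa) != len(pb):
        return 1 if len(pa) > len(pb) else -1
    return (a_rev > b_rev) - (a_rev < b_rev)


# ge and lt appear in the RFC; gt, le and eq are assumed extensions.
OPS = {
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
    "le": lambda c: c <= 0,
    "lt": lambda c: c < 0,
    "eq": lambda c: c == 0,
}


def instance_matches(node, cp, ver):
    """Evaluate the logical tree for ONE installed instance (cp, ver)."""
    if node.tag == "any":
        return any(instance_matches(c, cp, ver) for c in node)
    if node.tag == "and":
        return all(instance_matches(c, cp, ver) for c in node)
    if node.tag == "constraint":
        atom_cp, atom_ver = split_atom(node.get("atom"))
        if atom_cp != cp:
            return False
        return OPS[node.get("op")](vercmp(ver, atom_ver))
    raise ValueError(f"unexpected element <{node.tag}> in <affected>")


def affected_instances(affected_xml, installed):
    """Return the (cp, ver) pairs in `installed` that the GLSA applies to.

    `installed` is {cp: [version, ...]}, e.g. scraped from /var/db/pkg.
    Each instance is run through the whole tree on its own; checking every
    <constraint> against "any installed version" would let one slot satisfy
    the ge bound and another slot the lt bound of the same <and>.
    """
    root = ET.fromstring(affected_xml)
    hits = []
    for cp, vers in installed.items():
        for ver in vers:
            if any(instance_matches(child, cp, ver) for child in root):
                hits.append((cp, ver))
    return hits


if __name__ == "__main__":
    # Constructed vdb snapshot, not real data.
    vdb = {"x11-drivers/nvidia-drivers": ["470.103.01"]}
    print(affected_instances(AFFECTED_XML, vdb))
```

Note that `510.85` itself is flagged (it satisfies `ge 510.85` and `lt 510.85.02`) while `515.65.01-r1` is not, since a Gentoo revision sorts above the unrevisioned version the `lt` bound names; a checker built on this schema needs a full PMS comparison, not string or float comparison, to get those boundaries right.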