SECURITY PATCHES FOR THE 2012-08-01 VULNERABILITY IN THE NVIDIA LINUX DRIVER


Q: What do the nvidia-blacklist-vga-registers-*.diff files do?

A: The files that accompany this README can be used to patch the NVIDIA
   Linux driver to protect against a privilege escalation vulnerability
   reported on August 1, 2012. The vulnerability is described at:

       http://nvidia.custhelp.com/app/answers/detail/a_id/3140


Q: Do I need to apply this patch?

A: Updated driver versions that close the vulnerability are available for
   download at http://www.nvidia.com/object/unix.html. If you already
   installed driver version 304.32, then no further action is necessary.
   The vulnerability is also fixed in newer drivers from release 304 and
   later releases.

   If you are using an older driver, and are not able to upgrade to a
   driver version which contains the security fix, then the provided
   patches can be used to apply the security fix to your existing driver.

   Note that driver version 304.32 and later contain additional changes
   beyond this patch, which allow the CUDA debugger to work correctly
   after fixing the security vulnerability, i.e., applying the patch
   closes the security vulnerability, but the patched driver will be
   incompatible with the CUDA debugger.


Q: Where do I get the patch?

A: The patch files should have accompanied this README file. If you
   received a copy of this README without the patch files, you can
   download them from:

       ftp://download.nvidia.com/XFree86/patches/security/2012-08-01


Q: How do I apply the patch?

A: Applying the patch is simple; just follow these easy steps:

   1) If you are using a driver version prior to 295.40 which has not
      already had the patch for CVE-2012-0946 applied, download the patch
      from:

          ftp://download.nvidia.com/XFree86/patches/security/CVE-2012-0946

      Apply the CVE-2012-0946 patch before applying this patch by
      following the instructions that accompany that patch. You can skip
      the last step in those instructions (install the patched driver),
      since you will need to apply a second patch before running the
      installer.

   2) Select and download the correct version of the patch for your
      driver. There are two separate versions of the patch:

      a) nvidia-blacklist-vga-pmu-registers-256-304.diff: for drivers
         from releases 256 through 304 (inclusive)

             MD5  54c391def640f526e56a0b8453911a69
             SHA1 c0d2bd12aeee4d5e02428ab9060e0d4cb37cf86c

      b) nvidia-blacklist-vga-pmu-registers-195.diff: for drivers from
         release 195 and earlier

             MD5  4d9eeb020da469b6c75cab6e05f4cf77
             SHA1 5f873bf487ee77d6504813dff49e283c07896f32

      (There were no releases between 195 and 256.)

   3) Locate your original .run installer file, or download a new copy.

      If you no longer have the installer file for your driver version,
      obtain a new copy from one of the following locations:

          http://www.nvidia.com/object/unix.html (archives section)
          ftp://download.nvidia.com/XFree86/

      If you are applying this patch to a driver version older than
      295.40, then instead of using the original .run installer file, you
      must use a .run installer file that has had the CVE-2012-0946 patch
      applied.

   4) Apply the patch to the driver installer.

      This is done using the "--apply-patch" commandline option, which
      takes the path to the patch file as an argument. As an example, to
      apply the patch to the installer for driver version 295.59 (32 bit),
      run:

          $ sh /path/to/NVIDIA-Linux-x86-295.59.run --apply-patch \
              /path/to/nvidia-blacklist-vga-registers-256-304.diff

      This package will create a new installer package file with a name
      ending in "-custom.run". This file can be used to install the
      patched driver. Again, for driver versions older than 295.40, use an
      installer that has had the CVE-2012-0946 patch applied, instead of
      the original installer.

      Note that when applying a patch to an existing "-custom.run" file,
      the newly patched installer will overwrite the previous
      "-custom.run" file.

   5) Run the patched installer.

      Run the custom installer that was created in step 4. Continuing from
      the example above:

          # sh /path/to/NVIDIA-Linux-x86-295.59-custom.run

      The custom installer will work just like the normal installer, and
      can take the same commandline options. As usual when installing the
      NVIDIA driver, this installer will need to be run as root, and while
      the GPU is not in use by X or any other application.
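
Steps 2 and 4 as a script that refuses to patch the installer unless the downloaded .diff matches the SHA1 listed in step 2. This is an added example, not part of NVIDIA's README or installer: the helper names are hypothetical, the patch file names are the ones listed in step 2, and sha1sum (GNU coreutils) is assumed to be installed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of the NVIDIA installer.
# Patch file names and SHA1 values are copied from step 2 of the README.

# Print the patch file name for a driver version such as 295.59.
select_patch() {
    major=${1%%.*}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -le 195 ]; then
        echo nvidia-blacklist-vga-pmu-registers-195.diff
    elif [ "$major" -ge 256 ] && [ "$major" -le 304 ]; then
        echo nvidia-blacklist-vga-pmu-registers-256-304.diff
    else
        return 1    # no patch listed for this release
    fi
}

# Print the SHA1 the README lists for a patch file name.
expected_sha1() {
    case $1 in
        *-256-304.diff) echo c0d2bd12aeee4d5e02428ab9060e0d4cb37cf86c ;;
        *-195.diff)     echo 5f873bf487ee77d6504813dff49e283c07896f32 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the file's SHA1 equals the expected value.
verify_sha1() {
    actual=$(sha1sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# Succeed if the version is prior to 295.40 (step 1 applies).
needs_cve_2012_0946() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case $major$minor in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -lt 295 ] || { [ "$major" -eq 295 ] && [ "$minor" -lt 40 ]; }
}

# Steps 2 and 4: pick the patch, verify it, then build the "-custom.run" file.
apply_verified_patch() {    # args: installer.run driver-version patch-dir
    patch=$(select_patch "$2") || { echo "no patch listed for $2" >&2; return 1; }
    verify_sha1 "$3/$patch" "$(expected_sha1 "$patch")" ||
        { echo "SHA1 mismatch for $patch; not applying" >&2; return 1; }
    if needs_cve_2012_0946 "$2"; then
        echo "$2 is prior to 295.40: use an installer with the CVE-2012-0946 patch" >&2
    fi
    sh "$1" --apply-patch "$3/$patch"
}
```

Call it as `apply_verified_patch /path/to/installer.run 295.59 /path/to/patch-dir`. Driver 304.32 and later need no patch, so check the installed version before running it.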