Regarding my post here on 18.Oct.2006: http://lists.debian.org/debian-security/2006/10/msg00046.html
Nvidia has published a bulletin on this security hole :
  http://nvidia.custhelp.com/cgi-bin/nvidia.cfg/php/enduser/std_adp.php?p_faqid=1971
(dated 20th.Oct - sorry, only just found it)

Here are some salient points :

* NVIDIA confirms that there is a security vulnerability in the NVIDIA UNIX Graphics drivers, versions 1.0-8762 and 1.0-8774, as reported in Security Advisory R7-0025, "Buffer Overflow in NVIDIA Binary Graphics Driver For Linux" (http://download2.rapid7.com/r7-0025/).

* This bug was in the NVIDIA X driver's Render acceleration layer. The bug can be avoided in affected drivers by disabling Render acceleration via the "RenderAccel" X configuration option.

* NVIDIA can confirm that this bug is only present in the NVIDIA UNIX Graphics drivers 1.0-8762 and 1.0-8774, and is fixed starting with 1.0-8776. Also, this bug is not present in driver versions older than 1.0-8762

* We encourage users of NVIDIA graphics driver version 1.0-8762 or 1.0-8774 to upgrade to 1.0-8776, available here: http://www.nvidia.com/object/unix.html

So while Etch and Sid users may want to observe that last advice (I don't know what the current state of packaging is for this driver there), those of us using Sarge can just go back to using the packaged Nvidia graphics driver - 1.0-7174 - because it doesn't contain the security hole.

Great !

/me thanks lucky stars this bit of Debian stable is so far behind the bleeding edge :-)

Nick Boyce
Bristol, UK
--
Will no one rid me of this troublesome chair ?
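
The check described in the bulletin, as an added example that is not part of the original post or of NVIDIA's text: it decides whether a host runs one of the two affected driver versions and, if so, whether the "RenderAccel" workaround is set in every nvidia Device section. It assumes the driver version is read from the "NVRM version:" line of /proc/driver/nvidia/version and uses a simplified xorg.conf parser; the function names and sample inputs are constructed for illustration.

```python
import re

AFFECTED = {"1.0-8762", "1.0-8774"}  # named in the bulletin; fixed from 1.0-8776
FALSE_VALUES = {"0", "false", "off", "no"}

def driver_version(proc_text):
    """Pull the driver version out of the 'NVRM version:' line (format assumed)."""
    for line in proc_text.splitlines():
        if line.startswith("NVRM version:"):
            m = re.search(r"\b\d+\.\d+-\d+\b", line)
            if m:
                return m.group(0)
    return None

def render_accel_disabled(xorg_conf):
    """True only if every nvidia Device section sets RenderAccel to a false value."""
    results, in_device, driver, accel_off = [], False, None, False
    for raw in xorg_conf.splitlines():
        pairs = re.findall(r'"([^"]*)"|(\S+)', raw.split("#", 1)[0])
        tokens = [quoted or bare for quoted, bare in pairs]
        if not tokens:
            continue
        key = tokens[0].lower()
        if key == "section":
            in_device = len(tokens) > 1 and tokens[1].lower() == "device"
            driver, accel_off = None, False
        elif key == "endsection":
            if in_device and driver == "nvidia":
                results.append(accel_off)
            in_device = False
        elif in_device and key == "driver" and len(tokens) > 1:
            driver = tokens[1].lower()
        elif (in_device and key == "option" and len(tokens) > 2
              and tokens[1].lower() == "renderaccel"):
            accel_off = tokens[2].lower() in FALSE_VALUES
    return bool(results) and all(results)

def assess(proc_text, xorg_conf):
    version = driver_version(proc_text)
    if version is None:
        return "unknown: no NVRM version line found"
    if version not in AFFECTED:
        return f"{version}: not an affected version"
    if render_accel_disabled(xorg_conf):
        return f"{version}: affected, RenderAccel disabled (workaround in place)"
    return f"{version}: affected, RenderAccel not disabled; upgrade to 1.0-8776"

# Constructed sample inputs, not captured from a real system.
SAMPLE_PROC = "NVRM version: NVIDIA Linux x86 Kernel Module  1.0-8774  Tue Aug  1 21:48:03 PDT 2006\n"
SAMPLE_XORG = 'Section "Device"\n    Identifier "Card0"\n    Driver "nvidia"\n    Option "RenderAccel" "false"  # workaround\nEndSection\n'

if __name__ == "__main__":
    print(assess(SAMPLE_PROC, SAMPLE_XORG))
```

On a real host the two arguments would be the contents of /proc/driver/nvidia/version and of the X configuration file in use.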

