FS#74894 - package nvidia-utils contains high security concerns.
Attached to Project:
Community Packages
Opened by Kevin Yue (yuezk) - Sunday, 29 May 2022, 09:58 GMT
Last edited by Sven-Hendrik Haase (Svenstaro) - Sunday, 05 June 2022, 23:37 GMT
Details
Description:
The nvidia-utils package (https://archlinux.org/packages/extra/x86_64/nvidia-utils/) installs an `nvidia-dbus.conf`, which is not implemented in a secure way. After installation, it will lead to all the dbus services on the OS being callable without explicit permissions. For the package itself, it should not install `nvidia-dbus.conf` by default.

Additional info:
* package version(s): 510.73.05 and above. The old versions could have this problem as well, but I didn't verify it.
* config and/or log files etc.
* link to upstream bug report, if any: https://forums.developer.nvidia.com/t/nvidia-dbus-conf-lead-to-high-security-concerns/215303

Steps to reproduce:
1. Install the nvidia driver.
2. Notice that the `nvidia-dbus.conf` has been installed in the `/usr/share/dbus-1/system.d/` folder.
3. All the dbus services on the OS can be called without explicit permissions.
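An added example, not part of the original report or of the nvidia-utils package: a Python audit that flags D-Bus policy `<allow>` rules permitting method calls to any destination, the class of problem the description reports. The sample XML is constructed and is not the contents of `nvidia-dbus.conf`; the function names `broad_allow_rules` and `scan_dir` are hypothetical.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Attributes that make an <allow> rule apply to messages being sent.
SEND_ATTRS = {"send_type", "send_interface", "send_member", "send_path",
              "send_error", "send_requested_reply", "send_broadcast"}
# Attributes that tie a send rule to one service (or one name prefix).
DEST_ATTRS = {"send_destination", "send_destination_prefix"}

# Constructed samples for illustration; NOT the contents of nvidia-dbus.conf.
BROAD = """<busconfig><policy context="default">
  <allow own="org.example.Daemon"/>
  <allow send_type="method_call"/>
</policy></busconfig>"""
SCOPED = """<busconfig><policy context="default">
  <allow own="org.example.Daemon"/>
  <allow send_destination="org.example.Daemon" send_type="method_call"/>
  <allow send_requested_reply="true" send_type="method_return"/>
</policy></busconfig>"""

def broad_allow_rules(xml_text):
    """Return attrs of <allow> rules that let every peer call any destination."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        if policy.get("context") is None:
            continue  # user=/group= policies are scoped to one identity
        for rule in policy.iter("allow"):
            attrs = rule.attrib
            if not SEND_ATTRS & attrs.keys():
                continue  # own= and receive_* rules are out of scope here
            if DEST_ATTRS & attrs.keys():
                continue  # limited to a named service
            if attrs.get("send_type", "method_call") != "method_call":
                continue  # replies, errors and signals are not method calls
            findings.append(dict(attrs))
    return findings

def scan_dir(directory="/usr/share/dbus-1/system.d"):
    """Map each policy file in `directory` to its broad rules; clean files are omitted."""
    report = {}
    for conf in sorted(Path(directory).glob("*.conf")):
        try:
            rules = broad_allow_rules(conf.read_text())
        except (ET.ParseError, OSError, UnicodeDecodeError) as exc:
            rules = [{"error": str(exc)}]  # unreadable files are reported, not skipped
        if rules:
            report[str(conf)] = rules
    return report

if __name__ == "__main__":
    for path, rules in scan_dir().items():
        print(path, rules)
```

A flagged rule is a prompt for review: confirm whether the same permission can be expressed with `send_destination` naming the one service the package needs.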
Closed by Sven-Hendrik Haase (Svenstaro)
Sunday, 05 June 2022, 23:37 GMT
Reason for closing: Fixed
Additional comments about closing: File is removed for the time being. Please push upstream to fix the permissions.
To note, I will reinstate the file once upstream figures out a way to make that more secure. Please keep pushing upstream to fix it!