Community Packages


FS#74894 - package nvidia-utils contains high security concerns.

Attached to Project: Community Packages
Opened by Kevin Yue (yuezk) - Sunday, 29 May 2022, 09:58 GMT
Last edited by Sven-Hendrik Haase (Svenstaro) - Sunday, 05 June 2022, 23:37 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Sven-Hendrik Haase (Svenstaro)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

The nvidia-utils package (https://archlinux.org/packages/extra/x86_64/nvidia-utils/) installs an `nvidia-dbus.conf`, which is not implemented in a secure way. After installation, it allows all the dbus services on the OS to be called without explicit permissions.

For the package itself, it should not install `nvidia-dbus.conf` by default.

Additional info:
* package version(s) 510.73.05 and above. The old versions could have this problem as well, but I didn't verify it.
* config and/or log files etc.
* link to upstream bug report, if any https://forums.developer.nvidia.com/t/nvidia-dbus-conf-lead-to-high-security-concerns/215303

Steps to reproduce:

1. Install the nvidia driver.
2. Notice that the `nvidia-dbus.conf` has been installed at `/usr/share/dbus-1/system.d/` folder.
3. All the dbus services on the OS can be called without explicit permissions.
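As an added, defender-side example that is not part of this report or of the nvidia-utils package: a small Python check that parses D-Bus system-bus policy files and flags `<allow>` rules in the catch-all `context="default"` policy that are not pinned to a specific bus name. The sample policy embedded in it is constructed for illustration and is not the contents of `nvidia-dbus.conf`, which this report does not reproduce.

```python
import os
import glob
import xml.etree.ElementTree as ET

# Constructed sample of a D-Bus system-bus policy file. It is NOT the contents
# of nvidia-dbus.conf (this report does not reproduce that file); it only shows
# the difference between a catch-all grant and a rule pinned to one bus name.
SAMPLE_POLICY = """<busconfig>
  <policy context="default">
    <allow send_destination="*"/>
    <allow send_type="method_call"/>
  </policy>
  <policy user="root">
    <allow own="org.example.Service"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Service"
           send_interface="org.example.Service.Read"/>
  </policy>
</busconfig>
"""

SEND_ATTRS = ("send_destination", "send_interface", "send_member",
              "send_path", "send_type")

def find_overbroad_rules(xml_text):
    """Return the attribute dicts of <allow> rules inside context="default"
    policies (which apply to every caller) that are not pinned to a specific
    bus name: send rules with no destination or destination="*", and own="*"."""
    findings = []
    for policy in ET.fromstring(xml_text).findall("policy"):
        if policy.get("context") != "default":
            continue  # user="..." / group="..." policies are scoped; skip them
        for rule in policy.findall("allow"):
            attrs = dict(rule.attrib)
            dest = attrs.get("send_destination")
            if any(a in attrs for a in SEND_ATTRS) and dest in (None, "*"):
                findings.append(attrs)
            elif attrs.get("own") == "*":
                findings.append(attrs)
    return findings

def scan_policy_dirs(dirs=("/usr/share/dbus-1/system.d", "/etc/dbus-1/system.d")):
    """Map each .conf file under the given directories to its over-broad rules."""
    report = {}
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.conf"))):
            with open(path, encoding="utf-8") as fh:
                hits = find_overbroad_rules(fh.read())
            if hits:
                report[path] = hits
    return report

if __name__ == "__main__":
    print(find_overbroad_rules(SAMPLE_POLICY))
    for path, hits in scan_policy_dirs().items():
        print(path, hits)
```

Run on a host after the driver is installed, the directory scan lists every system-bus policy file that grants unscoped send or own rights to all callers.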


Closed by Sven-Hendrik Haase (Svenstaro)
Sunday, 05 June 2022, 23:37 GMT
Reason for closing: Fixed
Additional comments about closing: File is removed for the time being. Please push upstream to fix the permissions.
Comment by Sven-Hendrik Haase (Svenstaro) - Sunday, 29 May 2022, 17:53 GMT
So while it's clearly an upstream problem to be shipping insecurely configured files, I will immediately remove the file from the package with a note to this bug report. Thanks.

To note, I will reinstate the file once upstream figures out a way to make that more secure. Please keep pushing upstream to fix it!
