From: Adam McDougall
Date: Sun, 14 Dec 2014 12:19:16 -0500
To: svn-ports-all@freebsd.org
Cc: danfe@FreeBSD.org
Subject: Re: Forbidden due to CVE-2014-8298: nvidia-driver-173, nvidia-driver-96, nvidia-driver-71
Message-ID: <548DC694.4030701@egr.msu.edu>
In-Reply-To: <20141214114244.GA2487@FreeBSD.org>
References: <201412141121.sBEBLsvP017491@svn.freebsd.org> <20141214114244.GA2487@FreeBSD.org>
List-Id: SVN commit messages for the ports tree

On 12/14/2014 06:42, Alexey Dokuchaev wrote:
> On Sun, Dec 14, 2014 at 11:21:54AM +0000, Alexey Dokuchaev wrote:
>> New Revision: 374697
>> URL: https://svnweb.freebsd.org/changeset/ports/374697
>> QAT: https://qat.redports.org/buildarchive/r374697/
>>
>> Log:
>>   Mark legacy branches -173, -96, and -71 as FORBIDDEN: they are
>>   unsupported by NVidia and no security updates for them were issued
>>   to fix CVE-2014-8298.
>>
>>   Security: fdf72a0e-8371-11e4-bc20-001636d274f3
>
> I've marked these ports FORBIDDEN for now, but their fate is yet to be decided.
> The last update to the -173 legacy branch, 173.14.39, added support for X.org xserver
> ABI 15 (xorg-server 1.15), and it was confirmed to work with the upcoming v1.14
> update (PR 195781), so it would be unfortunate to lose it just because NVidia
> does not care about it anymore and won't provide a fix for CVE-2014-8298.
>
> On the other hand, NVidia did provide mitigation techniques:
>
> - Configure the X server to prohibit X connections from the local area
>   network (by passing the "-nolisten tcp" command line option to the X.Org
>   X server) -- which we also default to, or
> - Disable GLX indirect contexts. With any of the fixed NVIDIA driver
>   versions mentioned above, indirect GLX contexts can be prohibited by
>   setting the "AllowIndirectGLXProtocol" X configuration option to False,
>   or setting the "-iglx" X server command line option on X.Org 1.16 or
>   newer.
>
> So perhaps instead of forbidding them and subsequently removing them, we can
> provide a pkg-message that tells users what they are facing and how to stay
> safe (with a legal bla-bla about how FreeBSD cannot guarantee anything
> if you use this vulnerable, unmaintained upstream port)?
>
> I wonder what other people think.
>
> ./danfe

I'm worried about whether people will see it. At least the nvidia driver has a higher chance of being installed individually rather than in a large list of ports or packages where the message will be lost in the noise. When I set up a new computer, I still don't install them one by one.
For hardware that is so old that people need a legacy driver, maybe people should just have to be pointed at instructions in the Makefile and cause them to make their own decision? Can they be marked FORBIDDEN with the explanations you provided above, but kept for some period of time? Maybe a note to email a particular address if you still benefit from this driver, and if nobody emails within a year, remove it? It just feels wrong to me for FreeBSD to willfully allow installation of known vulnerable software, even if it is more convenient.
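The two mitigations quoted above ("-nolisten tcp", and disabling indirect GLX via "-iglx" or the NVIDIA "AllowIndirectGLXProtocol" option) are easy to state but easy to get wrong on a machine that has been upgraded a few times. The following POSIX shell script is an added example, not part of this thread or of the ports tree, that checks for them offline: each function takes the text to inspect as its first argument, so it can be run against the constructed samples embedded below or against the real output of `ps axww`, `sockstat -4 -l` and the contents of xorg.conf on a FreeBSD host. The sample lines, the `fixed`/`legacy` branch argument and the function names are assumptions made for this example; the rule that "AllowIndirectGLXProtocol" only helps on the fixed driver releases comes straight from the quoted NVIDIA text.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the mitigations
# NVIDIA listed for CVE-2014-8298 on a FreeBSD X.Org host. Exit status 0 from
# a check means "present". Inputs are passed as strings; the samples at the
# bottom are constructed, not captured from a real machine.

# X server command line carries "-nolisten tcp" (the FreeBSD default).
x_has_nolisten_tcp() {
    printf '%s\n' "$1" | grep -Eq '(^|/|[[:space:]])(Xorg|X)[[:space:]].*-nolisten[[:space:]]+tcp'
}

# X server command line carries "-iglx" (X.Org 1.16 or newer).
x_has_iglx_flag() {
    printf '%s\n' "$1" | grep -Eq '(^|/|[[:space:]])(Xorg|X)[[:space:]].*[[:space:]]-iglx([[:space:]]|$)'
}

# Something is listening on a TCP X display port (6000-6063): if this is the
# case, "-nolisten tcp" is not actually in effect, whatever rc.conf says.
x_listening_on_tcp() {
    printf '%s\n' "$1" | grep -Eq '[[:space:]]tcp[46]?[[:space:]]+[^[:space:]]*:60[0-6][0-9]([[:space:]]|$)'
}

# xorg.conf turns the NVIDIA option AllowIndirectGLXProtocol off.
xorg_conf_disables_iglx() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*Option[[:space:]]+"AllowIndirectGLXProtocol"[[:space:]]+"(false|off|no|0)"'
}

# Combined verdict: returns 0 when remote indirect GLX is blocked, 1 otherwise.
# Arguments: ps output, sockstat output, xorg.conf text, and "fixed" or
# "legacy" for the driver branch in use (the conf option only works on "fixed").
iglx_mitigated() {
    ps_out=$1; sock_out=$2; conf=$3; branch=$4
    if x_listening_on_tcp "$sock_out"; then
        echo "X is accepting TCP connections; -nolisten tcp is not in effect"
    elif x_has_nolisten_tcp "$ps_out"; then
        echo "mitigated: X does not listen on TCP"; return 0
    fi
    if x_has_iglx_flag "$ps_out"; then
        echo "mitigated: indirect GLX disabled with -iglx"; return 0
    fi
    if xorg_conf_disables_iglx "$conf"; then
        if [ "$branch" = fixed ]; then
            echo "mitigated: AllowIndirectGLXProtocol=False on a fixed driver"; return 0
        fi
        echo "AllowIndirectGLXProtocol=False is set, but the legacy driver does not honour it"
    fi
    echo "NOT mitigated: indirect GLX is reachable over the network"
    return 1
}

# Constructed samples in the shape of `ps axww`, `sockstat -4 -l` and xorg.conf.
PS_SAFE='1234  -  Ss   0:00.10 /usr/local/bin/Xorg :0 -nolisten tcp vt09'
PS_OPEN='1234  -  Ss   0:00.10 /usr/local/bin/Xorg :0 vt09'
PS_IGLX='1234  -  Ss   0:00.10 /usr/local/bin/Xorg :0 -iglx vt09'
SOCK_SAFE='root     sshd       600   4  tcp4   *:22                  *:*'
SOCK_OPEN="$SOCK_SAFE
root     Xorg       1234  3  tcp4   *:6000                *:*"
CONF_NONE='Section "Screen"
    Identifier "Screen0"
    Device     "nvidia"
EndSection'
CONF_IGLX_OFF='Section "Screen"
    Identifier "Screen0"
    Device     "nvidia"
    Option     "AllowIndirectGLXProtocol" "False"
EndSection'

# Demo: the worst case for a legacy-branch user, X on TCP and only the
# (ineffective) config option set.
iglx_mitigated "$PS_OPEN" "$SOCK_OPEN" "$CONF_IGLX_OFF" legacy || :
```

On a live host, feed the three real inputs, for example `iglx_mitigated "$(ps axww)" "$(sockstat -4 -l)" "$(cat /etc/X11/xorg.conf)" legacy`. The listening-socket check is deliberately evaluated before the command-line check: a stale rc script or a display manager that starts X with its own arguments can leave port 6000 open even when the flag is expected to be there.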