Bug 950755 (CVE-2013-7445) - VUL-1: CVE-2013-7445: kernel: The Direct Rendering Manager (DRM) subsystem web page triggerable DOS in Linux DRM graphics
Status: RESOLVED WONTFIX
Alias: CVE-2013-7445
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low : Minor
Target Milestone: ---
Assignee: Takashi Iwai
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/157835/
Whiteboard: CVSSv2:NVD:CVE-2013-7445:7.8:(AV:N/AC...
Keywords:
Depends on:
Blocks: 950947
Reported: 2015-10-16 13:13 UTC by Andreas Stieger
Modified: 2019-07-05 09:23 UTC
6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2015-10-16 13:13:15 UTC
CVE-2013-7445

The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x
mishandles requests for Graphics Execution Manager (GEM) objects, which allows
context-dependent attackers to cause a denial of service (memory consumption)
via an application that processes graphics data, as demonstrated by JavaScript
code that creates many CANVAS elements for rendering by Chrome or Firefox.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7445
https://bugzilla.kernel.org/show_bug.cgi?id=60533

The SUSE Security team is doubtful as to the security relevance of this bug outside of the desktop context.
Comment 2 Swamp Workflow Management 2015-10-16 22:01:17 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2015-10-19 09:25:12 UTC
NVD CVSS score is >= 6.0, so live patch ...
Comment 7 Michal Hocko 2016-05-30 09:03:58 UTC
So are we going to WONTFIX?
Comment 8 Takashi Iwai 2016-05-30 09:11:47 UTC
(In reply to Michal Hocko from comment #7)
> So are we going to WONTFIX?

I'd happily do it if I'm allowed.  Honestly, I don't know whether it's OK to do it for a security issue in general...
Comment 9 Marcus Meissner 2016-05-30 11:32:23 UTC
perl bin/addnote CVE-2013-7445 "This issue affects kernels before Linux Kernel 4.0. It is however not trivial to fix, so we are currently not planning on addressing this problem."
Comment 10 Marcus Meissner 2016-05-30 11:46:10 UTC
We can document it in such cases. I posted a note to the CVE page.