From: List for announcements regarding Qt releases and development <announce <at> qt-project.org>
Subject: [Announce] [CVE-2013-0254] Qt Project Security Advisory: System V shared memory segments created world-writeable
Newsgroups: gmane.comp.lib.qt.devel
Date: Tuesday 5th February 2013 07:22:52 UTC (over 4 years ago)
Qt Project Security Advisory
----------------------------

Title:        POSIX shared memory segments created world-writeable
Tracking:     CVE-2013-0254
Risk Rating:  Low to Medium
Platforms:    Unix, including Mac OS X and Linux
Modules:      QtCore, QtGui, QPA plugin for XCB
Versions:     5.0.0 and previous, since 4.4.0
Author:       Thiago Macieira
Date:         4 February 2013

Overview
--------

Shared memory segments created inside the Qt library, either on behalf of
the user via QSharedMemory or autonomously for XCB buffer sharing, are
created with world-readable and world-writable permissions.

Details
-------

The QSharedMemory class was introduced in Qt 4.4 and provides a
cross-platform mechanism for creating and attaching to shared memory blocks
on a given system. On Unix systems, this is implemented by using the shared
memory mechanism of the System V interprocess communication API
(specifically, the segments are created using the shmget(2) system call).

Additionally, the X11 protocol supports a buffer sharing mechanism between
the X server and the client using the same API in order to enhance the
performance of transferring large images.

In both cases, Qt internally created all System V shared memory segments
with world-readable and world-writeable permissions.

Impact
------

World-writeable shared memory segments created by Qt may be attached to and
written to by other users on the same system, regardless of whether those
users possess superuser privileges. The malicious user could overwrite the
data and cause the Qt-based program to misbehave.

World-readable shared memory segments created by Qt may be attached to and
read from by other users on the same system, regardless of whether those
users possess superuser privileges. The malicious user could use this to
access sensitive information such as pixmaps being transmitted to the X
server, or data being communicated by QSharedMemory.

This issue affects all Qt releases from 4.4.0 to 5.0.0. It does not affect
Qt 5.0.1.

Workaround
----------

No workarounds are known.

Solution
--------

This problem is solved in Qt 5.0.1 and the forthcoming 4.8.5, and the 4.7.6
patch releases. For other releases, apply the patch below:

  - 5.0: http://qt.gitorious.org/qt/qtbase/commit/856f209fb63ae336bfb389a12d2a75fa886dc1c5
  - 4.8: http://qt.gitorious.org/qt/qt/commit/20b26bdb3dd5e46b01b9a7e1ce8342074df3c89c
  - 4.7: http://qt.gitorious.org/qt/qt/commit/57756e72adf2081137b97f0e689dd16c770d10b1

This patch forces all System V shared memory segments to be created with
user-only permissions, denying reading and writing from other users in the
system.

A side-effect of this patch is that QSharedMemory can no longer be used to 
share memory with different users in the same system. A solution for that 
requires new API and will be investigated for Qt 5.1.0.

There may also be a drop in performance for X11 programs running in a
system where the X server itself does not run with superuser privileges.
This problem is known to the X community and may be solved in a future
version by way of a new protocol extension.

Timeline
--------
29 November 2012 - Issue reported privately by Tim Brown
03 December 2012 - Issue disclosed to the Qt security team
20 December 2012 - Patch created
15-25 January 2013 - Patch applied to codelines
04 February 2013 - Advisory released

Credits
-------
Many thanks to Tim Brown and Mark Lowe of Portcullis Computer Security Ltd.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel Open Source Technology Center
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
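
The permission behaviour described under Details and Solution, as an added
example that is not part of the original advisory or of Qt's own code: the
mode bits passed to shmget(2) are stored as given and are not narrowed by the
process umask, so a restrictive umask does not protect a segment. The literal
modes 0666 and 0600 and the function names are assumptions made for
illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>

/* Create a private 4 KiB segment with the requested mode, read back the
 * permission bits the kernel recorded, then remove the segment.
 * Returns the low 9 mode bits, or -1 on error. */
int shm_mode_after_create(int mode)
{
    struct shmid_ds ds;
    int result = -1;
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | IPC_EXCL | mode);

    if (id == -1)
        return -1;
    if (shmctl(id, IPC_STAT, &ds) == 0)
        result = ds.shm_perm.mode & 0777;
    shmctl(id, IPC_RMID, NULL);   /* never leave the test segment behind */
    return result;
}

/* Nonzero when users outside the owner and group may read or write. */
int shm_world_accessible(int mode)
{
    return (mode & (S_IROTH | S_IWOTH)) != 0;
}

int main(void)
{
    /* 0666 mirrors the world-readable/writable creation the advisory
     * describes; 0600 is an assumed spelling of "user-only". */
    int modes[] = { 0666, 0600 };

    umask(077);  /* affects open()/mkdir(), but not shmget() */
    for (int i = 0; i < 2; i++) {
        int got = shm_mode_after_create(modes[i]);
        if (got < 0) { perror("shmget/shmctl"); return 1; }
        printf("requested %04o -> stored %04o (%s)\n", modes[i], got,
               shm_world_accessible(got) ? "world-accessible" : "owner only");
    }
    return 0;
}
```

On a running system, the same permission bits appear in the perms column of
`ipcs -m`.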