[Announce] [CVE-2013-0254] Qt Project Security Advisory: System V shared memory segments created world-writeable

List for announcements regarding Qt releases and development announce at qt-project.org
Tue Feb 5 08:22:52 CET 2013


Qt Project Security Advisory
----------------------------

Title:        POSIX shared memory segments created world-writeable
Tracking:     CVE-2013-0254
Risk Rating:  Low to Medium
Platforms:    Unix, including Mac OS X and Linux
Modules:      QtCore, QtGui, QPA plugin for XCB
Versions:     5.0.0 and previous, since 4.4.0
Author:       Thiago Macieira
Date:         4 February 2013

Overview
--------

Shared memory segments created inside the Qt library, either on behalf of the 
user via QSharedMemory or autonomously for XCB buffer sharing, are created with 
world-readable and world-writable permissions.

Details
-------

The QSharedMemory class was introduced in Qt 4.4 and provides a cross-platform 
mechanism for creating and attaching to shared memory blocks on a given 
system. On Unix systems, this is implemented by using the shared memory 
mechanism of the System V interprocess communication API (specifically, the 
segments are created using the shmget(2) system call).

Additionally, the X11 protocol supports a buffer sharing mechanism between the 
X server and the client using the same API in order to enhance the performance 
of transferring large images.

In both cases, Qt internally created all System V shared memory segments with 
world-readable and world-writeable permissions.

Impact
------

World-writeable shared memory segments created by Qt may be attached to and 
written to by other users on the same system, regardless of whether those 
users possess superuser privileges. A malicious user could overwrite the 
data and cause the Qt-based program to misbehave.

World-readable shared memory segments created by Qt may be attached to and
read from by other users on the same system, regardless of whether those users 
possess superuser privileges. A malicious user could use this to access 
sensitive information such as pixmaps being transmitted to the X server, or 
data being communicated by QSharedMemory.

This issue affects all Qt releases from 4.4.0 to 5.0.0. It does not affect Qt 
5.0.1.
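
An added example, not part of the original advisory or of Qt: on Linux the
kernel lists System V segments in /proc/sysvipc/shm, and this script flags
those whose mode grants read or write access to "other". The sample table is
constructed, and the function and variable names are illustrative.

```python
"""Flag System V shared memory segments accessible to 'other' (Linux)."""
import sys

# Constructed sample in the column layout of /proc/sysvipc/shm; all values are made up.
SAMPLE = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime        rss       swap
         0      32768   600     524288  2101  1650      2  1000  1000  1000  1000 1359960000          0 1359960000     524288          0
1364283434      65537   666       4096  2230  2230      1  1000  1000  1000  1000 1359960100          0 1359960100       4096          0
         0      98306  1777    1048576  2230  1650      2  1000  1000  1000  1000 1359960200          0 1359960200    1048576          0
         0     131075   640       8192  2300  2300      1  1001  1001  1001  1001 1359960300          0 1359960300       8192          0
"""

S_IROTH, S_IWOTH = 0o004, 0o002


def world_accessible(text):
    """Return one dict per segment that 'other' can read or write."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header, rows = lines[0], lines[1:]
    findings = []
    for row in rows:
        seg = dict(zip(header, row))
        # 'perms' is printed in octal. Bits above 0o777 are kernel flags
        # (for example SHM_DEST, 0o1000), so mask them off first.
        mode = int(seg["perms"], 8) & 0o777
        access = ("r" if mode & S_IROTH else "") + ("w" if mode & S_IWOTH else "")
        if access:
            findings.append({"shmid": int(seg["shmid"]), "key": int(seg["key"]),
                             "uid": int(seg["uid"]), "cpid": int(seg["cpid"]),
                             "mode": mode, "other": access})
    return findings


def main(path=None):
    # With no argument the constructed sample is used; pass /proc/sysvipc/shm
    # to audit the running system.
    if path:
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for f in world_accessible(text):
        print("shmid=%(shmid)d key=%(key)d uid=%(uid)d cpid=%(cpid)d "
              "mode=%(mode)04o other=%(other)s" % f)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

The cpid column is the creating process, which helps tie a flagged segment
back to the Qt-based program that needs updating.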

Workaround
----------

No workarounds are known.

Solution
--------

This problem is solved in Qt 5.0.1 and the forthcoming 4.8.5, and the 4.7.6 
patch releases. For other releases, apply the patch below:

  - 5.0: http://qt.gitorious.org/qt/qtbase/commit/856f209fb63ae336bfb389a12d2a75fa886dc1c5
  - 4.8: http://qt.gitorious.org/qt/qt/commit/20b26bdb3dd5e46b01b9a7e1ce8342074df3c89c
  - 4.7: http://qt.gitorious.org/qt/qt/commit/57756e72adf2081137b97f0e689dd16c770d10b1

This patch forces all System V shared memory segments to be created with user-
only permissions, denying reading and writing from other users in the system. 

A side-effect of this patch is that QSharedMemory can no longer be used to 
share memory with different users in the same system. A solution for that 
requires new API and will be investigated for Qt 5.1.0.

There may also be a drop in performance for X11 programs running in a system 
where the X server itself does not run with superuser privileges. This problem 
is known to the X community and may be solved in a future version by way of a 
new protocol extension.

Timeline
--------
29 November 2012 - Issue reported privately by Tim Brown
03 December 2012 - Issue disclosed to the Qt security team
20 December 2012 - Patch created
15-25 January 2013 - Patch applied to codelines
04 February 2013 - Advisory released

Credits
-------
Many thanks to Tim Brown and Mark Lowe of Portcullis Computer Security 
Ltd.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel Open Source Technology Center
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
