[Announce] [CVE-2013-0254] Qt Project Security Advisory: System V shared memory segments created world-writeable
List for announcements regarding Qt releases and development
announce at qt-project.org
Tue Feb 5 08:22:52 CET 2013
Qt Project Security Advisory
Title: POSIX shared memory segments created world-writeable
Risk Rating: Low to Medium
Platforms: Unix, including Mac OS X and Linux
Modules: QtCore, QtGui, QPA plugin for XCB
Versions: 5.0.0 and previous, since 4.4.0
Author: Thiago Macieira
Date: 4 February 2013
Shared memory segments created inside the Qt library, either on behalf of the
user via QSharedMemory or autonomously for XCB buffer sharing, are created with
world-readable and world-writable permissions.
The QSharedMemory class was introduced in Qt 4.4 and provides a cross-platform
mechanism for creating and attaching to shared memory blocks on a given
system. On Unix systems, this is implemented by using the shared memory
mechanism of the System V interprocess communication API (in specific, they are
created using the shmget(2) system call).
Additionally, the X11 protocol supports a buffer sharing mechanism between the
X server and the client using the same API in order to enhance the performance
of transferring large images.
In both cases, Qt internally created all System V shared memory segments with
world-readable and world-writeable permissions.
World-writeable shared memory segments created by Qt may be attached to and
written to by other users on the same system, regardless of whether those
users possess superuser privileges. The malicious user could overwrite the
data and cause the Qt-based program to misbehave.
World-readable shared memory segments created by Qt may be attached to and
read from by other users on the same system, regardless of whether those users
possess superuser privileges. The malicious user could use this to access
sensitive information such as pixmaps being transmitted to the X server, or
data being communicated by QSharedMemory.
This issue affects all Qt releases from 4.4.0 to 5.0.0. It does not affect Qt
No workarounds are known.
This problem is solved in Qt 5.0.1 and the forthcoming 4.8.5, and the 4.7.6
patch releases. For other releases, apply the patch below:
This patch forces all System V shared memory segments to be created with user-
only permissions, denying reading and writing from other users in the system.
A side-effect of this patch is that QSharedMemory can no longer be used to
share memory with different users in the same system. A solution for that
requires new API and will be investigated for Qt 5.1.0.
There may also be a drop in performance for X11 programs running in a system
where the X server itself does not run with superuser privileges. This problem
is known to the X community and may be solved in a future version by way of a
new protocol extension.
29 November 2012 - Issue reported privately by Tim Brown
03 December 2012 - Issue disclosed to the Qt security team
20 December 2012 - Patch created
15-25 January 2013 - Patch applied to codelines
04 February 2013 - Advisory released
Many thanks to Tim Brown and Mark Lowe of Portcullis Computer Security
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
Software Architect - Intel Open Source Technology Center
PGP/GPG: 0x6EF45358; fingerprint:
E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358
More information about the Announce