Qt Project Security Advisory
----------------------------

Title:        POSIX shared memory segments created world-writeable
Tracking:     CVE-2013-0254
Risk Rating:  Low to Medium
Platforms:    Unix, including Mac OS X and Linux
Modules:      QtCore, QtGui, QPA plugin for XCB
Versions:     5.0.0 and previous, since 4.4.0
Author:       Thiago Macieira
Date:         4 February 2013

Overview
--------

Shared memory segments created inside the Qt library, either on behalf of the
user via QSharedMemory or autonomously for XCB buffer sharing, are created with
world-readable and world-writable permissions.

Details
-------

The QSharedMemory class was introduced in Qt 4.4 and provides a cross-platform
mechanism for creating and attaching to shared memory blocks on a given system.
On Unix systems, this is implemented by using the shared memory mechanism of
the System V interprocess communication API (specifically, the segments are
created using the shmget(2) system call).

Additionally, the X11 protocol supports a buffer sharing mechanism between the
X server and the client using the same API in order to enhance the performance
of transferring large images.

In both cases, Qt internally created all System V shared memory segments with
world-readable and world-writeable permissions.

Impact
------

World-writeable shared memory segments created by Qt may be attached to and
written to by other users on the same system, regardless of whether those users
possess superuser privileges. The malicious user could overwrite the data and
cause the Qt-based program to misbehave.

World-readable shared memory segments created by Qt may be attached to and read
from by other users on the same system, regardless of whether those users
possess superuser privileges. The malicious user could use this to access
sensitive information such as pixmaps being transmitted to the X server, or
data being communicated by QSharedMemory.

This issue affects all Qt releases from 4.4.0 to 5.0.0. It does not affect
Qt 5.0.1.

Workaround
----------

No workarounds are known.

Solution
--------

This problem is solved in Qt 5.0.1 and the forthcoming 4.8.5, and the 4.7.6
patch releases.

For other releases, apply the patch below:

 - 5.0: http://qt.gitorious.org/qt/qtbase/commit/856f209fb63ae336bfb389a12d2a75fa886dc1c5
 - 4.8: http://qt.gitorious.org/qt/qt/commit/20b26bdb3dd5e46b01b9a7e1ce8342074df3c89c
 - 4.7: http://qt.gitorious.org/qt/qt/commit/57756e72adf2081137b97f0e689dd16c770d10b1

This patch forces all System V shared memory segments to be created with
user-only permissions, denying reading and writing from other users in the
system.

A side-effect of this patch is that QSharedMemory can no longer be used to
share memory with different users in the same system. A solution for that
requires new API and will be investigated for Qt 5.1.0.

There may also be a drop in performance for X11 programs running in a system
where the X server itself does not run with superuser privileges. This problem
is known to the X community and may be solved in a future version by way of a
new protocol extension.

Timeline
--------

29 November 2012   - Issue reported privately by Tim Brown
03 December 2012   - Issue disclosed to the Qt security team
20 December 2012   - Patch created
15-25 January 2013 - Patch applied to codelines
04 February 2013   - Advisory released

Credits
-------

Many thanks to Tim Brown and Mark Lowe of Portcullis Computer Security Ltd.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel Open Source Technology Center
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
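
The permission difference described under Details and Solution can be checked directly against the kernel. The following is an added example, not code from the advisory or from Qt: it creates a private System V segment with a given mode, reads the mode back with IPC_STAT and removes the segment again. The octal modes 0666 and 0600 and the function names are assumptions chosen to stand for "world-readable and world-writeable" and "user-only".

```c
/* Added example (not Qt code): report whether a System V shared memory
 * segment created with a given mode is accessible to other accounts. */
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>

/* Permission bits that let accounts other than the owner attach. */
#define NON_OWNER_BITS (S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH)

/* Returns the non-owner read/write bits set in a segment mode (0 = user-only). */
int exposed_bits(int mode)
{
    return mode & NON_OWNER_BITS;
}

/* Creates a private segment with the given permissions, reads the mode back
 * from the kernel with IPC_STAT, removes the segment, and returns the
 * permission bits, or -1 if System V shared memory is unavailable. */
int created_segment_mode(int perms)
{
    struct shmid_ds ds;
    int mode = -1;
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | IPC_EXCL | perms);

    if (id == -1)
        return -1;
    if (shmctl(id, IPC_STAT, &ds) == 0)
        mode = ds.shm_perm.mode & 0777;
    shmctl(id, IPC_RMID, NULL);   /* never leave the probe segment behind */
    return mode;
}

int main(void)
{
    /* Assumed modes: 0666 for the affected behaviour, 0600 for the patched one. */
    const int candidates[] = { 0666, 0600 };
    for (int i = 0; i < 2; i++) {
        int mode = created_segment_mode(candidates[i]);
        if (mode == -1) {
            perror("shmget/shmctl");
            return 1;
        }
        printf("requested %04o -> kernel reports %04o: %s\n",
               (unsigned)candidates[i], (unsigned)mode,
               exposed_bits(mode) ? "other users can attach" : "user-only");
    }
    return 0;
}
```

On a running system the same permission bits appear in the perms column of `ipcs -m`, which makes it possible to check segments owned by an unpatched Qt application.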
