Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package qt4-x11

Hi! This upload fixes shmget calls to get user-only memory, CVE-2013-0254
and RC bug #699870.

diffstat qt4-x11.diff 
 changelog                                                     |   10 
 patches/change_all_shmget_calls_to_use_user-only_memory.patch |  148 ++++++++++
 patches/series                                                |    1 
 3 files changed, 159 insertions(+)

Kinds regards, Lisandro.

unblock qt4-x11/4:4.8.2+dfsg-11

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru qt4-x11-4.8.2+dfsg/debian/changelog qt4-x11-4.8.2+dfsg/debian/changelog
--- qt4-x11-4.8.2+dfsg/debian/changelog	2013-01-19 16:48:19.000000000 -0300
+++ qt4-x11-4.8.2+dfsg/debian/changelog	2013-02-05 18:52:39.000000000 -0300
@@ -1,3 +1,13 @@
+qt4-x11 (4:4.8.2+dfsg-11) unstable; urgency=medium
+
+  * Take upstream patch change_all_shmget_calls_to_use_user-only_memory.patch.
+    It changes the shmget calls to get user-only memory, CVE-2013-0254.
+    - Set urgency to medium.
+    - Drop changes from tests/auto/qtipc/qsharedmemory/tst_qsharedmemory.cpp,
+    it doesn't exists in the Debian tarball.
+
+ -- Lisandro Damián Nicanor Pérez Meyer <lisan...@debian.org>  Tue, 05 Feb 2013 18:52:29 -0300
+
 qt4-x11 (4:4.8.2+dfsg-10) unstable; urgency=medium
 
   * Add SSL-certificates-blacklist-mis-issued-Turktrust-cert.patch to blacklist
diff -Nru qt4-x11-4.8.2+dfsg/debian/patches/change_all_shmget_calls_to_use_user-only_memory.patch qt4-x11-4.8.2+dfsg/debian/patches/change_all_shmget_calls_to_use_user-only_memory.patch
--- qt4-x11-4.8.2+dfsg/debian/patches/change_all_shmget_calls_to_use_user-only_memory.patch	1969-12-31 21:00:00.000000000 -0300
+++ qt4-x11-4.8.2+dfsg/debian/patches/change_all_shmget_calls_to_use_user-only_memory.patch	2013-02-05 18:50:16.000000000 -0300
@@ -0,0 +1,148 @@
+From 20b26bdb3dd5e46b01b9a7e1ce8342074df3c89c Mon Sep 17 00:00:00 2001
+From: Thiago Macieira <thiago.macie...@intel.com>
+From: Lisandro Damián Nicanor Pérez Meyer <lisan...@debian.org>
+Date: Sat, 22 Dec 2012 08:32:12 -0800
+Description: [PATCH] Change all shmget calls to user-only memory
+ Drop the read and write permissions for group and other users in the
+ system.
+ .
+ The tests/auto/qtipc/qsharedmemory/tst_qsharedmemory.cpp does
+ not exists in the current Debian tarball, so we removed it.
+
+Change-Id: I8fc753f09126651af3fb82df3049050f0b14e876
+(cherry-picked from Qt 5 commit 856f209fb63ae336bfb389a12d2a75fa886dc1c5)
+Reviewed-by: Richard J. Moore <r...@kde.org>
+---
+ src/corelib/kernel/qsharedmemory_unix.cpp          |    6 +++---
+ src/corelib/kernel/qsystemsemaphore_unix.cpp       |    4 ++--
+ src/gui/image/qnativeimage.cpp                     |    2 +-
+ src/gui/image/qpixmap_x11.cpp                      |    2 +-
+ src/plugins/platforms/xcb/qxcbwindowsurface.cpp    |    2 +-
+ src/plugins/platforms/xlib/qxlibwindowsurface.cpp  |    2 +-
+ .../auto/qtipc/qsharedmemory/tst_qsharedmemory.cpp |    2 +-
+ tools/qvfb/qvfbshmem.cpp                           |    4 ++--
+ 8 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/src/corelib/kernel/qsharedmemory_unix.cpp b/src/corelib/kernel/qsharedmemory_unix.cpp
+index 20d76e3..4cf3acf 100644
+--- a/src/corelib/kernel/qsharedmemory_unix.cpp
++++ b/src/corelib/kernel/qsharedmemory_unix.cpp
+@@ -238,7 +238,7 @@ bool QSharedMemoryPrivate::create(int size)
+     }
+ 
+     // create
+-    if (-1 == shmget(unix_key, size, 0666 | IPC_CREAT | IPC_EXCL)) {
++    if (-1 == shmget(unix_key, size, 0600 | IPC_CREAT | IPC_EXCL)) {
+         QString function = QLatin1String("QSharedMemory::create");
+         switch (errno) {
+         case EINVAL:
+@@ -293,7 +293,7 @@ bool QSharedMemoryPrivate::attach(QSharedMemory::AccessMode mode)
+ {
+ #ifndef QT_POSIX_IPC
+     // grab the shared memory segment id
+-    int id = shmget(unix_key, 0, (mode == QSharedMemory::ReadOnly ? 0444 : 0660));
++    int id = shmget(unix_key, 0, (mode == QSharedMemory::ReadOnly ? 0400 : 0600));
+     if (-1 == id) {
+         setErrorString(QLatin1String("QSharedMemory::attach (shmget)"));
+         return false;
+@@ -381,7 +381,7 @@ bool QSharedMemoryPrivate::detach()
+     size = 0;
+ 
+     // Get the number of current attachments
+-    int id = shmget(unix_key, 0, 0444);
++    int id = shmget(unix_key, 0, 0400);
+     cleanHandle();
+ 
+     struct shmid_ds shmid_ds;
+diff --git a/src/corelib/kernel/qsystemsemaphore_unix.cpp b/src/corelib/kernel/qsystemsemaphore_unix.cpp
+index fad9acc..e77456b 100644
+--- a/src/corelib/kernel/qsystemsemaphore_unix.cpp
++++ b/src/corelib/kernel/qsystemsemaphore_unix.cpp
+@@ -153,10 +153,10 @@ key_t QSystemSemaphorePrivate::handle(QSystemSemaphore::AccessMode mode)
+     }
+ 
+     // Get semaphore
+-    semaphore = semget(unix_key, 1, 0666 | IPC_CREAT | IPC_EXCL);
++    semaphore = semget(unix_key, 1, 0600 | IPC_CREAT | IPC_EXCL);
+     if (-1 == semaphore) {
+         if (errno == EEXIST)
+-            semaphore = semget(unix_key, 1, 0666 | IPC_CREAT);
++            semaphore = semget(unix_key, 1, 0600 | IPC_CREAT);
+         if (-1 == semaphore) {
+             setErrorString(QLatin1String("QSystemSemaphore::handle"));
+             cleanHandle();
+diff --git a/src/gui/image/qnativeimage.cpp b/src/gui/image/qnativeimage.cpp
+index 9654afe..fef38c5 100644
+--- a/src/gui/image/qnativeimage.cpp
++++ b/src/gui/image/qnativeimage.cpp
+@@ -176,7 +176,7 @@ QNativeImage::QNativeImage(int width, int height, QImage::Format format,bool /*
+ 
+     bool ok;
+     xshminfo.shmid = shmget(IPC_PRIVATE, xshmimg->bytes_per_line * xshmimg->height,
+-                            IPC_CREAT | 0777);
++                            IPC_CREAT | 0700);
+     ok = xshminfo.shmid != -1;
+     if (ok) {
+         xshmimg->data = (char*)shmat(xshminfo.shmid, 0, 0);
+diff --git a/src/gui/image/qpixmap_x11.cpp b/src/gui/image/qpixmap_x11.cpp
+index 280d8bd..88c9b7b 100644
+--- a/src/gui/image/qpixmap_x11.cpp
++++ b/src/gui/image/qpixmap_x11.cpp
+@@ -193,7 +193,7 @@ static bool qt_create_mitshm_buffer(const QPaintDevice* dev, int w, int h)
+     bool ok;
+     xshminfo.shmid = shmget(IPC_PRIVATE,
+                              xshmimg->bytes_per_line * xshmimg->height,
+-                             IPC_CREAT | 0777);
++                             IPC_CREAT | 0700);
+     ok = xshminfo.shmid != -1;
+     if (ok) {
+         xshmimg->data = (char*)shmat(xshminfo.shmid, 0, 0);
+diff --git a/src/plugins/platforms/xcb/qxcbwindowsurface.cpp b/src/plugins/platforms/xcb/qxcbwindowsurface.cpp
+index b6a42d8..0d56821 100644
+--- a/src/plugins/platforms/xcb/qxcbwindowsurface.cpp
++++ b/src/plugins/platforms/xcb/qxcbwindowsurface.cpp
+@@ -98,7 +98,7 @@ QXcbShmImage::QXcbShmImage(QXcbScreen *screen, const QSize &size, uint depth, QI
+                                           0);
+ 
+     m_shm_info.shmid = shmget (IPC_PRIVATE,
+-          m_xcb_image->stride * m_xcb_image->height, IPC_CREAT|0777);
++          m_xcb_image->stride * m_xcb_image->height, IPC_CREAT|0600);
+ 
+     m_shm_info.shmaddr = m_xcb_image->data = (quint8 *)shmat (m_shm_info.shmid, 0, 0);
+     m_shm_info.shmseg = xcb_generate_id(xcb_connection());
+diff --git a/src/plugins/platforms/xlib/qxlibwindowsurface.cpp b/src/plugins/platforms/xlib/qxlibwindowsurface.cpp
+index bf003eb..46a2f97 100644
+--- a/src/plugins/platforms/xlib/qxlibwindowsurface.cpp
++++ b/src/plugins/platforms/xlib/qxlibwindowsurface.cpp
+@@ -99,7 +99,7 @@ void QXlibWindowSurface::resizeShmImage(int width, int height)
+ 
+ 
+     image_info->shminfo.shmid = shmget (IPC_PRIVATE,
+-          image->bytes_per_line * image->height, IPC_CREAT|0777);
++          image->bytes_per_line * image->height, IPC_CREAT|0700);
+ 
+     image_info->shminfo.shmaddr = image->data = (char*)shmat (image_info->shminfo.shmid, 0, 0);
+     image_info->shminfo.readOnly = False;
+diff --git a/tools/qvfb/qvfbshmem.cpp b/tools/qvfb/qvfbshmem.cpp
+index 7f9671f..84b6ebe 100644
+--- a/tools/qvfb/qvfbshmem.cpp
++++ b/tools/qvfb/qvfbshmem.cpp
+@@ -176,13 +176,13 @@ QShMemViewProtocol::QShMemViewProtocol(int displayid, const QSize &s,
+     uint data_offset_value = sizeof(QVFbHeader);
+ 
+     int dataSize = bpl * h + data_offset_value;
+-    shmId = shmget(key, dataSize, IPC_CREAT | 0666);
++    shmId = shmget(key, dataSize, IPC_CREAT | 0600);
+     if (shmId != -1)
+ 	data = (unsigned char *)shmat(shmId, 0, 0);
+     else {
+ 	struct shmid_ds shm;
+ 	shmctl(shmId, IPC_RMID, &shm);
+-	shmId = shmget(key, dataSize, IPC_CREAT | 0666);
++    shmId = shmget(key, dataSize, IPC_CREAT | 0600);
+ 	if (shmId == -1) {
+             perror("QShMemViewProtocol::QShMemViewProtocol");
+             qFatal("Cannot get shared memory 0x%08x", key);
+-- 
+1.7.1
+
diff -Nru qt4-x11-4.8.2+dfsg/debian/patches/series qt4-x11-4.8.2+dfsg/debian/patches/series
--- qt4-x11-4.8.2+dfsg/debian/patches/series	2013-01-19 16:37:34.000000000 -0300
+++ qt4-x11-4.8.2+dfsg/debian/patches/series	2013-02-05 18:33:25.000000000 -0300
@@ -10,6 +10,7 @@
 make_rules_for_redirect_stricter.patch
 SSL-certificates-blacklist-mis-issued-Turktrust-cert.patch
 Fix_binary_incompatibility_between_openssl_versions.patch
+change_all_shmget_calls_to_use_user-only_memory.patch
 
 # qt-copy patches
 0195-compositing-properties.diff
-- 
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-talk

Reply via email to