Control: tags -1 + patch Hi Qt/KDE Maintainers,
Attached is an (as yet completely untested) patch based on the commits for the 4.7 branch [1]. [1] http://qt.gitorious.org/qt/qt/commit/57756e72adf2081137b97f0e689dd16c770d10b1 Regards, Salvatore
Description: Fix CVE-2013-0254 System V shared memory segments created world-writeable . Change all shmget calls to user-only memory . Drop the read and write permissions for group and other users in the system. Origin: http://qt.gitorious.org/qt/qt/commit/57756e72adf2081137b97f0e689dd16c770d10b1 Bug-Debian: http://bugs.debian.org/699870 Forwarded: not-needed Author: Salvatore Bonaccorso <car...@debian.org> Last-Update: 2013-08-18 Applied-Upstream: 5.0.1, 4.8.5, 4.7.6
--- a/src/corelib/kernel/qsharedmemory_unix.cpp
+++ b/src/corelib/kernel/qsharedmemory_unix.cpp
@@ -199,7 +199,7 @@
 } // create
- if (-1 == shmget(handle(), size, 0666 | IPC_CREAT | IPC_EXCL)) {
+ if (-1 == shmget(handle(), size, 0600 | IPC_CREAT | IPC_EXCL)) {
 QString function = QLatin1String("QSharedMemory::create"); switch (errno) { case EINVAL:
@@ -223,7 +223,7 @@
 if (!handle()) return false;
- int id = shmget(handle(), 0, (mode == QSharedMemory::ReadOnly ? 0444 : 0660));
+ int id = shmget(handle(), 0, (mode == QSharedMemory::ReadOnly ? 0400 : 0600));
 if (-1 == id) { setErrorString(QLatin1String("QSharedMemory::attach (shmget)")); return false;
@@ -269,7 +269,7 @@
 // Get the number of current attachments if (!handle()) return false;
- int id = shmget(handle(), 0, 0444);
+ int id = shmget(handle(), 0, 0400);
 unix_key = 0; struct shmid_ds shmid_ds;
--- a/src/corelib/kernel/qsystemsemaphore_unix.cpp
+++ b/src/corelib/kernel/qsystemsemaphore_unix.cpp
@@ -143,10 +143,10 @@
 } // Get semaphore
- semaphore = semget(unix_key, 1, 0666 | IPC_CREAT | IPC_EXCL);
+ semaphore = semget(unix_key, 1, 0600 | IPC_CREAT | IPC_EXCL);
 if (-1 == semaphore) { if (errno == EEXIST)
- semaphore = semget(unix_key, 1, 0666 | IPC_CREAT);
+ semaphore = semget(unix_key, 1, 0600 | IPC_CREAT);
 if (-1 == semaphore) { setErrorString(QLatin1String("QSystemSemaphore::handle")); cleanHandle();
--- a/src/gui/image/qnativeimage.cpp
+++ b/src/gui/image/qnativeimage.cpp
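Review bot: In src/corelib/kernel/qsharedmemory_unix.cpp the new `0600` in the create hunk (@@ -199) only governs segments created from now on, and nothing in the code records that the value is a deliberate, security-relevant choice. System V segments outlive the process that created them, so a segment left behind by an unpatched build keeps its old 0666 mode until it is removed; the permission bits passed in the @@ -223 and @@ -269 hunks act as an access check and do not change an existing segment's mode. I would add a comment above the create call such as `// Owner-only (0600): world-writable segments were CVE-2013-0254; unprivileged processes of other users can no longer attach.` The enclosing functions start and end outside these hunks.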
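Review bot: In src/corelib/kernel/qsystemsemaphore_unix.cpp (@@ -143) the EEXIST fallback `semget(unix_key, 1, 0600 | IPC_CREAT)` opens whatever semaphore set already exists under the key, so the tighter mode is not applied to a set that was created earlier with 0666 or by a different local user. If the intent is that only the owner's processes share the semaphore, the fallback could check ownership after opening, using an `IPC_STAT` query through `semctl` and comparing `sem_perm.uid` with `geteuid()`, and fail otherwise. Whether callers rely on cross-user sharing is not visible here, so that should be confirmed before adding the check. The function body continues outside the hunk.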
@@ -173,7 +173,7 @@
 bool ok; xshminfo.shmid = shmget(IPC_PRIVATE, xshmimg->bytes_per_line * xshmimg->height,
- IPC_CREAT | 0777);
+ IPC_CREAT | 0700);
 ok = xshminfo.shmid != -1; if (ok) { xshmimg->data = (char*)shmat(xshminfo.shmid, 0, 0);
--- a/src/gui/image/qpixmap_x11.cpp
+++ b/src/gui/image/qpixmap_x11.cpp
@@ -193,7 +193,7 @@
 bool ok; xshminfo.shmid = shmget(IPC_PRIVATE, xshmimg->bytes_per_line * xshmimg->height,
- IPC_CREAT | 0777);
+ IPC_CREAT | 0700);
 ok = xshminfo.shmid != -1; if (ok) { xshmimg->data = (char*)shmat(xshminfo.shmid, 0, 0);
--- a/tools/qvfb/qvfbshmem.cpp
+++ b/tools/qvfb/qvfbshmem.cpp
@@ -174,13 +174,13 @@
 uint data_offset_value = sizeof(QVFbHeader); int dataSize = bpl * h + data_offset_value;
- shmId = shmget(key, dataSize, IPC_CREAT | 0666);
+ shmId = shmget(key, dataSize, IPC_CREAT | 0600);
 if (shmId != -1) data = (unsigned char *)shmat(shmId, 0, 0); else { struct shmid_ds shm; shmctl(shmId, IPC_RMID, &shm);
- shmId = shmget(key, dataSize, IPC_CREAT | 0666);
+ shmId = shmget(key, dataSize, IPC_CREAT | 0600);
 if (shmId == -1) { perror("QShMemViewProtocol::QShMemViewProtocol"); qFatal("Cannot get shared memory 0x%08x", key);
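Review bot: In src/gui/image/qnativeimage.cpp (@@ -173) the new mode is `0700`, while every other call in this patch uses `0600`; execute permission is not used for System V shared memory, so `IPC_CREAT | 0600` expresses the same restriction and keeps the patch consistent. The same applies to the identical hunk in src/gui/image/qpixmap_x11.cpp (@@ -193). Judging by the `xshminfo` and `xshmimg` names, these segments are presumably shared with the X server, so it is worth confirming that the server can still attach when it runs under a different unprivileged uid than the client; the visible `ok` check covers only the `shmget` result. The surrounding functions are outside the hunks.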
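Review bot: In tools/qvfb/qvfbshmem.cpp (@@ -174) `shmget(key, dataSize, IPC_CREAT | 0600)` has no `IPC_EXCL`, so when a segment already exists under `key` it is returned with whatever mode it was created with and the new 0600 is not applied to it. The recovery path in the context lines does not help: it is reached only when `shmId` is -1, so `shmctl(shmId, IPC_RMID, &shm)` is called with an invalid id and cannot remove anything. Consider creating with `IPC_CREAT | IPC_EXCL | 0600` and, on failure, looking up the stale segment before removing it: `int staleId = shmget(key, 0, 0); if (staleId != -1) shmctl(staleId, IPC_RMID, &shm);`. The enclosing function continues outside the hunk.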