Debian Bug report logs -
#699870
[CVE-2013-0254] Qt Project Security Advisory: System V shared memory segments created world-writeable
Reported by: Luciano Bello <luciano@debian.org>
Date: Wed, 6 Feb 2013 02:21:02 UTC
Severity: important
Tags: patch, security
Found in versions 4:4.6.3-4+squeeze1, 4:4.8.2+dfsg-10
Fixed in version qt4-x11/4:4.8.2+dfsg-11
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
:
Bug#699870
; Package qt4-x11
.
(Wed, 06 Feb 2013 02:21:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Luciano Bello <luciano@debian.org>
:
New Bug report received and forwarded. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
.
(Wed, 06 Feb 2013 02:21:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: qt4-x11
Severity: important
Tags: security patch
Justification: user security hole
Hi Qt/KDE Maintainers,
This vulnerability had been reported against qt4-x11:
http://permalink.gmane.org/gmane.comp.lib.qt.devel/9759
The patch for 4.8 (which is in testing and sid) is available. For 4.6 looks
quite easy to port. Can build and test a patch for stable in order to release a
DSA?
Thanks, luciano
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>
:
You have taken responsibility.
(Wed, 06 Feb 2013 07:48:06 GMT) (full text, mbox, link).
Notification sent
to Luciano Bello <luciano@debian.org>
:
Bug acknowledged by developer.
(Wed, 06 Feb 2013 07:48:06 GMT) (full text, mbox, link).
Message #10 received at 699870-done@bugs.debian.org (full text, mbox, reply):
Source: qt4-x11
Source-Version: 4:4.8.2+dfsg-11
On Wed, Feb 06, 2013 at 03:18:07AM +0100, Luciano Bello wrote:
> Package: qt4-x11
> Severity: important
> Tags: security patch
> Justification: user security hole
>
> Hi Qt/KDE Maintainers,
> This vulnerability had been reported against qt4-x11:
> http://permalink.gmane.org/gmane.comp.lib.qt.devel/9759
> The patch for 4.8 (which is in testing and sid) is available. For 4.6 looks
> quite easy to port. Can build and test a patch for stable in order to release a
> DSA?
For unstable this was fixed in 4:4.8.2+dfsg-11. Closing manually as
changelog entry did not contain the bug closer.
Regards,
Salvatore
Marked as found in versions 4:4.8.2+dfsg-10.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Wed, 06 Feb 2013 08:00:03 GMT) (full text, mbox, link).
Marked as found in versions 4:4.6.3-4+squeeze1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Wed, 06 Feb 2013 08:00:04 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 11 Mar 2013 07:27:45 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sun, 18 Aug 2013 19:45:10 GMT) (full text, mbox, link).
Changed Bug title to '[CVE-2013-0254] Qt Project Security Advisory: System V shared memory segments created world-writeable' from 'CVE-2013-0254] Qt Project Security Advisory: System V shared memory segments created world-writeable'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sun, 18 Aug 2013 19:45:11 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
:
Bug#699870
; Package qt4-x11
.
(Sun, 18 Aug 2013 19:54:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
.
(Sun, 18 Aug 2013 19:54:08 GMT) (full text, mbox, link).
Message #25 received at 699870@bugs.debian.org (full text, mbox, reply):
Hi Qt/KDE Maintainers,
On Wed, Feb 06, 2013 at 03:18:07AM +0100, Luciano Bello wrote:
> Package: qt4-x11
> Severity: important
> Tags: security patch
> Justification: user security hole
>
> Hi Qt/KDE Maintainers,
> This vulnerability had been reported against qt4-x11:
> http://permalink.gmane.org/gmane.comp.lib.qt.devel/9759
> The patch for 4.8 (which is in testing and sid) is available. For 4.6 looks
> quite easy to port. Can build and test a patch for stable in order to release a
> DSA?
Did you had a chance to look at this already? The patch for 4.7 is at
[1].
[1] http://qt.gitorious.org/qt/qt/commit/57756e72adf2081137b97f0e689dd16c770d10b1
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
:
Bug#699870
; Package qt4-x11
.
(Sun, 18 Aug 2013 20:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
.
(Sun, 18 Aug 2013 20:15:04 GMT) (full text, mbox, link).
Message #30 received at 699870@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags -1 + patch
Hi Qt/KDE Maintainers,
Attached is a (yet at all untested) patch based on the commits for the
4.7 branch [1].
[1] http://qt.gitorious.org/qt/qt/commit/57756e72adf2081137b97f0e689dd16c770d10b1
Regards,
Salvatore
[97_CVE-2013-0254.diff (text/x-diff, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
:
Bug#699870
; Package qt4-x11
.
(Mon, 19 Aug 2013 00:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to "Lisandro Damián Nicanor Pérez Meyer" <perezmeyer@gmail.com>
:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
.
(Mon, 19 Aug 2013 00:39:04 GMT) (full text, mbox, link).
Message #35 received at 699870@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sunday 18 August 2013 22:11:39 Salvatore Bonaccorso wrote:
> Control: tags -1 + patch
>
> Hi Qt/KDE Maintainers,
>
> Attached is a (yet at all untested) patch based on the commits for the
> 4.7 branch [1].
>
> [1]
> http://qt.gitorious.org/qt/qt/commit/57756e72adf2081137b97f0e689dd16c770d10
> b1
This is from the top of my head: IIRC, this got into Wheezy and I was working
with a fix for Squeeze which also included some blacklisting stuff that was
objected by a reason I don't quite remember now.
Some time later, we released Wheezy.
I currently don't have a Squeeze installation at hand nor the time to look at
it. I don't know the if anyone of the rest of the team has some spare time to
look into this.
Kinds regards, Lisandro.
--
Un viejo proverbio de El.Machi dice que la memoria es como
las papas fritas... ¡nunca sobran!
Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
:
Bug#699870
; Package qt4-x11
.
(Thu, 05 Sep 2013 20:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
.
(Thu, 05 Sep 2013 20:45:04 GMT) (full text, mbox, link).
Message #40 received at 699870@bugs.debian.org (full text, mbox, reply):
Hi Lisandro
[Really apologies not having replied earlier]
On Sun, Aug 18, 2013 at 09:37:06PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> On Sunday 18 August 2013 22:11:39 Salvatore Bonaccorso wrote:
> > Control: tags -1 + patch
> >
> > Hi Qt/KDE Maintainers,
> >
> > Attached is a (yet at all untested) patch based on the commits for the
> > 4.7 branch [1].
> >
> > [1]
> > http://qt.gitorious.org/qt/qt/commit/57756e72adf2081137b97f0e689dd16c770d10
> > b1
>
> This is from the top of my head: IIRC, this got into Wheezy and I was working
> with a fix for Squeeze which also included some blacklisting stuff that was
> objected by a reason I don't quite remember now.
>
> Some time later, we released Wheezy.
>
> I currently don't have a Squeeze installation at hand nor the time to look at
> it. I don't know the if anyone of the rest of the team has some spare time to
> look into this.
... probably the following: Sune Vuorela pointed to #700530[1]. If the
above patches are applied, this introduces the problem mentioned on
kfreebsd-i386 and kfreebsd-amd64.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
:
Bug#699870
; Package qt4-x11
.
(Tue, 10 Sep 2013 02:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com>
:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
.
(Tue, 10 Sep 2013 02:21:04 GMT) (full text, mbox, link).
Message #45 received at 699870@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Thursday 05 September 2013 22:41:36 Salvatore Bonaccorso wrote:
> Hi Lisandro
>
> [Really apologies not having replied earlier]
Well, you are not the only one :) My apologies too.
[snip]
> > I currently don't have a Squeeze installation at hand nor the time to look
> > at it. I don't know the if anyone of the rest of the team has some spare
> > time to look into this.
>
> ... probably the following: Sune Vuorela pointed to #700530[1]. If the
> above patches are applied, this introduces the problem mentioned on
> kfreebsd-i386 and kfreebsd-amd64.
Indeed, that was *another* reason :) I've already forgot that one. Yes,
applying the patch to fix the CVS will surely trigger an RC bug for kbsd* :-(
The other reason was [0]. Luciano correctly pointed out that it would be much
better to centralize that blacklisting stuff, and while I agree with the idea
behind it, this is something which has to be implemented upstream for us to
accept it, for example, making upstream use 3rd party info for this cases.
This will hardly happen in Qt4 because it's already on maintainance mode.
In the case of Qt5 the code seems to exists [1] so maybe there is a chance.
I saddly lack the security [concepts software] knowledge and time to do this.
But if any of you want to try, do not heasitate to present patches upstream.
Kinds regards, Lisandro.
[0] <http://patch-tracker.debian.org/patch/series/view/qt4-x11/4:4.8.2+dfsg-11/SSL-certificates-blacklist-mis-issued-Turktrust-cert.patch>
[1] <http://sources.debian.net/src/qtbase-opensource-src/5.1.1+dfsg-2/src/network/ssl/qsslcertificate.cpp?hl=1216#L1174>
--
Los errores ortográficos y de redacción fueron insertados con la única
intención de testear sus conocimientos de la lengua castellana.
Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
[signature.asc (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Wed, 20 Nov 2013 07:35:58 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:28:07 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.