Bug#700182: marked as done (unblock: qt4-x11/4:4.8.2+dfsg-11)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sat, 09 Feb 2013 19:21:16 +0000
with message-id <1360437676.7444.11.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#700182: unblock: qt4-x11/4:4.8.2+dfsg-11
has caused the Debian Bug report #700182,
regarding unblock: qt4-x11/4:4.8.2+dfsg-11
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
700182: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700182
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: qt4-x11/4:4.8.2+dfsg-11
• From: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
• Date: Sat, 09 Feb 2013 12:17:52 -0300
• Message-id: <20130209151752.1854.33699.reportbug@dumbledore.dumbledore.com.ar>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package qt4-x11

Hi! This upload fixes shmget calls to get user-only memory, CVE-2013-0254
and RC bug #699870.

diffstat qt4-x11.diff 
 changelog                                                     |   10 
 patches/change_all_shmget_calls_to_use_user-only_memory.patch |  148 ++++++++++
 patches/series                                                |    1 
 3 files changed, 159 insertions(+)

Kinds regards, Lisandro.

unblock qt4-x11/4:4.8.2+dfsg-11

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru qt4-x11-4.8.2+dfsg/debian/changelog qt4-x11-4.8.2+dfsg/debian/changelog
--- qt4-x11-4.8.2+dfsg/debian/changelog	2013-01-19 16:48:19.000000000 -0300
+++ qt4-x11-4.8.2+dfsg/debian/changelog	2013-02-05 18:52:39.000000000 -0300
@@ -1,3 +1,13 @@
+qt4-x11 (4:4.8.2+dfsg-11) unstable; urgency=medium
+
+  * Take upstream patch change_all_shmget_calls_to_use_user-only_memory.patch.
+    It changes the shmget calls to get user-only memory, CVE-2013-0254.
+    - Set urgency to medium.
+    - Drop changes from tests/auto/qtipc/qsharedmemory/tst_qsharedmemory.cpp,
+    it doesn't exists in the Debian tarball.
+
+ -- Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>  Tue, 05 Feb 2013 18:52:29 -0300
+
 qt4-x11 (4:4.8.2+dfsg-10) unstable; urgency=medium
 
   * Add SSL-certificates-blacklist-mis-issued-Turktrust-cert.patch to blacklist
diff -Nru qt4-x11-4.8.2+dfsg/debian/patches/change_all_shmget_calls_to_use_user-only_memory.patch qt4-x11-4.8.2+dfsg/debian/patches/change_all_shmget_calls_to_use_user-only_memory.patch
--- qt4-x11-4.8.2+dfsg/debian/patches/change_all_shmget_calls_to_use_user-only_memory.patch	1969-12-31 21:00:00.000000000 -0300
+++ qt4-x11-4.8.2+dfsg/debian/patches/change_all_shmget_calls_to_use_user-only_memory.patch	2013-02-05 18:50:16.000000000 -0300
@@ -0,0 +1,148 @@
+From 20b26bdb3dd5e46b01b9a7e1ce8342074df3c89c Mon Sep 17 00:00:00 2001
+From: Thiago Macieira <thiago.macieira@intel.com>
+From: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
+Date: Sat, 22 Dec 2012 08:32:12 -0800
+Description: [PATCH] Change all shmget calls to user-only memory
+ Drop the read and write permissions for group and other users in the
+ system.
+ .
+ The tests/auto/qtipc/qsharedmemory/tst_qsharedmemory.cpp does
+ not exists in the current Debian tarball, so we removed it.
+
+Change-Id: I8fc753f09126651af3fb82df3049050f0b14e876
+(cherry-picked from Qt 5 commit 856f209fb63ae336bfb389a12d2a75fa886dc1c5)
+Reviewed-by: Richard J. Moore <rich@kde.org>
+---
+ src/corelib/kernel/qsharedmemory_unix.cpp          |    6 +++---
+ src/corelib/kernel/qsystemsemaphore_unix.cpp       |    4 ++--
+ src/gui/image/qnativeimage.cpp                     |    2 +-
+ src/gui/image/qpixmap_x11.cpp                      |    2 +-
+ src/plugins/platforms/xcb/qxcbwindowsurface.cpp    |    2 +-
+ src/plugins/platforms/xlib/qxlibwindowsurface.cpp  |    2 +-
+ .../auto/qtipc/qsharedmemory/tst_qsharedmemory.cpp |    2 +-
+ tools/qvfb/qvfbshmem.cpp                           |    4 ++--
+ 8 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/src/corelib/kernel/qsharedmemory_unix.cpp b/src/corelib/kernel/qsharedmemory_unix.cpp
+index 20d76e3..4cf3acf 100644
+--- a/src/corelib/kernel/qsharedmemory_unix.cpp
++++ b/src/corelib/kernel/qsharedmemory_unix.cpp
+@@ -238,7 +238,7 @@ bool QSharedMemoryPrivate::create(int size)
+     }
+ 
+     // create
+-    if (-1 == shmget(unix_key, size, 0666 | IPC_CREAT | IPC_EXCL)) {
++    if (-1 == shmget(unix_key, size, 0600 | IPC_CREAT | IPC_EXCL)) {
+         QString function = QLatin1String("QSharedMemory::create");
+         switch (errno) {
+         case EINVAL:
+@@ -293,7 +293,7 @@ bool QSharedMemoryPrivate::attach(QSharedMemory::AccessMode mode)
+ {
+ #ifndef QT_POSIX_IPC
+     // grab the shared memory segment id
+-    int id = shmget(unix_key, 0, (mode == QSharedMemory::ReadOnly ? 0444 : 0660));
++    int id = shmget(unix_key, 0, (mode == QSharedMemory::ReadOnly ? 0400 : 0600));
+     if (-1 == id) {
+         setErrorString(QLatin1String("QSharedMemory::attach (shmget)"));
+         return false;
+@@ -381,7 +381,7 @@ bool QSharedMemoryPrivate::detach()
+     size = 0;
+ 
+     // Get the number of current attachments
+-    int id = shmget(unix_key, 0, 0444);
++    int id = shmget(unix_key, 0, 0400);
+     cleanHandle();
+ 
+     struct shmid_ds shmid_ds;
+diff --git a/src/corelib/kernel/qsystemsemaphore_unix.cpp b/src/corelib/kernel/qsystemsemaphore_unix.cpp
+index fad9acc..e77456b 100644
+--- a/src/corelib/kernel/qsystemsemaphore_unix.cpp
++++ b/src/corelib/kernel/qsystemsemaphore_unix.cpp
+@@ -153,10 +153,10 @@ key_t QSystemSemaphorePrivate::handle(QSystemSemaphore::AccessMode mode)
+     }
+ 
+     // Get semaphore
+-    semaphore = semget(unix_key, 1, 0666 | IPC_CREAT | IPC_EXCL);
++    semaphore = semget(unix_key, 1, 0600 | IPC_CREAT | IPC_EXCL);
+     if (-1 == semaphore) {
+         if (errno == EEXIST)
+-            semaphore = semget(unix_key, 1, 0666 | IPC_CREAT);
++            semaphore = semget(unix_key, 1, 0600 | IPC_CREAT);
+         if (-1 == semaphore) {
+             setErrorString(QLatin1String("QSystemSemaphore::handle"));
+             cleanHandle();
+diff --git a/src/gui/image/qnativeimage.cpp b/src/gui/image/qnativeimage.cpp
+index 9654afe..fef38c5 100644
+--- a/src/gui/image/qnativeimage.cpp
++++ b/src/gui/image/qnativeimage.cpp
+@@ -176,7 +176,7 @@ QNativeImage::QNativeImage(int width, int height, QImage::Format format,bool /*
+ 
+     bool ok;
+     xshminfo.shmid = shmget(IPC_PRIVATE, xshmimg->bytes_per_line * xshmimg->height,
+-                            IPC_CREAT | 0777);
++                            IPC_CREAT | 0700);
+     ok = xshminfo.shmid != -1;
+     if (ok) {
+         xshmimg->data = (char*)shmat(xshminfo.shmid, 0, 0);
+diff --git a/src/gui/image/qpixmap_x11.cpp b/src/gui/image/qpixmap_x11.cpp
+index 280d8bd..88c9b7b 100644
+--- a/src/gui/image/qpixmap_x11.cpp
++++ b/src/gui/image/qpixmap_x11.cpp
+@@ -193,7 +193,7 @@ static bool qt_create_mitshm_buffer(const QPaintDevice* dev, int w, int h)
+     bool ok;
+     xshminfo.shmid = shmget(IPC_PRIVATE,
+                              xshmimg->bytes_per_line * xshmimg->height,
+-                             IPC_CREAT | 0777);
++                             IPC_CREAT | 0700);
+     ok = xshminfo.shmid != -1;
+     if (ok) {
+         xshmimg->data = (char*)shmat(xshminfo.shmid, 0, 0);
+diff --git a/src/plugins/platforms/xcb/qxcbwindowsurface.cpp b/src/plugins/platforms/xcb/qxcbwindowsurface.cpp
+index b6a42d8..0d56821 100644
+--- a/src/plugins/platforms/xcb/qxcbwindowsurface.cpp
++++ b/src/plugins/platforms/xcb/qxcbwindowsurface.cpp
+@@ -98,7 +98,7 @@ QXcbShmImage::QXcbShmImage(QXcbScreen *screen, const QSize &size, uint depth, QI
+                                           0);
+ 
+     m_shm_info.shmid = shmget (IPC_PRIVATE,
+-          m_xcb_image->stride * m_xcb_image->height, IPC_CREAT|0777);
++          m_xcb_image->stride * m_xcb_image->height, IPC_CREAT|0600);
+ 
+     m_shm_info.shmaddr = m_xcb_image->data = (quint8 *)shmat (m_shm_info.shmid, 0, 0);
+     m_shm_info.shmseg = xcb_generate_id(xcb_connection());
+diff --git a/src/plugins/platforms/xlib/qxlibwindowsurface.cpp b/src/plugins/platforms/xlib/qxlibwindowsurface.cpp
+index bf003eb..46a2f97 100644
+--- a/src/plugins/platforms/xlib/qxlibwindowsurface.cpp
++++ b/src/plugins/platforms/xlib/qxlibwindowsurface.cpp
+@@ -99,7 +99,7 @@ void QXlibWindowSurface::resizeShmImage(int width, int height)
+ 
+ 
+     image_info->shminfo.shmid = shmget (IPC_PRIVATE,
+-          image->bytes_per_line * image->height, IPC_CREAT|0777);
++          image->bytes_per_line * image->height, IPC_CREAT|0700);
+ 
+     image_info->shminfo.shmaddr = image->data = (char*)shmat (image_info->shminfo.shmid, 0, 0);
+     image_info->shminfo.readOnly = False;
+diff --git a/tools/qvfb/qvfbshmem.cpp b/tools/qvfb/qvfbshmem.cpp
+index 7f9671f..84b6ebe 100644
+--- a/tools/qvfb/qvfbshmem.cpp
++++ b/tools/qvfb/qvfbshmem.cpp
+@@ -176,13 +176,13 @@ QShMemViewProtocol::QShMemViewProtocol(int displayid, const QSize &s,
+     uint data_offset_value = sizeof(QVFbHeader);
+ 
+     int dataSize = bpl * h + data_offset_value;
+-    shmId = shmget(key, dataSize, IPC_CREAT | 0666);
++    shmId = shmget(key, dataSize, IPC_CREAT | 0600);
+     if (shmId != -1)
+ 	data = (unsigned char *)shmat(shmId, 0, 0);
+     else {
+ 	struct shmid_ds shm;
+ 	shmctl(shmId, IPC_RMID, &shm);
+-	shmId = shmget(key, dataSize, IPC_CREAT | 0666);
++    shmId = shmget(key, dataSize, IPC_CREAT | 0600);
+ 	if (shmId == -1) {
+             perror("QShMemViewProtocol::QShMemViewProtocol");
+             qFatal("Cannot get shared memory 0x%08x", key);
+-- 
+1.7.1
+
diff -Nru qt4-x11-4.8.2+dfsg/debian/patches/series qt4-x11-4.8.2+dfsg/debian/patches/series
--- qt4-x11-4.8.2+dfsg/debian/patches/series	2013-01-19 16:37:34.000000000 -0300
+++ qt4-x11-4.8.2+dfsg/debian/patches/series	2013-02-05 18:33:25.000000000 -0300
@@ -10,6 +10,7 @@
 make_rules_for_redirect_stricter.patch
 SSL-certificates-blacklist-mis-issued-Turktrust-cert.patch
 Fix_binary_incompatibility_between_openssl_versions.patch
+change_all_shmget_calls_to_use_user-only_memory.patch
 
 # qt-copy patches
 0195-compositing-properties.diff

--- End Message ---

--- Begin Message ---

• To: Lisandro Damián NicanorPérez Meyer <lisandro@debian.org>, 700182-done@bugs.debian.org
• Subject: Re: Bug#700182: unblock: qt4-x11/4:4.8.2+dfsg-11
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 09 Feb 2013 19:21:16 +0000
• Message-id: <1360437676.7444.11.camel@jacala.jungle.funky-badger.org>
• In-reply-to: <20130209151752.1854.33699.reportbug@dumbledore.dumbledore.com.ar>
• References: <20130209151752.1854.33699.reportbug@dumbledore.dumbledore.com.ar>

On Sat, 2013-02-09 at 12:17 -0300, Lisandro Damián Nicanor Pérez Meyer
wrote:
> Please unblock package qt4-x11
> 
> Hi! This upload fixes shmget calls to get user-only memory, CVE-2013-0254
> and RC bug #699870.

Unblocked; thanks.

Regards,

Adam

--- End Message ---