Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 455884 (CVE-2013-0254) - <dev-qt/qt{core-4.8.4-r2,gui-4.8.4-r1}: Shared Memory Segment Manipulation Weakness (CVE-2013-0254)
Summary: <dev-qt/qt{core-4.8.4-r2,gui-4.8.4-r1}: Shared Memory Segment Manipulation We...
Alias: CVE-2013-0254
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Reported: 2013-02-06 17:05 UTC by Agostino Sarubbo
Modified: 2013-11-22 11:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-06 17:05:14 UTC
From $URL :

A weakness has been reported in Qt, which can be exploited by malicious, local users to bypass 
certain security restrictions.

The weakness is caused due to the Qt library creating shared memory blocks with world-readable and 
world-writable permissions, which can be exploited to overwrite arbitrary data in the shared memory 
or read arbitrary data from the memory.

The weakness is reported in versions 4.4.0 through 5.0.0.

Comment 1 Davide Pesavento gentoo-dev 2013-02-09 08:08:08 UTC
qt-gui is affected as well.
Comment 2 Davide Pesavento gentoo-dev 2013-02-09 08:38:06 UTC
Arches, please stabilize:

Comment 3 Sergey Popov gentoo-dev 2013-02-09 19:13:23 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-02-09 20:12:04 UTC
ia64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-02-10 14:42:43 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-02-10 17:21:09 UTC
ppc stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-02-11 00:07:41 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-02-11 11:15:30 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-02-12 21:04:58 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-02-12 21:05:25 UTC
alpha stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:18:26 UTC
CVE-2013-0254 (
  The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6,
  and other versions including 4.4.0 uses weak permissions (world-readable and
  world-writable) for shared memory segments, which allows local users to read
  sensitive information or modify critical program data, as demonstrated by
  reading a pixmap being sent to an X server.
Comment 12 Agostino Sarubbo gentoo-dev 2013-03-11 17:50:11 UTC
sparc stable
Comment 13 Davide Pesavento gentoo-dev 2013-03-12 05:51:38 UTC
All done for us.

  12 Mar 2013; Davide Pesavento <> -qtcore-4.8.4.ebuild:
  Punt vulnerable version.

  12 Mar 2013; Davide Pesavento <> -qtgui-4.8.4.ebuild:
  Punt vulnerable version.
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-14 12:13:24 UTC
GLSA vote: yes.
Comment 15 Sergey Popov gentoo-dev 2013-08-22 10:35:17 UTC
GLSA vote: yes

Adding to existing GLSA draft
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-11-22 11:10:29 UTC
This issue was resolved and addressed in
 GLSA 201311-14 at
by GLSA coordinator Sergey Popov (pinkbyte).