On Wed, Oct 09, 2013 at 08:51:54PM +0100, Stuart Henderson wrote:
> > > --------------------
> > > - Change all shmget calls to user-only memory (security)
> > >
> > > So yes, the problem is due to qt4, which uses stricter permissions
> > > for shmget.
> > 
> > The aforementioned change was done to fix CVE-2013-0254.
> > 
> > Here's the commit:
> > 
> > https://qt.gitorious.org/qt/qt/commit/20b26bdb3dd5e46b01b9a7e1ce8342074df3c89c?format=patch
> > 
> > So what now? Revert a security fix?
> 
> Debian ran into this with kfreebsd, they have applied this to xserver
> 
> http://people.debian.org/~jcristau/kbsd-peercred.diff

This is related, but not the same issue. On other systems the X server
is still running as root and thus has full access to shared memory
segments. 

Since a client can pass a shm id to the X server and ask it to render
the image contained therein, this would allow any X client to read
arbitrary shms to which they normally have no access:
http://www.securityfocus.com/bid/4396

So the X server has to re-implement access() to check if the uid/gid
of the client asking the X server to access a given shmid have the
required privilege or not. And thus in this case it's important to
have a working getpeercred() or similar to do the check.

So this won't help in our case.
-- 
Matthieu Herrb
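
The access()-style check described in this message, sketched as an added example (not code from the X server, Qt, or anyone in this thread). The names `seg_perm`, `peer_cred` and `client_may_attach` are hypothetical, the sample uids are constructed, and supplementary groups are ignored for brevity.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical mirror of the ownership fields of a SysV shm segment
 * (the kind of data shmctl(IPC_STAT) reports in shm_perm). */
struct seg_perm {
    uid_t uid, cuid;   /* owner and creator uid */
    gid_t gid, cgid;   /* owner and creator gid */
    unsigned mode;     /* low 9 permission bits */
};

/* Credentials of the connected client; known == false models a
 * server that has no working way to obtain peer credentials. */
struct peer_cred {
    bool known;
    uid_t uid;
    gid_t gid;
};

/* Return true if the client itself would be allowed to attach the
 * segment (read-only, or read-write when want_write is set). */
bool client_may_attach(const struct seg_perm *p,
                       const struct peer_cred *c, bool want_write)
{
    unsigned need = want_write ? 06 : 04;   /* rw- or r-- */

    if (c->known) {
        if (c->uid == 0)
            return true;                            /* root bypasses the mode */
        if (c->uid == p->uid || c->uid == p->cuid)
            return ((p->mode >> 6) & need) == need; /* owner bits */
        if (c->gid == p->gid || c->gid == p->cgid)
            return ((p->mode >> 3) & need) == need; /* group bits */
    }
    /* Unknown or unrelated peer: only the "other" bits apply. */
    return (p->mode & need) == need;
}

int main(void)
{
    /* Constructed sample: segment created user-only (0600) by uid 1000. */
    struct seg_perm seg = { 1000, 1000, 1000, 1000, 0600 };
    struct peer_cred owner = { true, 1000, 1000 };
    struct peer_cred other = { true, 1001, 1001 };
    printf("owner=%d other=%d\n", client_may_attach(&seg, &owner, false),
           client_may_attach(&seg, &other, false));
    return 0;
}
```

With a user-only segment, a peer whose credentials cannot be determined is judged on the "other" bits alone and is refused, which is why the check depends on a working peer-credential lookup.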