Security Vulnerability in Linux Qt Toolkit Fixed

Linux vendors have issued patches to address vulnerability in the Qt, a software toolkit that simplifies writing and maintaining GUI applications for the X Window system.

The flaw was unveiled by security researcher Chris Evans, who uncovered a heap overflow in the BMP image decoder in Qt versions prior to 3.3.3. Flaws were also discovered in prior Qt versions in the XPM, GIF and JPEG decoders.

By using the vulnerabilities, an attacker could use a BMP file to crash an application linked to Qt or execute arbitrary code when a file is opened by an unsuspecting user.

In response to the security alert, Red Hat, the Gentoo Foundation, SuSE and MandrakeSoft have begun distributing Qt packages that will patch the flaw.

Patch Work

Fixing the Qt flaw quickly was a priority, said Thomas Biege, a member of the SuSE security support and auditing team, in an interview with LinuxInsider.

He noted, “Every application which is linked against the Qt3 library and used the vulnerable function of image handling can be crashed or exploited to execute arbitrary code by processing a malformed image.”

To clarify what made the flaw serious enough to require immediate attention, Biege said, “Think about an attacker putting such an image on his Web site or in a forum.”

If that were to happen, everyone using a browser that uses Qt3 to handle the images would become a victim of the attack.

SuSE and other major Linux vendors have a wealth of patches available for the problem and are urging users to install the updated packages to minimize the threat.

Bug Hunt

Other vulnerabilities have been reported recently as well. Earlier this year, Linux vendors told users about a bug in Mplayer, a media player application, which could give a remote attacker the ability to execute malicious code on a Linux or Unix system.

As soon as the bug was discovered, Gentoo Linux released an advisory telling users to upgrade to a newer version of Mplayer. But developers warned that more bugs were likely to appear in the application’s GUI.

In a message to an Mplayer developer e-mail list in June, programmer Richard Felker noted that he had uncovered many buffer overflows in the file, and advised against using the GUI. He added that the code was so “nasty and broken” that it was not worth his time to fix it.

Since the bug was reported, Secunia and Internet Security Systems have given the Mplayer bug a high-risk rating.

SuSE also has noted that the Web browser Opera is affected by several security bugs. The company added that it has not been able to provide security updates in a timely manner, and instead has to wait for binary packages to be published by Opera.

Get the Spackle

In terms of future vulnerabilities, applications developed with Linux are not so different from proprietary applications when it comes to flaws and bugs.

“What you’re talking about is lines of code,” Yankee Group analyst Laura DiDio told LinuxInsider. “Whether that’s developed by a community or a company, there will be flaws. There’s no code that doesn’t have vulnerabilities.”

She added that some Linux users have considered themselves more protected in terms of security than users of Windows systems, but that attitude will change as more flaws emerge. “Linux customers need to be just as concerned about security as someone who’s using Windows or Unix,” she said.

Fortunately, the response to Linux-related security threats tends to be swift, as the Qt problem has demonstrated. One reason for quick action is the cohesion of the Linux community, which involves vendors and individuals in the fight against threats.

“The more people you have working on a problem, the faster it’ll get solved,” said DiDio. “Linux security is a prime example of that.”