Linux vendors react to Qt flaw

Several Linux vendors have issued patches for a serious vulnerability in the widely-used Qt library, which could allow an attacker to take control of a system.

Since late last week, Red Hat, the Gentoo Foundation, Novell's SuSE and MandrakeSoft have all begun distributing updated Qt packages fixing the problem.

The flaw is in Qt, a software toolkit used in writing graphical user interface applications using the X Window system in Unix and Linux.

Security researcher, Chris Evans, discovered a bug in the part of the Qt library which decodes bitmap (BMP) image files: an attacker could use a specially-crafted bitmap file to crash any application using the Qt BMP decoder, potentially also executing malicious code. The bug affects Qt versions earlier than 3.3.3, according to researchers.

Additional flaws in Qt's decoders for GIF, XPM and JPEG images could crash applications, but did not allow code execution, researchers said. "Users of Qt should update to these updated packages," Red Hat said.

Earlier this month, Linux vendors urged users to patch a serious bug in the popular Mplayer media player application, which also allowed code execution. However, developers have warned that more bugs of the same sort are likely to be uncovered in Mplayer's graphical user interface and recommended administrators to switch the interface off.

The application ships with most major Linux distributions.