Homeland Security Uncovers Critical Flaw in X11
Amy's Robot writes "An open-source security audit program funded by the U.S. Department of
Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parentheses in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.
Check the CVS server. OpenBSD 0wns again!
In related news, the Department of Homeland security has notified 3497 people where their missing TV remote control is to be found, where your wife was until 3am last Thursday and have completed a record number of sudoku puzzles in newspapers around the country.
Government officials were unwilling to cite their sources for this information instead choosing to simply say "we are watching you".
liqbase
They uncovered only one flaw? Sheesh.
Kudos to the heroes who painstakingly reinserted the missing parenthesis!
You see? You see? Your stupid minds! Stupid! Stupid!
A missing parentheses in a bit of code is to blame...the flaw has already been corrected.
Any word on exactly what the fix was?
Wanted: witty unique signature. Must be willing to relocate.
Shouldn't that be:
(X11 sucks monkey cock
Would you have felt better if they hadn't found the flaw?
how long has this hole been in X11, i wonder?
Already corrected on what?
Is LinuxUpdate.linux.com going to send this out on Tuesday automatically and reboot my machine?
Oh sure, I'm trolling - but the point is this ISN'T updated on machines around the world. It's updated on a few machines that HAVE some sort of auto-update service (of which many required a fee with your "enterprise service license") and it may or may not be updated when you install a new machine.
I know *MY* servers aren't updated...yet.
That the compilers have a flaw as well? You would think that the semantic rules would catch this and throw a compiler error for a missing parenthesis but maybe I am missing something.
-- Brought to you by Carl's JR
Finally Homeland security has done something noteworthy. I'm glad this benefits the X11 community.
the answers you get depend on the questions you ask.
I wonder if Miles Papazian discovered the flaw by reading the binary or by utilizing a machine-coded matrix?
I hope stupidity isn't contagious or else I might become like you. Go back to digg where you belong.
Please, for the good of Humanity, vote Obama.
I'm not much in the ways of code, but shouldn't the compiler have caught the problem? Doesn't it hit an error if not all of your parenthesees (phonetic) are closed?
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
excuse my lack of programming 1337-ness, but what kind of code would compile with a missing parenthesis?
X11 is actually written entirely in LISP, and therefore there are too many parentheses for a mere mortal to ever get straight.
XML is like violence. If it doesn't solve the problem, use more.
Any word on whether this vulnerability is a risk for those using x11 within osx? TFA mentioned that the X windowing system shipped with OS X without stating what level of risk exists.
If the compiler doesn't have a problem with unmatched parentheses, to prevent any such problems in the future, simply insert) closing) parentheses) instead) of) spaces).
p.s. If it is an easy exploit, please do NOT show me a demonstration.
...
If you're wondering, here is the relevant SUSE security advisory from 21.3 - http://www.novell.com/linux/security/advisories/2006_16_xorgx11server.html
I'm using debian 3.1. Is this something I'm going to have to run dist-update for? (the 'crap' is because I'd have to update over dialup).
As this only affects 6.9 and 7.0 (RTFM), you'd need some form of auto-update to actually be exposed. Most distros are still at 6.8.
M.
The US government is only publicizing this because Microsoft has enough money to bribe it, and it needs some heat taken off its own flaws!
Just kidding...
--- "Remember, there's a difference between bowing down and bending over." -Frank Zappa
That is used as test each semester for MIT students. So, if it were available on the web, then it would remove an afternoon's work.
I prefer the "u" in honour as it seems to be missing these days.
1) Insert a missing parentheses.
2) Get a new coffee machine. The old one made the coffee horrible.
3) Break
4) Hire more TSA agents. Sure, there are already about 15 extra ones at every airport...
5) Another break.
6) Profit?
(And yes, it drives me crazy to see TONS of TSA Agents everywhere, doing nothing.)
if you said a + b * c but you really wanted (a + b) * c the compiler won't bleat.
Engineering is the art of compromise.
Hang on... a missing parenthesis would cause a compilation error ... am I missing something?
Actually, it was not a missing parenthesis, but a missing parenthetical.
double r;r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
if ( r < 0.5 ) gotroot(true);
And the patched code:
double r;r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
if ( r < 0.5 ) gotroot(true); (just kidding!)
The fix was posted before, but the problem was that someone used "geteuid" rather than "geteuid()".
This results in making use of the function address rather than the return value of the function, which could cause difficulties.
So, how is this different from this? I haven't read enough of either, they could be related...
Please note that this exploit is for the local user only. If you are the only user on your Apple or Nix box, then this is a non-news item. However if the BSA, RIAA, MPAA, or Dept of Homeland Security has taken your box and wants root, then you might have a problem. ;-)
The truth shall set you free!
brilliant sir i applaud you
What a novel concept
actual code patch:
--- programs/Xserver/hw/xfree86/common/xf86Init.c.orig 2006-03-17 23:30:10.000000000 +0200
+++ programs/Xserver/hw/xfree86/common/xf86Init.c 2006-03-17 23:29:35.000000000 +0200
 /* First the options that are only allowed for root */
@@ -1376,7 +1376,7 @@
}
- if (getuid() == 0 || geteuid != 0)
+ if (getuid() == 0 || geteuid() != 0)
{
if (!strcmp(argv[i], "-modulepath"))
{
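Review bot: before this hunk `geteuid != 0` compared the address of the geteuid function with 0, which is never null, so the whole condition was always true and every option gated by this block, -modulepath among them, was accepted from a setuid-root server started by an ordinary user; the added `()` restores the intended test. One point remains at the `+` line: `geteuid() != 0` treats any non-root effective uid as safe, so a server installed setuid to some other account would still pass; if that is not a supported configuration, say so in a comment next to the test, or compare `getuid() == geteuid()` instead so any setuid run is excluded.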
@@ -1679,7 +1679,7 @@
}
if (!strcmp(argv[i], "-configure"))
{
- if (getuid() != 0 && geteuid == 0) {
+ if (getuid() != 0 && geteuid() == 0) {
ErrorF("The '-configure' option can only be used by root.\n");
exit(1);
}
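Review bot: the pre-patch `geteuid == 0` at the `-` line could never be true (a function address is not 0), so the ErrorF/exit(1) branch was dead code and -configure was usable by any user of the setuid-root binary; the corrected `getuid() != 0 && geteuid() == 0` makes the rejection fire. The same typo appears twice with opposite polarity (`|| geteuid() != 0` in the hunk above, `&& geteuid() == 0` here); consider a single helper such as `running_as_real_root()` used by both call sites so the privilege test lives in one spot and one omitted pair of parentheses cannot silently invert it.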
Bug:
https://bugs.freedesktop.org/show_bug.cgi?id=6213
ELOI, ELOI, LAMA SABACHTHANI!?
Just as with the WMD's, why are they looking for things that are not there? Oh wait, this is actually a good thing. :-)
Why is this newsworthy? I assume bugs and vulnerabilities are solved all the while, right? If nothing else it at least shows that Open Source is working. The more eyes you have, the more errors are solved.
To the code: big brother is watching you.
Don't fight for your country, if your country does not fight for you.
-- Thou hast strayed far from the path of the Avatar.
I wonder how many potential security holes Coverity's uncovered by scanning Windows source....oh wait....they can't. Well I'm sure if they signed an NDA they could tell M$ and get it fixed in a....um...err...sorry, you'll have to wait for the next patch cycle.
To Alcohol! The cause of, and solution to, all of life's problems.
This is from march, why is everyone freaking out now?
The flaw may have been corrected in the source tree, but that says nothing for the tens of millions of X11 systems out in the field yet.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The advantage of open source shines through once again! This couldn't have happened with MS Windows, that's for sure... without access to the source code, this bug couldn't have been discovered, let alone fixed so quickly.
(And yes, I know that some gov't agencies have a deal to view the Windows source code, but there are WAAAY fewer eyeballs looking at it, and from what I've heard the code is a big badly documented mess.)
My bicyles
At least we will see how was the Debian update infrastructure improved since last time, when it brought the server down on its knees.
..I just saw a story on digg (washes mouth out with pee to get bad taste out of my mouth), and noticed that the FAA just announced they will be running linux to track flights. Maybe there is a tie in-between this find and that announcement?
Sig: I stole this sig.
is getting close to being able to do what they portray on 24.
Jack: I'm running out of time. I need that satellite image.
Chloe: I opened a socket into a NASA server and retasking the satellite.
Jack: Great, download the image to my PDA.
Chloe: I need your IP address.
Jack: 1.2.123.129
Chloe: I'm having some trouble. I'm hacking into a secure server at CTU, and sending the image to your PDA.
Jack: I've got it. Thanks Chloe.
Chloe: Whatever...
AFAIK this exploit can be used over the net, but only if you've enabled remote logins in your Xconf. I'm not aware of any distro that does that by default, and the Xconf "sample" that comes with XFree86 or Xorg both have remote logins disabled.
I realize that it's too much to assume that anyone geek enough to enable remote X sessions is also geek enough to protect his system adequately, but most of the time that will be the case.
Open Source for Open Minds
AFAIK this exploit can be used over the net, but only if you've enabled remote logins in your Xconf.
The article specified local. Whether this would work over the net could be a subject of debate. You might be right and the article did not touch on remote X sessions.
The truth shall set you free!
Depends,
Have you paid your Moses Fee?
(let my packets go....) [as sung to 'let my people go']
Less Talk. More Stab.
"Whereas Europeans generally pronounce my name the right way ('Ni-klows Wirt'), Americans invariably mangle it into 'Nick-les Worth'. This is to say that Europeans call me by name, but Americans call me by value."
http://en.wikipedia.org/wiki/Niklaus_Wirth
So was the X11 bug in European or American code?
The buggy code looks like what some guy would insert into the source code to create a root exploit.
Remember the attempted root exploit by obfuscated code in the linux kernel?
While serious, the flaw has already been corrected.
Of course, if the (another) flaw were discovered in Windows, it would hardly be newsworthy.
The government is in cahoots with Microsoft! This is all just a smear campaign because we KNOW that security vulnerabilities like this do NOT happen in Open Source software! The software goes through "many eyes" who catch these kinds of things. The fact that it occurs in recent and older versions of the software simply proves they're just smearing, and there's no basis for this in fact. I'm so tired of other people pointing out the security flaws in our software. Don't they understand we're working towards a common goal of ridding the world of Microsoft who make useful, but insecure software! We want the world to use software that's more difficult to use, but secure. That way, only people who know what they're doing will ever use a computer, just as our lord, Linus, says it should be. Torvaldo Fhtagn!
Please note: the above is a work of fiction, sarcasm and humor. If you didn't find it funny, pull the rod out of your ass and get a clue.
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
The effective UID (euid) is changed when you run a setuid app, while the real UID (uid in this case, or ruid) is not.
The effective UID is normally associated with permission to access files. Well, Linux actually uses the filesystem UID (fsuid or fuid) for that, but that one nearly always tracks the effective UID for compatibility.
There is also a saved UID (suid or svuid) that is helpful for apps that need to swap UIDs back and forth. It's not used for anything else.
if the-user-really-is-root or the-user-can-do-no-harm-trying
The second case is probably for debugging or for when using a non-setuid X server that relies on a kernel-based framebuffer device to control access.
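The two comments above (the "geteuid rather than geteuid()" explanation and the uid/euid walkthrough) describe why the typo made the checks meaningless. The following is an added example, not code from the thread or from X.Org: the two predicates from the patch are rewritten as hypothetical helpers that take the real and effective uid as parameters, so the setuid-root case can be exercised from an ordinary unprivileged process, and the buggy variants reproduce the original mistake verbatim by comparing a function pointer instead of a return value. The uid values 1000 and 0 are constructed sample input.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Fixed predicates, written exactly as in the patched xf86Init.c but taking
 * the real and effective uid as parameters (hypothetical helpers, not X.Org
 * code) so every case can be tried without being root or setuid.
 */
static int root_options_allowed_fixed(uid_t ruid, uid_t euid)
{
    return ruid == 0 || euid != 0;        /* really root, or not running setuid-root */
}

static int configure_rejected_fixed(uid_t ruid, uid_t euid)
{
    return ruid != 0 && euid == 0;        /* setuid-root binary started by a non-root user */
}

/*
 * Buggy predicates: the original source wrote geteuid without parentheses, so
 * the comparison was against the function's address, not its return value.
 * The function pointer is passed in so the same expression can be reproduced.
 */
static int root_options_allowed_buggy(uid_t ruid, uid_t (*geteuid_fn)(void))
{
    return ruid == 0 || geteuid_fn != 0;  /* an address is never 0: always true */
}

static int configure_rejected_buggy(uid_t ruid, uid_t (*geteuid_fn)(void))
{
    return ruid != 0 && geteuid_fn == 0;  /* never true: the root-only check is dead code */
}

/* Constructed scenario: an ordinary user (ruid 1000) runs the setuid-root server (euid 0). */
#define ATTACKER_RUID    1000
#define SETUID_ROOT_EUID 0

int main(void)
{
    printf("this process: getuid()=%u geteuid()=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());

    printf("setuid-root server run by uid %d:\n", ATTACKER_RUID);
    printf("  root-only options allowed  fixed=%d buggy=%d\n",
           root_options_allowed_fixed(ATTACKER_RUID, SETUID_ROOT_EUID),
           root_options_allowed_buggy(ATTACKER_RUID, geteuid));
    printf("  -configure rejected        fixed=%d buggy=%d\n",
           configure_rejected_fixed(ATTACKER_RUID, SETUID_ROOT_EUID),
           configure_rejected_buggy(ATTACKER_RUID, geteuid));
    return 0;
}
```

With the fixed predicates the attacker scenario prints allowed=0 and rejected=1; with the buggy ones it prints allowed=1 and rejected=0, which is the whole vulnerability: the root-only branch was reachable by anyone who could execute the setuid binary, and nothing in the expression depended on who that was.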
did she already tazer that drunk dude too? ;)
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I think we should throw a ticker-tape parade on behalf of the heroic inanimate carbon^Wparentheses!
(On an annoyingly pedantic note, I doubt very much it was a missing parenthesis, because that would fail to compile in every language I know. I do, however, believe that there were missing parentheses.)
ah -- this can not happen in ruby code ;)
geteuid
is the same as
geteuid()
if geteuid is a method or function in the scope
Jack: Sorry Chloe, that IP address was 163.56.1.276 Chloe: Trying it now Jack, thanks
-- "It's not stalking if you're married!" My Wife.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
The compiler's job is to turn any syntactically valid source code into executable code. It might warn you about syntactically dubious constructions. But compilers aren't designed to catch logic errors. While the presence of syntax errors tells you that the code is definitely wrong, the absence of syntax errors does not indicate that the code is correct.
An expressive, succinct, high-level language is still the better bet than a verbose language for producing quality code. All the verbose language does is make you type more, and probably increase the total number of typos. Working in Pascal just creates more syntax errors, which doesn't necessarily reduce the number of logic errors. If you insist on being verbose, your effort would be better spent on adding more assertions and comments to your code.
Unfortunately, if the goal is to produce quality code, C is succinct in all the wrong places, with shortcuts like if (a = b), and verbose in all the wrong places, such as requiring you to do your own memory management.
I can just see the invoice for an audit on a closed-source project...
Quantity Item Price
1 pair parenthesis $ 1
1 knowing where they belong $999,999
total $1,000,000
the lameness filter hates crudely formatted posts and will make you resort to things even more crude
as if several sequential spaces do not compress well. yeah, right.
Computers don't actually think. You just think they think. (We think.)
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2006 OSTG.
like this filler is worthwhile?
This flaw was found by a security audit of the code, which is an advantage of OSS, that such audits can be performed by third parties. But why didn't the ongoing peer reviews performed by the open source community themselves uncover this ages ago?
-- "I never gave these stories much credence." - HAL 9000
Jack: "That was a test. Chloe would have known that 276 is an illegal address byte. We have your room surrounded. Either come out now with your hands up, or take the cyanide pill."
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
There can't be a "missing parenthesis in X11" because X11 is not a piece of code, it's a protocol. This vulnerability only affects the X.org and XFree86 implementations of X11; there are many other implementations that are not affected.
It's pretty sad that Windows and Macintosh have conditioned people to think that every window system is just a piece of code; the notion that a window system could be an API standard with multiple implementations doesn't seem to occur to them.
So you'd like it more difficult to write code?
I'm sorry, but the point about C and C++ with their 'make it so' attitude, whether it's right or wrong.
This defect is a failure of the good old 'Mark 1 eyeball' when it came to submission, pure and simple.
The irony is that many programmers think that C and C++ are difficult languages on the basis that they don't 'Do what I mean'.
Maybe we should all be programming everything in Ada instead?
The point is, you do have to think about what you're doing when writing software. If you're not doing that, then I'm afraid that your sloppy thinking will come back and bite you in the arse sometime extremely soon. A software language is just a tool like any other, to use and misuse as you see fit...You sum up the pros and cons...
The fault is with the programming process, and no matter what tools you use to implement something, it will never make up for the clarity of thought required to implement something well.
The concept of the language is to improve the visibility of what you're doing, and enable you to write software rapidly and reliably, but if no-one is checking what is written, then the choice of language is immaterial.
Although I'm not a great believer in the holy OSS, I would have thought that the concept of 'Many Eyeballs' would have picked it up earlier, although I gather that this has already been spotted and fixed in many situations.
That reminded me... Isn't it great that whoever decided to give a name to the phenomenon of "lisping" spelled it that way? So subtly evil!
To do list for Windows
Tiger shipped with (X11 1.1 - XFree86 4.4.0) and X11R6.9.0 and X11R7.0.0 are forked from that. So it could well affect Mac OS X. If it does it will be interesting to see how long it takes Apple to provide an update if at all, given that it's open source
I'm not exactly an expert on C, but I've often been confused by this:
In C, if I want the address of a variable X (say it's an int, float, double, char, etc - any C-defined data type), I would use the ampersand operator:
int x = 20;
int * ptr_x = &x;
So, why not use the same convention for getting the address of a function?
( skipping declaration of function_ptr because I don't remember the syntax for it - just been too long since I needed to declare a function pointer variable)
function_ptr = &myFunction
- sure it adds a little bit of verbosity (one character's not bad), but would make it more explicit that I want the address of the function. And, lacking the ampersand, you could then have the compiler throw an error.
Is there some subtelty of the C-language that such syntax would cause some sort of collision with another c construction? Like, for example, does the C language really use all function names as declarations of pointer variables, so that &myFunction is the address of the variable that holds the pointer to the actual function code, rather than the address of the code itself?
I dunno, but in any case, it should be more difficult, syntactically, seems to me, to run into this type of programming error than it actually is, apparently.
They found a critical flaw, however due to the invocation of State Secrets Privilege (http://en.wikipedia.org/wiki/State_Secrets_Privil ege) they are unable to discuss the matter any further.
Hmm. Well where I work most sites have a linux server that allows machines that are somewhat akin to thin clients to connect to a master X server.
It's actually an octet not a byte (in the above stated format)
;)
Who are you and where is the real jack
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
The set of those bearing this sig is composed of between zero and infinity thieves, and exactly one liar.
They're there affecting their effect.
The exploit mentioned in this article cannot be exploited by a user who isn't logged into your system - you have to be able to run the Xorg command with certain options. See X.Org's advisory at http://lists.freedesktop.org/archives/xorg/2006-March/013992.html
They actually found something.
Homeland Security was able to do the code audit on X11.
Maybe that really should be written as, because the source code was publicly available, Homeland Security was able to do this. How many of these types of faults exist in closed source software that no outside group had the chance to dig into like with X11 or OpenBSD or...
Graham
It's in code that allows you to do things like load code modules from other paths, so it's only allowed if you're already root or not running setuid-root. (It should probably check that you're not running setuid at all, but there's no real point having Xorg setuid to anyone but root, so no one has added that check.)
It's actually an octet not a byte (in the above stated format)
:P
;)
:P
Indeed, it's an octet within the 32-bit field. And the size of that octet (and indeed all octets) is 1 byte.
So your perfectly accurate observation merely highlights that the illegal 276 was trying unsuccessfully to be only one quarter part of the IP address, which we knew already.
Who are you and where is the real jack
The real Jack's hiding from pedants. You can see his point. And Chloe took the cyanide to keep the thread from growing.
They are trying to find sufficient errors in Linux code to explain why they were the only group of people in the world who didn't know a major hurricane could cause the levees to break in New Orleans. (They may be on Windows, hard to tell as they use Akamai to ensure uptime)
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
If it is, I need to patch my server ASAP.
My wife doesn't listen to me either...
If this results in a Government move to OSS, ensuring that it's as secure as the proponents (of which I am one) say, then I'm all for it! IIRC, TFA mentions a $1.2M price tag for this "security scanning". If that results in more OSS in Gov't, it's worth exponentially more than the current pricetag. I am longing for the day when I can use an OS that is open source. My little 55 person outfit has more than $1.2M of MS and supporting software, between the OS, Exchange, Office, Server, AD, card readers, AV, apps to "push down" upgrades, etc.., I get tired of having to drink the Kool-Aid
When are they gonna repeat this for Windows?
It is getting rather obvious that Microsoft can't be bothered to use automated code scanners; when will Homeland Security force themselves on the company whom 90% of everyone runs the OS from?
Hmmmm, no answer. Why is that?
Thank you, DHS. Today you have made the world safer.
I just checked, and stupid gcc does not produce any warning whatsoever. I tried it as C++, I tried -Wall and -W, and still nothing. Not a good showing there.
I think the proper warning is that the test is constant. "geteuid != 0" is always true.
Rumor has it the ISO C++ committee is likely to pass through a proposal for a new keyword, nullptr, which will have a "magic" type "pointer-to-anything" and has the value of the null pointer constant.
So, e.g.:
struct A;
int f( A* );            // #1
int f( int );           // #2
int m = f( 0 );         // calls #2
int n = f( nullptr );   // calls #1
Of course, that wouldn't help in the aforementioned case. 0 will still be convertible to a pointer type as it is now; it's just that 'nullptr', being a pointer itself, makes for a "better" conversion to a real pointer type.
nullptr is supposed to be a non-disruptive pure extension (except for the fact that it breaks code that uses 'nullptr' as an identifier) -- meaning that it should not change the meaning of existing code.
A linux terminal server needs only the X libraries, not even a single instance of an X server, which generally requires elevated privileges to run. I think I've seen work to correct that, but as it stands at large an X server runs as root and has to arbitrate security, whereas X applications linked to X libraries, displaying to a thin client over the network, the server has no root level code and only the thin client filesystem/system is at any risk.
XML is like violence. If it doesn't solve the problem, use more.
Unfortunately, the distros compete with the likes of Windows. As such, though technically speaking X on a multi-user system of any remote importance is a bad idea, if you shrug off X on servers Windows administrators may not like it as much. Install Red Hat or SuSE server oriented distributions and by default you still end up with a X environment. Good administrators know not to run X and it is powerful and even more convenient to run X apps remotely or inside a detachable VNC session. For small business to medium business/departmental servers, expect X servers to be the norm in the enterprise despite best practice.
The obvious solution is X not as root, so the worst you can do is screw around with the devices X really needs access to (screw around with the graphics, and local input devices, but an administrator can still ssh and have an intact, secure system in the ways that matter)
XML is like violence. If it doesn't solve the problem, use more.
That is very well written. Congratulations. You are winner.
"Computers don't actually think. You just think they think. (We think.)"
Even when we're on the brink
Of thinking what we think we think,
The honest eye should wink.
-Auden (of course. Sometime in the 70s.)
If it's in UTF16 on a 16-bit machine, or UTF32 on a 32-bit machine, then yes.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Starring Bruce Willis, of course, who assembles a crack team to go into the code and insert the missing punctuation before the world gets blown up.
"A missing parentheses in a bit of code is to blame. " how was the source able to compile?
That last one makes things tough. How can you have security when everything is known? Well, in practice that is the only context security is even possible. "Security through obscurity" really means "we don't know what our opponents know and we're not even sure what we know". If, however, you assume that your opponents know everything then you don't take shortcuts. You plan for contingencies, you have fallback positions, you have not just a plan but a roadmap of possibilities and how to deal with them.
(At least, for any scenario too complex to actually have a complete solution for. For simpler problems, such as a chess puzzle or - for the past decade - the entire game of draughts, it is possible to map a complete, guaranteed winning strategy that will work no matter what the opponent does. Such a solution exists for the complete game of Chess and indeed for the complete game of Go, but has not yet been found. For any given computer system, such a solution must also exist for the operator/admin, but the chief problem has always been to get them to bother even putting the bits of solution that are known in place.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
They are only telling you about this because they were using it to root machines and somehow got busted for it and found another way to do it which is less obvious. Naturally they want you to think you are safe, that's their job. ;)
Next week there will be a followup article:
"The Department of Homeland Security has taken into custody the programmer who injected the security flaw in the commonly used X11 Linux server. The programmer is suspected of having ties to new-age terrorist groups. Officials state that a plot was in progress to compromise vital government computers via this security flaw. Despite the target being an open-source program, the flaw subtle enough that nobody would spot it, despite being very serious. The suspect will be tried on charges of terrorism, vandalism, and a violation of the Millenium act... "
This caught my attention:
"...using an automated code-scanning tool..."
In fact, I just heard a talk last Friday about some of our University's faculty's efforts to make code-verifying programs. You give the program what the code is supposed to do, run the program on your code, and the program tells you whether or not the code does what it's supposed to do. The group hopes to run their program on a 1 million line, production ready program in the near future.
If anyone's interested, a similar presentation is available at http://www.cs.utexas.edu/users/misra/HCSS.pdf.
http://lists.freedesktop.org/archives/xorg/2006-April/014874.html
should be applied next, otherwise the bug is still there
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
The better question that nobody has asked is this one... would Microsoft submit to this, and release their codebase to public scrutiny? They attack Open Source / Free Software as if we're the devil, but we've put a lot of work and heart into making things clean and clear. True, Linux / Opensource misses a few points that BSD's have traditionally followed more closely (being free to all) but this also allowed a wealth of magnificent code to be completely ripped off by people who then denigrate all forms of non closed source code (Microsoft for one, despite the fact that the entire world bases their TCP/IP stack on that developed by Berkeley, and all of M$'s TCP/IP tools seem based on or completely ripped off from the BSD groups.)
:)
But what do I know
" What luck for rulers that men do not think" - Adolf Hitler
they were apparently wrapped around Weapons of Mass Destruction in Iraq
When did C have strong type checking?
It's normal for you to misuse stuff without casting. If you're lucky gcc might grumble about it.
That's the difference between closed source and open source I guess...
Critical vulnerability in X11, missing parens are to blame, report: "missing parens in code leaves X11 vulnerable, the problem is fixed."
--vs--
Critical vulnerability in Windows, missing parens are to blame (but that's under NDA), report: "the incompetent programmers of the Redmond monopolist did it again, your Windows is totally open to hackers due to a bad, bad vulnerability. While we're on this, let's discuss also how OSX and Linux are infinitely cooler than Windows will ever be, and how Windows users are clueless idiots."
Sure,
would not silently compile into something bad, but the following still would:
Linux user since early January 1992.
so if I understand correctly, if I can set the suid-bit to another non-privileged user I'll be able to pass this check?
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."
Shouldn't that quote be that if you write the code cleverly in the first place, you're too smart to debug it?
Don't take the above poster too seriously. He doesn't.
That is another and more general problem, namely implicit pointer to int cast.
The many implicit conversions have never been my favorite part of the language, and I try not to rely on them in the code I write.
...of this is: use a real programming language, in which comparing a function's name to an int is a syntactic error rather than a pointer operation.
The if block will be executed anyway, since the result of getuid() is either zero or non-zero.
A good programming language would catch that error: comparing a function address with 0 makes no sense, because the function address can never be 0. Referring to 'getuid' as a function pointer should be a mistake. The function pointer of 'getuid' should be '&getuid' (i.e. getting a reference to the function).
The above shows how broken C is (and C++ by extension), and that the software problems the IT industry has are mostly due to inferior programming languages.
If there were no parenthesis, there would be no hole. With the new there is now a hole where there was none.
You shouldn't need to do a dist-upgrade, upgrade should be fine - Debian maintainers will almost certainly backport this if required.
Yeah, and do what?
If you can make a program setuid someone else, you have sufficient privileges to execute anything you want with their rights. It still won't get you root, because the process won't be running as root.
It's a good job X11 is open source software, otherwise this bug may have gone unnoticed.
Never rely on 0 being a reasonable value for pointers. Use NULL.
I've seen too many programs segfault on AMD64 just because some lazy programmer wrote "0" as a pointer value to save typing the three more characters required to type "NULL". "0" is a 32 bit integer which turns out to be NOT equal to "NULL", a 64 bit pointer.
Functions are constant pointers in C. After all, what is a function but an address that the program jumps to. In this respect they are similar to arrays.
e.g.
int a [20];
int f() {}
a is a pointer. f is a pointer.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
If anyone has access to your box and wants root you are in trouble anyway, unless you have some sort of encrypted root-filesystem...
I thought the size of all octets was 8 bits, and the size of a byte was between a number higher than about 6 and hopefully lower than 40. Historically speaking.
It's always been 8 bits, except during the energy crisis when pushing electrons around got a lil more expensive, they used 7 bits for a while. Measure the size of a 2x4 some time.
fnord.
Lets try that again...
I may be being slightly thick here, but isn't it checking that
EITHER
uid == 0 (the process was started by root)
OR
euid != 0 (the effective user id is not root)
Now, the euid!=0 check is presumably to check the program is not suid root, but, because it's an 'or', the check would also be passed if the program was not started by root and *not* suid root? Checking the euid!=0 doesn't tell me much - because it can be almost anything - unless we also check the uid and suid to give context.
If you understand the situation better and can see why the code is correct, then I'd genuinely appreciate an explanation of the above.
Cheers,
Justin.
You're only jealous cos the little penguins are talking to me.
Didn't they have the worst gov security rating? Yet they have time to dig into
outside projects.. on security no less?
Misappropriation of time maybe?
We have seen that living things are too improbable and too beautifully "designed" to have come into existence by chance.
Since the
Um. OK. I've been watching too much adult swim. I'll admit it.
Signatures are a waste of bandwi (buffering...)
Live today, because you never know what tomorrow brings
...have known for years that the whole entirety of X11 is one huge gigantic gaping security hole anyway. That's why none of us with an IQ greater than our shoe size ever run it on any hosts directly exposed to the public Internet.
In concept, there is a separate protocol and implementation of X. But the source has been available under a very permissive license since the very beginning. Because of this, the only thing I've ever seen that was reimplemented was the server (window server), everything else has just been compiled directly from the reference sources.
And even those window servers are compiled from sources derived from the reference sources, with patches.
Do you actually know of any implementations of X other than the two you mentioned? I tried to search for some and couldn't find any.
http://lkml.org/lkml/2005/8/20/95
Beta edition.
Copyright © 1996. Thomas W. Christopher
Quote:
Icon *can* be compiled, but especially these days there's hardly any need to do so.
The PC hardware doesn't support proper framebuffer + display command lists...
You end up not being able to write a real driver.
X therefore needs direct access to the hardware registers.
On any reasonable I/O architecture you can have driver provide that level of access without direct hardware interface.
Sorry, I couldn't resist.
The thing is, if it's not root and not setuid root, _it can't do anything dangerous_. This code is something that should only be allowed if the user is running as root (not just setuid root, as, AFAIK, X is by default to let it access hardware) , and that's how it originally was. Recently, though, someone added the code to say that if it wasn't setuid root - in other words, if it can't do something harmful, if it's running with normal user privileges - it doesn't matter, let it try and execute the code anyway.
I don't know why you would run X with normal user privileges. I can't think of any such situations, but I'm not an X guru; perhaps it's related to the modularization of X.
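The check Justin asks about above, and the explanation in the post just before this one, both come down to two lines of C. The following is an added example, not code from the X.org tree or from any poster in this thread: it puts the form with the missing "()" after geteuid next to the intended form, and tabulates the intended check over explicit uid/euid pairs so the three cases (real root, setuid-root run by a normal user, plain unprivileged process) can be seen without actually installing a setuid binary. getuid/geteuid are the real POSIX calls; the helper names (buggy_check, fixed_check, buggy_allow, allow_dangerous_option) and the sample id pairs are this example's own.

```c
/* Added example (not from X.org or from this thread). Contrasts the
 * broken privilege check with the intended one. Helper names and the
 * sample uid/euid values below are this example's own assumptions. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The broken form. Without "()" geteuid is a function designator, which
 * C silently converts to a pointer to the function. That pointer is never
 * null, so "geteuid != 0" is always true and so is the whole condition.
 * gcc -Wall (-Waddress) warns "will never be NULL" here, but the code
 * still compiles and runs. */
int buggy_check(void)
{
    return getuid() == 0 || geteuid != 0;   /* always 1 */
}

/* The intended form: the effective uid is actually consulted. */
int fixed_check(void)
{
    return getuid() == 0 || geteuid() != 0;
}

/* Same broken logic over explicit ids: euid is simply ignored, so a
 * non-root user driving a setuid-root binary passes. */
int buggy_allow(uid_t uid, uid_t euid)
{
    (void)euid;                              /* never looked at */
    return uid == 0 || geteuid != 0;        /* always 1 */
}

/* Same intended logic over explicit ids. Returns 1 when a privileged
 * command-line option may be honoured: either the real user is root, or
 * the process holds no root privilege at all (euid != 0), in which case
 * honouring the option cannot escalate anything. The one rejected case
 * is uid != 0 with euid == 0, i.e. an ordinary user running a
 * setuid-root binary. */
int allow_dangerous_option(uid_t uid, uid_t euid)
{
    return uid == 0 || euid != 0;
}

int main(void)
{
    /* Constructed sample pairs: (real uid, effective uid). */
    struct { uid_t uid, euid; const char *what; } cases[] = {
        { 0,    0,    "root running the server"              },
        { 1000, 1000, "unprivileged, not setuid"             },
        { 1000, 0,    "unprivileged user, setuid-root binary" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-38s buggy=%d fixed=%d\n", cases[i].what,
               buggy_allow(cases[i].uid, cases[i].euid),
               allow_dangerous_option(cases[i].uid, cases[i].euid));
    }
    printf("this process: buggy=%d fixed=%d\n", buggy_check(), fixed_check());
    return 0;
}
```

The table makes the answer to the "OR" question concrete: "uid == 0 || euid != 0" is meant to let the option through whenever it is harmless (no root privilege in play) or whenever root asked for it, and to stop only the setuid-root-by-a-normal-user case. With the parentheses missing, that one case is let through as well, which is the whole hole.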
If one of those entities wants to gain root access to your machine after it is confiscated, they would probably just boot it single user and change the root password.
Yes, and in 300+ comments, I wonder if anyone's mentioned that a good "hacker" "cracker" whatever you want to call him (security penetrator?) with a good hex editor, handmade if necessary, could EASILY break a system... at least with Open Source the bugs CAN be found... and oftentimes people stumble upon them when they run a search for kicks (I should know, I found a bug in RedHat 5.2... back when I was in college, using RedHat 5.2, and the only reason I found it was because I decided to test the actual software used so I could get some practice using debugger and code/event tracers.) It was awesome watching the drivers take hits in memory as I moved the mouse about, etc. It's a truly liberating experience, probably the same as when someone finally understands our universe... it's just a step into a bigger world.
" What luck for rulers that men do not think" - Adolf Hitler
Ok, the more "correct" version is "win or draw under any conditions". However, if the game can continue forever, then that would be a valid "draw" condition, as neither side has lost. In chess, they have a three-repeat rule to avoid continuous cycles of this kind by just classing it as a stalemate.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Smashing explanation - thanks.
Justin.
You're only jealous cos the little penguins are talking to me.
It's great - a huge security flaw and it's treated as "whoops!" A typo, no less, treated as an oversight and no big deal.
Imagine what all you hippies would do if MS said something like this?
KF