Slashdot Mirror


Homeland Security Uncovers Critical Flaw in X11

Amy's Robot writes "An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parenthesis in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.

36 of 517 comments

  1. Related news by LiquidCoooled · · Score: 5, Funny

    In related news, the Department of Homeland Security has notified 3497 people where their missing TV remote control is to be found, where your wife was until 3am last Thursday and have completed a record number of sudoku puzzles in newspapers around the country.

    Government officials were unwilling to cite their sources for this information instead choosing to simply say "we are watching you".

    --
    liqbase :: faster than paper
    1. Re:Related news by rbochan · · Score: 5, Funny

      "This message brought to you by AT&T"

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    2. Re:Related news by x2A · · Score: 4, Funny

      oh yeah, it was also missing the opening one, but it sounds like a bigger danger if they only point out the closing one was missing (OMG, it was left open!) ;-)

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    3. Re:Related news by dimator · · Score: 2, Funny

      Can they get on the missing socks situation now, or what?

      --
      python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
    4. Re:Related news by _Sprocket_ · · Score: 2, Funny

      Just because the NSA is listening to you, doesn't mean they're gonna make your decisions for you.

      (that's the job of Congress and industry trade groups)

    5. Re:Related news by Reverend528 · · Score: 5, Funny
      This is why stuff should compile *without warnings*. It drives me nuts to compile something and see hundreds of warnings spit out.

      It drives me nuts too. That's why I use the -fsyntax-only option whenever I compile anything. It gets rid of the warnings so you know your code is safe!

    6. Re:Related news by SleepyHappyDoc · · Score: 3, Funny

      In related news, the Department of Homeland Security has notified 3497 people where their missing TV remote control is to be found

      No, no, that's a flaw in X10, not X11. That missing remote behaviour is an undocumented feature.

      --
      Stasis is death. Embrace change.
    7. Re:Related news by Isotopian · · Score: 2, Funny

      I didn't even know there was a 'sad' mod! Can we apply it to all the posters who make Yakov Smirnov Jokes?

      --

      It's poetry with a beat behind it! And guns! They're like beatniks with automatic weapons.

    8. Re:Related news by cgenman · · Score: 2, Funny

      You can have my decision-making encryption power when you pull it from my cold... dead... Hey! What are you doing? It was just a metaphor! A metaphor! Wait! Noooo!

      $#$#%... [signal lost]

  2. Way to go, boys! by Junior+J.+Junior+III · · Score: 5, Funny

    Kudos to the heroes who painstakingly reinserted the missing parenthesis!

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
  3. Any word on the fix? by FirstTimeCaller · · Score: 5, Funny

    A missing parenthesis in a bit of code is to blame...the flaw has already been corrected.

    Any word on exactly what the fix was?

    --
    Wanted: witty unique signature. Must be willing to relocate.
    1. Re:Any word on the fix? by RLiegh · · Score: 3, Funny

      Would half a parenthesis be considered a word?

    2. Re:Any word on the fix? by RemovableBait · · Score: 5, Funny
      * <-- Joke
      * <-- Your Head
  4. Re:Here is the actual flaw: by eln · · Score: 2, Funny

    Shouldn't that be:

    (X11 sucks monkey cock

  5. Success by mytmouse · · Score: 3, Funny

    Finally Homeland Security has done something noteworthy. I'm glad this benefits the X11 community.

    --
    the answers you get depend on the questions you ask.
  6. I wonder by kevin_conaway · · Score: 2, Funny

    I wonder if Miles Papazian discovered the flaw by reading the binary or by utilizing a machine-coded matrix?

    1. Re:I wonder by tcopeland · · Score: 3, Funny

      > I wonder if Miles Papazian discovered the flaw
      > by reading the binary or by utilizing a machine-coded matrix?

      I don't know, but I bet Chloe O'Brian is lurking nearby. And she's probably scowling.

  7. Re:Only one? by Frosty+Piss · · Score: 4, Funny
    They uncovered only one flaw? Sheesh.

    Only one that they are telling us about...

    --
    If you want news from today, you have to come back tomorrow.
  8. watch out for their patches, though by Anonymous Coward · · Score: 5, Funny
    #define ) ); Install_Patriot_PhoneHome();
  9. Little known fact... by Junta · · Score: 4, Funny

    X11 is actually written entirely in LISP, and therefore there are too many parentheses for a mere mortal to ever get straight.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  10. Easy by mobby_6kl · · Score: 2, Funny

    If the compiler doesn't have a problem with unmatched parentheses, to prevent any such problems in the future, simply insert) closing) parentheses) instead) of) spaces).

  11. Re:Already Corrected? by Anonymous Coward · · Score: 5, Funny

    Maybe it's an X11 server.

  12. Not Quite by mattwarden · · Score: 5, Funny

    Actually, it was not a missing parenthesis, but a missing parenthetical.

    double r;
    r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
    if ( r < 0.5 ) gotroot(true);

    And the patched code:

    double r;
    r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
    if ( r < 0.5 ) gotroot(true); (just kidding!)
  13. Re:So does this mean? by teslar · · Score: 2, Funny

    Well, from TFA: "This was caused by something as seemingly harmless as a missing closing parenthesis"

    So no, it is indeed just a closing parenthesis that is missing. Why exactly that bloke considered this 'seemingly harmless', I don't know though... that is rather like saying "The car crash was caused by something as seemingly harmless as a severed brake line."

  14. I just saw a story.. by ModernGeek · · Score: 2, Funny

    ..I just saw a story on digg (washes mouth out with pee to get bad taste out of my mouth), and noticed that the FAA just announced they will be running linux to track flights. Maybe there is a tie-in between this find and that announcement?

    --
    Sig: I stole this sig.
  15. Re:OpenBSD fixed on Jan. 21, 2000 by dietrollemdefender · · Score: 5, Funny
    If code looks 'dirty' (hard to read), they will often rewrite it so that it's easier to audit for bugs in the future.

    That is one brilliant policy! Kudos to whomever implemented that!

    It reminds me of an incident about 12 years ago. A bunch of us entry level programmers were sitting around and this one guy pipes up and says "Look! I wrote an entire function (it was C) in one line!" He did, too. It was one of those 'for' loops with a 'while' and a bunch of things in one line. It was impossible to read. I just shook my head and said, "If there's a bug in that code, and I get assigned to it, I'm coming for you!"

  16. Wow. Homeland Security.... by tomq123 · · Score: 5, Funny

    is getting close to being able to do what they portray on 24.

    Jack: I'm running out of time. I need that satellite image.
    Chloe: I opened a socket into a NASA server and I'm retasking the satellite.
    Jack: Great, download the image to my PDA.
    Chloe: I need your IP address.
    Jack: 1.2.123.129
    Chloe: I'm having some trouble. I'm hacking into a secure server at CTU, and sending the image to your PDA.
    Jack: I've got it. Thanks Chloe.
    Chloe: Whatever...

  17. Re:OpenBSD fixed on Jan. 21, 2000 by strabo · · Score: 5, Funny
    March 10 would be more correct

    More specifically, March 10th of 2006. Seven weeks ago.

    Best part was the CVS log:

    Fri Mar 10 17:29:51 2006 UTC (7 weeks, 4 days ago) by deraadt:
    proper geteuid calls because suse hires people who mistype things
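The summary's "missing parenthesis" and the CVS log line "proper geteuid calls" point at one well-known C defect class: writing a function's name without "()" in a comparison, so the code tests the function's address instead of its return value. The block below is an added illustration, not the X server's code or the log author's patch; the check shape `real_uid == 0 || geteuid != 0` and the function names are assumptions chosen to show why a single missing pair of parentheses turns a privilege check into a no-op, and what the corrected form does instead.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical privilege check of the kind the thread is joking about
 * (an assumption for illustration, not the X server's actual code).
 * The effective-uid lookup is passed in as a function pointer so the
 * check can be exercised with constructed values; a real program would
 * simply name geteuid here. */
typedef uid_t (*euid_fn)(void);

/* Defective form: the function name without "()" is the function's
 * address. An address is never 0, so "geteuid_fn != 0" is always true
 * and the guarded option is allowed for every caller, including an
 * ordinary user running a setuid-root binary. On the literal spelling
 * "geteuid != 0", gcc -Wall reports that the address of 'geteuid' will
 * never be NULL (-Waddress), which is why a warning-free build matters. */
bool option_allowed_buggy(uid_t real_uid, euid_fn geteuid_fn)
{
    return real_uid == 0 || geteuid_fn != 0;    /* missing "()" */
}

/* Corrected form: call the function and compare its return value.
 * Intent: the option is safe if the caller really is root, or if the
 * process is not running with root privilege at all (euid != 0). The
 * dangerous case, ordinary user plus setuid-root, is now refused. */
bool option_allowed_fixed(uid_t real_uid, euid_fn geteuid_fn)
{
    return real_uid == 0 || geteuid_fn() != 0;
}

/* Constructed euid sources standing in for geteuid in two situations. */
uid_t euid_is_root(void) { return 0; }      /* setuid-root binary, or real root */
uid_t euid_is_user(void) { return 1000; }   /* no elevated privilege */

/* True when the defective check would grant something the corrected
 * check refuses, i.e. the row of the table that the bug actually changes. */
bool buggy_grants_more(uid_t real_uid, euid_fn geteuid_fn)
{
    return option_allowed_buggy(real_uid, geteuid_fn)
        && !option_allowed_fixed(real_uid, geteuid_fn);
}

int main(void)
{
    /* Only the "unprivileged user, setuid-root process" row differs. */
    printf("real uid 1000, euid 0    : buggy=%d fixed=%d\n",
           option_allowed_buggy(1000, euid_is_root),
           option_allowed_fixed(1000, euid_is_root));
    printf("real uid 1000, euid 1000 : buggy=%d fixed=%d\n",
           option_allowed_buggy(1000, euid_is_user),
           option_allowed_fixed(1000, euid_is_user));
    printf("real uid 0,    euid 0    : buggy=%d fixed=%d\n",
           option_allowed_buggy(0, euid_is_root),
           option_allowed_fixed(0, euid_is_root));
    /* The live process, passing libc's own geteuid as the lookup. */
    printf("this process             : fixed=%d\n",
           option_allowed_fixed(getuid(), geteuid));
    return 0;
}
```

Compile with `gcc -Wall -Werror` and the literal `geteuid != 0` spelling fails the build, which is the cheap detection for this class; a code scanner of the kind the summary describes finds the same pattern without needing the build to be warning-free.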
  18. It all depends... by mistergin.net · · Score: 3, Funny

    Depends,

    Have you paid your Moses Fee?

    (let my packets go....) [as sung to 'let my people go']

    --
    Less Talk. More Stab.
  19. Re:Missing *pair* of parentheses - PASCAL? by Anonymous Coward · · Score: 1, Funny

    "Whereas Europeans generally pronounce my name the right way ('Ni-klows Wirt'), Americans invariably mangle it into 'Nick-les Worth'. This is to say that Europeans call me by name, but Americans call me by value."

    http://en.wikipedia.org/wiki/Niklaus_Wirth

    So was the X11 bug in European or American code?

  20. Re:Already Corrected? by Just+Some+Guy · · Score: 3, Funny
    Is LinuxUpdate.linux.com going to send this out on Tuesday automatically and reboot my machine?

    $ dig -t cname LinuxUpdate.linux.com
    LinuxUpdate.linux.com. 86400 IN CNAME ftp.us.debian.org.
    LinuxUpdate.linux.com. 86400 IN CNAME portsnap.freebsd.org.
    LinuxUpdate.linux.com. 86400 IN CNAME ftp.ubuntu.com.

    $ dig -t txt LinuxUpdate.linux.com
    LinuxUpdate.linux.com. 86400 IN TXT "Tonight, she comes."

    Yes.

    --
    Dewey, what part of this looks like authorities should be involved?
  21. Re:Another score for open source! by LegendLength · · Score: 2, Funny

    Microsoft runs these bug-checker-programs on their code all the time.

    Excluding Outlook Express I guess.

  22. Re:Another score for open source! by toadlife · · Score: 2, Funny

    "Excluding Outlook Express I guess."

    Perhaps it's part of their market effort to get people to upgrade to Outlook.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  23. Re:Another score for open source! by sorak · · Score: 2, Funny
    The advantage of open source shines through once again! This couldn't have happened with MS Windows, that's for sure... without access to the source code, this bug couldn't have been discovered, let alone fixed so quickly.

    (And yes, I know that some gov't agencies have a deal to view the Windows source code, but there are WAAAY fewer eyeballs looking at it, and from what I've heard the code is a big badly documented mess.)

    Yeah, but Windows is still safer, because the useful bugs are hidden in with all these other bugs. In fact, it's sometimes hard for a hacker to get to the exploit, because, first he runs into what I like to call "the blue screen OF FREEDOM!"
  24. Coming soon.... "Parenthesis Day" by renjipanicker · · Score: 2, Funny

    Starring Bruce Willis, of course, who assembles a crack team to go into the code and insert the missing punctuation before the world gets blown up.

  25. Re:OpenBSD fixed on Jan. 21, 2000 by zukakog · · Score: 2, Funny

    Then if I want to do my own debugging, I should only put half my effort into coding!