Slashdot Mirror


Homeland Security Uncovers Critical Flaw in X11

Amy's Robot writes "An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parentheses in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.

21 of 517 comments

  1. Related news by LiquidCoooled · · Score: 5, Funny

    In related news, the Department of Homeland security has notified 3497 people where their missing TV remote control is to be found, where your wife was until 3am last Thursday and have completed a record number of sudoku puzzles in newspapers around the country.

    Government officials were unwilling to cite their sources for this information instead choosing to simply say "we are watching you".

    --
    liqbase :: faster than paper
    1. Re:Related news by rbochan · · Score: 5, Funny

      "This message brought to you by AT&T"

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    2. Re:Related news by x2A · · Score: 4, Funny

      oh yeah, it was also missing the opening one, but it sounds like a bigger danger if they only point out the closing one was missing (OMG, it was left open!) ;-)

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    3. Re:Related news by Reverend528 · · Score: 5, Funny
      This is why stuff should compile *without warnings*. It drives me nuts to compile something and see hundreds of warnings spit out.

      It drives me nuts too. That's why I use the -fsyntax-only option whenever I compile anything. It gets rid of the warnings so you know your code is safe!

    4. Re:Related news by SleepyHappyDoc · · Score: 3, Funny

      In related news, the Department of Homeland security has notified 3497 people where their missing TV remote control is to be found

      No, no, that's a flaw in X10, not X11. That missing remote behaviour is an undocumented feature.

      --
      Stasis is death. Embrace change.
  2. Way to go, boys! by Junior+J.+Junior+III · · Score: 5, Funny

    Kudos to the heroes who painstakingly reinserted the missing parenthesis!

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
  3. Any word on the fix? by FirstTimeCaller · · Score: 5, Funny

    A missing parentheses in a bit of code is to blame...the flaw has already been corrected.

    Any word on exactly what the fix was?

    --
    Wanted: witty unique signature. Must be willing to relocate.
    1. Re:Any word on the fix? by RLiegh · · Score: 3, Funny

      Would half a parenthesis be considered a word?

    2. Re:Any word on the fix? by RemovableBait · · Score: 5, Funny
      * <-- Joke
      * <-- Your Head
  4. Success by mytmouse · · Score: 3, Funny

    Finally Homeland security has done something noteworthy. I'm glad this benefits the X11 community.

    --
    the answers you get depend on the questions you ask.
  5. Re:Only one? by Frosty+Piss · · Score: 4, Funny
    They uncovered only one flaw? Sheesh.

    Only one that they are telling us about...

    --
    If you want news from today, you have to come back tomorrow.
  6. watch out for their patches, though by Anonymous Coward · · Score: 5, Funny
    #define ) ); Install_Patriot_PhoneHome();
  7. Little known fact... by Junta · · Score: 4, Funny

    X11 is actually written entirely in LISP, and therefore there are too many parentheses for a mere mortal to ever get straight.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  8. Re:I wonder by tcopeland · · Score: 3, Funny

    > I wonder if Miles Papazian discovered the flaw
    > by reading the binary or by utilizing a machine-coded matrix?

    I don't know, but I bet Chloe O'Brian is lurking nearby. And she's probably scowling.

  9. Re:Already Corrected? by Anonymous Coward · · Score: 5, Funny

    Maybe it's an X11 server.

  10. Not Quite by mattwarden · · Score: 5, Funny

    Actually, it was not a missing parenthesis, but a missing parenthetical.

    double r;
    r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
    if ( r < 0.5 ) gotroot(true);

    And the patched code:

    double r;
    r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
    if ( r < 0.5 ) gotroot(true); (just kidding!)
  11. Re:OpenBSD fixed on Jan. 21, 2000 by dietrollemdefender · · Score: 5, Funny
    If code looks 'dirty' (hard to read), they will often rewrite it so that it's easier to audit for bugs in the future.

    That is one brilliant policy! Kudos to whomever implemented that!

    It reminds me of an incident about 12 years ago. A bunch of us entry level programmers were sitting around and this one guy pipes up and says "Look! I wrote an entire function (it was C) in one line!" He did, too. It was one of those 'for' loops with a 'while' and a bunch of things in one line. It was impossible to read. I just shook my head and said, "If there's a bug in that code, and I get assigned to it, I'm coming for you!"

  12. Wow. Homeland Security.... by tomq123 · · Score: 5, Funny

    is getting close to being able to do what they portray on 24.

    Jack: I'm running out of time. I need that satellite image.
    Chloe: I opened a socket into a NASA server and am retasking the satellite.
    Jack: Great, download the image to my PDA.
    Chloe: I need your IP address.
    Jack: 1.2.123.129
    Chloe: I'm having some trouble. I'm hacking into a secure server at CTU, and sending the image to your PDA.
    Jack: I've got it. Thanks Chloe.
    Chloe: Whatever...

  13. Re:OpenBSD fixed on Jan. 21, 2000 by strabo · · Score: 5, Funny
    March 10 would be more correct

    More specifically, March 10th of 2006. Seven weeks ago.

    Best part was the CVS log:

    Fri Mar 10 17:29:51 2006 UTC (7 weeks, 4 days ago) by deraadt:
    proper geteuid calls because suse hires people who mistype things
  14. It all depends... by mistergin.net · · Score: 3, Funny

    Depends,

    Have you paid your Moses Fee?

    (let my packets go....) [as sung to 'let my people go']

    --
    Less Talk. More Stab.
  15. Re:Already Corrected? by Just+Some+Guy · · Score: 3, Funny
    Is LinuxUpdate.linux.com going to send this out on Tuesday automatically and reboot my machine?

    $ dig -t cname LinuxUpdate.linux.com
    LinuxUpdate.linux.com. 86400 IN CNAME ftp.us.debian.org.
    LinuxUpdate.linux.com. 86400 IN CNAME portsnap.freebsd.org.
    LinuxUpdate.linux.com. 86400 IN CNAME ftp.ubuntu.com.

    $ dig -t txt LinuxUpdate.linux.com
    LinuxUpdate.linux.com. 86400 IN TXT "Tonight, she comes."

    Yes.

    --
    Dewey, what part of this looks like authorities should be involved?