Slashdot Mirror


Homeland Security Uncovers Critical Flaw in X11

Amy's Robot writes "An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. Missing parentheses in a bit of code are to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.

9 of 517 comments

  1. OpenBSD fixed on Jan. 21, 2000 by Anonymous Coward · · Score: 4, Informative

    Check the CVS server. OpenBSD 0wns again!

    1. Re:OpenBSD fixed on Jan. 21, 2000 by LurkerXXX · · Score: 5, Informative

      OpenBSD fixes 'security holes' all the time, without even knowing it. If code looks 'dirty' (hard to read), they will often rewrite it so that it's easier to audit for bugs in the future. Most of the time when they fix a 'hole', they never actually spotted the hole. They were just cleaning up messy looking code. A few years later (like in this case) it will often turn out that there was a security hole hidden in the mess.

      FYI, they do often send the cleaned version back to the code's maintainers, but they can't force them to use the re-arranged code, or port it to other systems. Sorry.

  2. The compiler just does what you ask. by EmbeddedJanitor · · Score: 4, Informative

    If you said a + b * c but you really wanted (a + b) * c the compiler won't bleat.

    --
    Engineering is the art of compromise.
  3. Re:Related news by mattwarden · · Score: 5, Informative

    You're misinterpreting what the problem was. It was a change from this:

    if (getuid() == 0 || geteuid != 0)

    to this:

    if (getuid() == 0 || geteuid() != 0)

  4. Missing *pair* of parentheses by Chirs · · Score: 4, Informative

    The fix was posted before, but the problem was that someone used "geteuid" rather than "geteuid()".

    This results in making use of the function address rather than the return value of the function, which could cause difficulties.
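    The difference the two comments above describe, as an added example that is not code from the thread or from X.Org: a hypothetical guard modelled on the posted condition is written once with bare `geteuid` (a function address, never 0, so the test is constant-true) and once with `geteuid()` (the effective UID the kernel reports). The function names, the uid 1000 scenario and the parameterised form are constructed for illustration; the live variant uses the real `getuid()`/`geteuid()` calls exactly as the corrected line reads. Written literally as `geteuid != 0`, gcc flags the flawed form under -Wall (-Waddress) and clang under its tautological-pointer-compare warning, which is the cheap check that would have caught this before a code scanner did.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical guard modelled on the pattern discussed in the thread: a
 * setuid-root program may honour unsafe command-line options only when the
 * real user is root, or when it is not actually running with elevated
 * effective privileges. Both variants take the two UIDs as parameters so the
 * difference can be exercised without installing a setuid binary. */

/* Flawed shape: bare `geteuid` is the function's address, and an address is
 * never 0, so the right-hand operand is constant-true and the effective UID is
 * never consulted. A pointer variable stands in for the bare name so the
 * example compiles cleanly; written literally as `geteuid != 0`, gcc (-Wall,
 * -Waddress) and clang both warn that it always evaluates as true. */
static int unsafe_options_allowed_flawed(uid_t ruid, uid_t euid) {
    uid_t (*fn)(void) = geteuid;   /* what `geteuid` without () denotes */
    (void)euid;                    /* ignored: that is the bug */
    return ruid == 0 || fn != 0;   /* true for every caller */
}

/* Fixed shape: the effective UID is actually compared. */
static int unsafe_options_allowed_fixed(uid_t ruid, uid_t euid) {
    return ruid == 0 || euid != 0;
}

/* Live check with the real calls, exactly as the corrected line reads. */
static int unsafe_options_allowed_live(void) {
    return getuid() == 0 || geteuid() != 0;
}

int main(void) {
    /* Constructed scenario: an ordinary user (uid 1000) runs a setuid-root
     * binary, so the effective UID is 0 and unsafe options must be refused. */
    uid_t ruid = 1000, euid = 0;
    printf("flawed: %d (should be 0)\n", unsafe_options_allowed_flawed(ruid, euid));
    printf("fixed:  %d\n", unsafe_options_allowed_fixed(ruid, euid));
    printf("this process: uid=%u euid=%u allowed=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), unsafe_options_allowed_live());
    return 0;
}
```

The parameterised variants exist only so the setuid-root case can be exercised from an ordinary build; in a real program the guard reads the identities from the kernel, as the live variant does.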

  5. Re:OS X? by Carnildo · · Score: 4, Informative

    OSX ships XFree86 4.3.0, which is not vulnerable.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  6. UIDs by r00t · · Score: 5, Informative

    The effective UID (euid) is changed when you run a setuid app, while the real UID (uid in this case, or ruid) is not.

    The effective UID is normally associated with permission to access files. Well, Linux actually uses the filesystem UID (fsuid or fuid) for that, but that one nearly always tracks the effective UID for compatibility.

    There is also a saved UID (suid or svuid) that is helpful for apps that need to swap UIDs back and forth. It's not used for anything else.
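    The real/effective/saved model described in this comment, as an added example that is not part of the thread: a small C program using only POSIX calls records the effective UID it started with (which the kernel also copies into the saved UID at a setuid exec), drops to the invoker's identity with `seteuid()`, regains it, and finally drops for good with `setuid()`. The struct and function names are constructed for illustration; the saved UID is not readable through POSIX, so `saved_guess` is labelled as the inference it is.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Snapshot of the three identities the comment describes. The saved UID has
 * no portable getter, so a setuid program remembers the effective UID it
 * started with: after a setuid exec the kernel sets the saved UID to that
 * value, and it is what seteuid() may later switch back to. */
struct uids {
    uid_t real;        /* who invoked the program */
    uid_t effective;   /* what permission checks use (fsuid tracks it on Linux) */
    uid_t saved_guess; /* euid at startup == saved UID after a setuid exec */
};

static struct uids snapshot_uids(uid_t startup_euid) {
    struct uids u;
    u.real = getuid();
    u.effective = geteuid();
    u.saved_guess = startup_euid;
    return u;
}

/* True when the process holds more privilege than its invoker, the situation
 * a setuid-root program must treat every input with suspicion in. */
static int running_setuid(void) {
    return getuid() != geteuid();
}

/* Temporarily give up the elevated identity: effective := real. The saved UID
 * is untouched, so the privilege can be regained. Returns 0 on success. */
static int drop_privileges_temporarily(void) {
    return seteuid(getuid());
}

/* Regain the identity recorded at startup; permitted only because the saved
 * UID still holds it. Returns 0 on success. */
static int regain_privileges(uid_t startup_euid) {
    return seteuid(startup_euid);
}

/* Permanently become the invoking user: setuid() in a root-privileged process
 * rewrites real, effective and saved UIDs together, so there is no way back. */
static int drop_privileges_permanently(void) {
    return setuid(getuid());
}

int main(void) {
    uid_t startup = geteuid();
    struct uids u = snapshot_uids(startup);
    printf("real=%u effective=%u saved(guess)=%u setuid=%d\n",
           (unsigned)u.real, (unsigned)u.effective, (unsigned)u.saved_guess,
           running_setuid());
    if (drop_privileges_temporarily() == 0)
        printf("dropped: effective=%u\n", (unsigned)geteuid());
    if (regain_privileges(startup) == 0)
        printf("regained: effective=%u\n", (unsigned)geteuid());
    if (drop_privileges_permanently() == 0)
        printf("permanent: effective=%u\n", (unsigned)geteuid());
    return 0;
}
```

Run as an ordinary user all three values coincide and every call is a no-op; installed setuid-root the same sequence shows effective going 0 -> real -> 0 -> real, with the last step irreversible.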

  7. Re:This is not a remote root vulnerability by acoopersmith · · Score: 3, Informative

    The exploit mentioned in this article cannot be exploited by a user who isn't logged into your system - you have to be able to run the Xorg command with certain options. See X.Org's advisory at http://lists.freedesktop.org/archives/xorg/2006-March/013992.html