Slashdot Mirror


Homeland Security Uncovers Critical Flaw in X11

Amy's Robot writes "An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. Missing parentheses in a bit of code are to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.

11 of 517 comments

  1. Re:Already Corrected? by Vyvyan+Basterd · · Score: 5, Insightful

    Why are you running X11 on your servers?

  2. Re:Already Corrected? by wobblie · · Score: 3, Insightful

    uh, you display it somewhere else.

  3. Re:Related news by Bush+Pig · · Score: 3, Insightful

    What I'd really like to know is how come the code even compiled if it was missing a closing parenthesis somewhere. None of mine ever does in that circumstance.

    --
    What a long, strange trip it's been.
  4. Re:So does this mean? by AtomicX · · Score: 5, Insightful

    In most cases the compiler will catch errors caused by typos and omissions, but it is perfectly possible to write code containing typos or missing characters which are still valid.

    I had a quick look on Coverity's website and this appears to be the relevant line of code:

    - if (getuid() == 0 || geteuid != 0)
    + if (getuid() == 0 || geteuid() != 0)

    In the case of the first line, "geteuid != 0" is valid C code but checks whether or not the address of the geteuid function is 0.

    The second line is what the programmer intended to write, which calls the geteuid function and checks the value returned by that function.

    The problem (if there is one) lies with the language, not the compiler, since both of the above lines are legal C code.
    Solutions to this kind of problem probably involve both a movement towards higher level languages (which are typically more verbose and don't allow low-level memory manipulation), and more extensive static code analysis. In the case of Xorg and the kernel, moving to a higher level language isn't really an option (not yet, at least).

  5. Re:Sometimes gentoo is a pain. by Anonymous Coward · · Score: 5, Insightful

    The impression I get is that it shouldn't be easily exploitable. By default, Gentoo (and any sensible distro) configures X11 to disable remote connections. Also, you should have some sort of firewall blocking the relevant ports anyway. If it is really exploitable, the attacker would probably need access to the machine anyway (at which point, you're largely already screwed).

    Not reading the article doesn't seem to be much of a problem. It's really not very clear. For example, is this a problem with X.org X11 specifically? Is Apple's X11.app affected? The article just says the problem is with "The X Window System", without mentioning any particular implementations.

    It took some digging to find the actual advisory:

http://lists.freedesktop.org/archives/xorg/2006-May/015136.html

6. This is not a remote root vulnerability by Technician · · Score: 4, Insightful

    Please note that this exploit is for the local user only. If you are the only user on your Apple or Nix box, then this is a non-news item. However if the BSA, RIAA, MPAA, or Dept of Homeland Security has taken your box and wants root, then you might have a problem. ;-)

    --
    The truth shall set you free!
  7. Re:Related news by prockcore · · Score: 4, Insightful
    You're misinterpreting what the problem was. It was a change from this:

    if (getuid() == 0 || geteuid != 0)

    to this:

    if (getuid() == 0 || geteuid() != 0)
    This is why stuff should compile *without warnings*. It drives me nuts to compile something and see hundreds of warnings spit out.

    (And yes, gcc will throw a warning if you compare a function pointer with 0 instead of NULL)
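    As an added illustration of the point made in comments 4 and 7 (this is example code written for this mirror, not code from the page or from X.org), here are the two forms of the check side by side, plus a variant with the uids passed in as parameters (an assumption for testability) so the setuid-root case comment 10 describes, real uid non-root and effective uid 0, can be exercised without installing a setuid binary.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* The check as it was before the fix. "geteuid" without parentheses is
 * the address of the function, never 0, so the right-hand side is always
 * true and the whole condition always passes. gcc and clang only warn
 * about this (e.g. -Waddress); it still compiles and links. */
static int allowed_buggy(void)
{
    return (getuid() == 0 || geteuid != 0);
}

/* Same bug with the real uid supplied as a parameter: even a non-root
 * caller (ruid 1000) is let through, because the euid is never checked. */
static int allowed_buggy_for(uid_t ruid)
{
    return (ruid == 0 || geteuid != 0);
}

/* The corrected check: call geteuid() and test the returned uid. */
static int allowed_fixed(void)
{
    return (getuid() == 0 || geteuid() != 0);
}

/* Corrected logic with both uids passed in, so the interesting case
 * (non-root user running a setuid-root binary) can be tested directly. */
static int allowed_for(uid_t ruid, uid_t euid)
{
    return (ruid == 0 || euid != 0);
}

int main(void)
{
    printf("buggy, real uid 1000, setuid root: allowed=%d\n", allowed_buggy_for(1000));
    printf("fixed, real uid 1000, euid 0:      allowed=%d\n", allowed_for(1000, 0));
    printf("fixed, real uid 1000, euid 1000:   allowed=%d\n", allowed_for(1000, 1000));
    printf("this process, buggy=%d fixed=%d\n", allowed_buggy(), allowed_fixed());
    return 0;
}
```

    Compiling with warnings enabled (and ideally -Werror) is what turns the address-versus-call mistake from a silent always-true check into a build failure.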

  8. the usual confusion by penguin-collective · · Score: 5, Insightful

    There can't be a "missing parenthesis in X11" because X11 is not a piece of code, it's a protocol. This vulnerability only affects the X.org and XFree86 implementations of X11; there are many other implementations that are not affected.

    It's pretty sad that Windows and Macintosh have conditioned people to think that every window system is just a piece of code; the notion that a window system could be an API standard with multiple implementations doesn't seem to occur to them.

  9. Re:Related news by Anpheus · · Score: 3, Insightful

    They can only make your decisions for you when you use an unencrypted method of communication.

  10. Re:I don't understand the intention of the fixed c by acoopersmith · · Score: 3, Insightful

    It's in code that allows you to do things like load code modules from other paths, so it's only allowed if you're already root or not running setuid-root. (It should probably check that you're not running setuid at all, but there's no real point having Xorg setuid to anyone but root, so no one has added that check.)

  11. Re:OpenBSD fixed on Jan. 21, 2000 by Nutria · · Score: 5, Insightful

    Then if I want to do my own debugging, I should only put half my effort into coding!

    Funny, and almost right.

    Put all your brains, but half of your cleverness into coding.

    IOW, use all your intellect to simplify the code, and only be "clever" (that's a mild pejorative if you haven't figured it out by now) when there's no other way to accomplish the task.

    I have to admit, though, that I was young once, and foolish, and thought it was the height of brilliance to write code (especially C, but even Pascal) in as few lines as possible.

    --
    "I don't know, therefore Aliens" Wafflebox1