Slashdot Mirror


Homeland Security Uncovers Critical Flaw in X11

Amy's Robot writes "An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parenthesis in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.

15 of 517 comments

  1. Only one? by Anonymous Coward · · Score: 3, Interesting

    They uncovered only one flaw? Sheesh.

  2. So does this mean? by drpimp · · Score: 1, Interesting

    That the compilers have a flaw as well? You would think that the semantic rules would catch this and throw a compiler error for a missing parenthesis but maybe I am missing something.

    --
    -- Brought to you by Carl's JR
    1. Re:So does this mean? by Anthony+Liguori · · Score: 2, Interesting

      The problem (if there is one) lies with the language, not the compiler, since both of the above lines are legal C code.
      Solutions to this kind of problem probably involve both a movement towards higher level languages (which are typically more verbose and don't allow low-level memory manipulation)


      I think we can both agree Python is a higher level language. And guess what:

      import os

      if os.getuid() != 0 or os.geteuid == 0:

      is completely valid. It's not high level vs low level languages here that's at issue. It's static versus dynamic typing and more specifically, strict versus weak static typing. If 0 wasn't treated so specially in C (it's the only numeric literal that's directly comparable to a pointer) this wouldn't be an issue.

      Unfortunately, C++ made it even worse since the standard mandates that NULL is defined as:

      #define NULL 0

      Instead of at least:

      #define NULL (void *)0
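
The pattern the two posters above are arguing about, as an added example (editor's code, not from the X.org source and not posted by anyone in this thread): a function name with its call parentheses dropped is still legal C, because the function designator decays to a pointer and 0 is a null pointer constant that any pointer may be compared with. The privilege-gate shape below is an assumption modelled on the thread's description of the bug; this page does not quote the actual X.org expression.

```c
#include <stdio.h>
#include <unistd.h>

/* Keep the compiler's diagnostic for the flawed lines below visible but
 * non-fatal, so the file still builds under -Werror and the constant
 * results can be observed at run time. */
#pragma GCC diagnostic warning "-Waddress"

/* Intended test: is the effective uid root? */
static int euid_is_root_fixed(void)
{
    return geteuid() == 0;
}

/* One pair of parentheses dropped. `geteuid` is now the function itself,
 * which decays to a (never null) function pointer, so this compares an
 * address with 0 and is always false, whoever runs the program. */
static int euid_is_root_buggy(void)
{
    return geteuid == 0;
}

/* A privilege gate of the shape the thread describes (assumed, not the
 * X.org code): a setuid-root program honours a caller-supplied option only
 * if the caller really is root, or if the program is not actually running
 * with elevated privileges. */
static int privileged_option_allowed_fixed(void)
{
    return getuid() == 0 || geteuid() != 0;
}

/* Same gate, same typo. The right-hand operand is an address compared
 * with 0, hence always true, so an unprivileged caller passes the gate. */
static int privileged_option_allowed_buggy(void)
{
    return getuid() == 0 || geteuid != 0;
}

int main(void)
{
    printf("uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    printf("euid_is_root     fixed=%d buggy=%d\n",
           euid_is_root_fixed(), euid_is_root_buggy());
    printf("option_allowed   fixed=%d buggy=%d\n",
           privileged_option_allowed_fixed(),
           privileged_option_allowed_buggy());
    return 0;
}
```

Build it with `cc -Wall`: current GCC flags both flawed comparisons under -Waddress (the address of the function always evaluates the same way), and clang warns about them by default. Without -Wall GCC compiles the file silently, which is the practical answer to the "where was the warning" question raised further down the thread: the check exists, but code that runs setuid has to be built with it enabled, and preferably with -Werror so it cannot be scrolled past.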

  3. OS X? by nursegirl · · Score: 3, Interesting

    Any word on whether this vulnerability is a risk for those using x11 within osx? TFA mentioned that the X windowing system shipped with OS X without stating what level of risk exists.

  4. Re:Related news by PlusFiveTroll · · Score: 4, Interesting

    Should this be modded funny or sad?

  5. Missing the point..... by TheDukePatio · · Score: 5, Interesting
    I see a ton of comments mod'd Funny, but what I'm surprised folks haven't focused on yet is the fact that it was found in OSS. The reason they're able to find, report, and get it fixed in a week is the fact that it's OSS. It's understandable that the DoHS is going to want to do a security audit on things like this.

    I wonder how many potential security holes Coverity's uncovered by scanning Windows source....oh wait....they can't. Well I'm sure if they signed an NDA they could tell M$ and get it fixed in a....um...err...sorry, you'll have to wait for the next patch cycle.

    --
    To Alcohol! The cause of, and solution to, all of life's problems.
    1. Re:Missing the point..... by ipfwadm · · Score: 4, Interesting

      On the other hand, because it's OSS now all of the machines that remain unpatched have an exploit that is not only known, but publicized by the developer, with diffs showing *exactly* what line of code the error is on.

      While I hate to sound like all the other OSS apologists that have posted so far ("yeah there's an exploit, but think of how many we could find if we could run it on the Windows source!" and other such tripe that ignores the fact that a serious bug was found in OSS software), your argument is a bunch of crap. You're basically saying that exploits in closed-source software are unknown and unpublicized, which is ridiculous.

      As for your Apache example, it would be just as simple to see what version of IIS a machine is running and look through MS KB to find the known exploits against it. Or look at bugtraq. Or anywhere else on the Internet. Just because the source is a secret doesn't mean the details of the available exploits are too.

      Oh and knowing the line of source code on which the error exists is entirely irrelevant to the discussion -- having that knowledge doesn't make using an exploit any easier or more difficult. It may assist in developing new exploits, but when attempting to use one that has been found, that knowledge is superfluous.

  6. Old news. by Homestar+Breadmaker · · Score: 2, Interesting

    This is from march, why is everyone freaking out now?

  7. Re:OpenBSD fixed on Jan. 21, 2000 by Nutria · · Score: 5, Interesting
    "Look! I wrote an entire function (it was C) in one line!" He did, too. It was one of those 'for' loops with a 'while' and a bunch of things in one line. It was impossible to read.

    That reminds me of the Kernighan quote, which I heartily agree with:
    "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."


    --
    "I don't know, therefore Aliens" Wafflebox1
  8. Where was the warning? by The+Pim · · Score: 2, Interesting
    There are a number of interesting issues with this bug and how it's being reported.
    • Never mind that the bad code is valid C, it's insane that it didn't generate a warning. I hope GCC has the option, and security sensitive code should be built with as many warnings enabled as possible.
    • Code that's conditional on "whether I'm root" is a hole waiting to open. Much better to have a separate wrapper that is setuid and accepts a constricted set of options, then calls the real program (which is not setuid).
    • Given that X is a network service, most commonly run on single-user machines, a local root vulnerability (while egregious) is hardly a "worst-case scenario".
    • This appears to be an effective use of government funds.
    --

    The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
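
One way to build the wrapper proposed in the second bullet above, as an added example (editor's code, not from X.org and not the poster's): the wrapper is the only setuid binary; it accepts a short allowlist of options, vets each option value, then execs the real, non-setuid server at a fixed absolute path with a scrubbed environment. The target path and the option names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical target: installed without the setuid bit, so it can only
 * run privileged by way of this wrapper. */
static const char *const TARGET = "/usr/local/libexec/example-server";

/* The complete set of options the wrapper will forward. Options that let
 * the caller choose which files get loaded or written (module search
 * paths, log files, config directories) are deliberately absent. */
struct opt { const char *name; int takes_value; };
static const struct opt ALLOWED[] = {
    { "-nolisten", 1 },   /* value: a transport name such as tcp */
    { "-depth",    1 },   /* value: a small decimal number */
    { "-verbose",  0 },
};

/* An option value passes only if it is short and purely alphanumeric:
 * no leading '-' that could be parsed as another option, no '/' or '.'
 * that could form a path, no shell metacharacters. */
int value_ok(const char *v)
{
    size_t n = strlen(v);
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)v[i]))
            return 0;
    return 1;
}

/* Returns 1 if argv[1..argc-1] is a sequence of allowed options, each
 * followed by an acceptable value where the option requires one; 0 on
 * the first unknown option, missing value or rejected value. */
int args_allowed(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++) {
        const struct opt *match = NULL;
        for (size_t k = 0; k < sizeof ALLOWED / sizeof ALLOWED[0]; k++) {
            if (strcmp(argv[i], ALLOWED[k].name) == 0) {
                match = &ALLOWED[k];
                break;
            }
        }
        if (!match)
            return 0;
        if (match->takes_value) {
            if (i + 1 >= argc || !value_ok(argv[i + 1]))
                return 0;
            i++;                         /* consume the value */
        }
    }
    return 1;
}

int main(int argc, char *argv[])
{
    if (!args_allowed(argc, argv)) {
        fprintf(stderr, "%s: refusing unexpected arguments\n", argv[0]);
        return 2;
    }

    /* A fresh, minimal environment: the caller's PATH, LD_PRELOAD, HOME
     * and friends never reach the privileged child. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };

    /* Fixed absolute path, vetted arguments, argv[0] replaced so the
     * child is not told a caller-chosen name for itself. */
    argv[0] = (char *)TARGET;
    execve(TARGET, argv, envp);
    perror("execve");                    /* only reached on failure */
    return 1;
}
```

The point of the split is that the privilege decision is no longer a runtime `if (I am root)` branch inside a large program; the wrapper is small enough to audit line by line, and the server itself can be built, tested and fuzzed as an ordinary unprivileged binary.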
  9. Mac OS X Tiger by themadplasterer · · Score: 3, Interesting

    Tiger shipped with (X11 1.1 - XFree86 4.4.0) and X11R6.9.0 and X11R7.0.0 are forked from that. So it could well affect Mac OS X. If it does it will be interesting to see how long it takes Apple to provide an update if at all, given that it's open source.

    1. Re:Mac OS X Tiger by EMR · · Score: 2, Interesting

      Homeland Security is WAY behind on things OR eweek is way behind on things. This was fixed back in March and ONLY affects X.org 6.9 and 7.0 so Mac OS X is unaffected.

      https://bugs.freedesktop.org/show_bug.cgi?id=6213

  10. Show me the source... by DusterBar · · Score: 2, Interesting
    While this is unfortunate that there was such a bug, there is something to be learned here, beyond the fact that any software can have such flaws:

    Homeland Security was able to do the code audit on X11.

    Maybe that really should be written as, because the source code was publicly available, Homeland Security was able to do this. How many of these types of faults exist in closed source software that no outside group had the chance to dig into like with X11 or OpenBSD or...

  11. Critique... by jd · · Score: 4, Interesting
    1. Knowing the line won't help you figure out the exploit
    2. Whether anyone tells you about a bug or not, you're always capable of scanning source - or even binaries - in search of unknown exploits
    3. You knowing about a bug doesn't alter the odds of "Them" knowing about a bug - it only alters the odds of you fixing it
    4. X11 bugs are rarely externally exploitable, as not many people run X sessions over the public internet and therefore those ports will be blocked at the corporate (or personal) firewall
    5. The mathematical model of conflict ("Game Theory") only has a solution (ie: win no matter what the opponent does) when both sides know absolutely everything, ergo the only way to establish a sane IT security policy is to assume the attacker knows all the defects and exploits that exist, whether they are published or not


    That last one makes things tough. How can you have security when everything is known? Well, in practice that is the only context security is even possible. "Security through obscurity" really means "we don't know what our opponents know and we're not even sure what we know". If, however, you assume that your opponents know everything then you don't take shortcuts. You plan for contingencies, you have fallback positions, you have not just a plan but a roadmap of possibilities and how to deal with them.


    (At least, for any scenario too complex to actually have a complete solution for. For simpler problems, such as a chess puzzle or - for the past decade - the entire game of draughts, it is possible to map a complete, guaranteed winning strategy that will work no matter what the opponent does. Such a solution exists for the complete game of Chess and indeed for the complete game of Go, but has not yet been found. For any given computer system, such a solution must also exist for the operator/admin, but the chief problem has always been to get them to bother even putting the bits of solution that are known in place.)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  12. Difference by suv4x4 · · Score: 2, Interesting

    That's the difference between closed source and open source I guess...

    Critical vulnerability in X11, missing parens are to blame, report: "missing parens in code leaves X11 vulnerable, the problem is fixed."

    --vs--

    Critical vulnerability in Windows, missing parens are to blame (but that's under NDA), report: "the incompetent programmers of the Redmond monopolist did it again, your Windows is totally open to hackers due to a bad, bad vulnerability. While we're on this, let's discuss also how OSX and Linux are infinitely cooler than Windows will ever be, and how Windows users are clueless idiots."