Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux X.org Critical Security Flaw Silently Patched

Posted by CmdrTaco on from the pay-no-attention dept.

eldavojohn writes "On June 17th, the X.org team was notified by Invisible Things Lab of a critical security flaw (PDF) that affected both x86_32 and x86_64 platforms. The flaw deals with escalated privileges of a user process that has access to the X server. The founder of ITL said of the flaw, 'The attack allows a (unpriviliged) user process that has access to the X server (so, any GUI application) to unconditionally escalate to root (but again, it doesn't take advantage of any bug in the X server!). In other words: any GUI application (think e.g. sandboxed PDF viewer), if compromised (e.g. via malicious PDF document) can bypass all the Linux fancy security mechanisms, and escalate to root, and compromise the whole system.' This has apparently been a security flaw since kernel 2.6 was released. From the article, 'On 13 August, Linus Torvalds committed an initial fix, but several patches were added afterward for various reasons. The problem has been addressed in versions 2.6.27.52, 2.6.32.19, 2.6.34.4 and 2.6.35.2 of the kernel.'"

3 of 259 comments (clear)

  1. Re:What I suggest to people by DarkKnightRadick · · Score: 1, Redundant

    You do realize that Mac is built on a FreeBSD kernel?

    --
    "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
  2. Re:Convenient by Lunix+Nutcase · · Score: 0, Redundant

    There have been plenty of instances where known non-patched privelege escalation exploits in Windows went unpatched by Microsoft for years. (One I'm thinking of in particular affected GDI).

    Your case might be more persuasive if you actually linked to them rather than a vague claim of "plenty of instances". If there were so many, you could link to at least a couple, no?

  3. Hmm interesting. by Beelzebud · · Score: 0, Redundant

    Let me just open up my PDF reader and see what thi