Slashdot Mirror

← Back to Stories (view on slashdot.org)

23-Year-Old X11 Server Security Vulnerability Discovered

Posted by Unknown on from the stack-smashing-for-fun-and-profit dept.

An anonymous reader writes "The recent report of X11/X.Org security in bad shape rings more truth today. The X.Org Foundation announced today that they've found a X11 security issue that dates back to 1991. The issue is a possible stack buffer overflow that could lead to privilege escalation to root and affects all versions of the X Server back to X11R5. After the vulnerability being in the code-base for 23 years, it was finally uncovered via the automated cppcheck static analysis utility." There's a scanf used when loading BDF fonts that can overflow using a carefully crafted font. Watch out for those obsolete early-90s bitmap fonts.

10 of 213 comments (clear)

  1. Many eyes... by Anonymous Coward · · Score: 5, Insightful

    ...looking elsewhere.

    1. Re:Many eyes... by i+kan+reed · · Score: 2, Insightful

      The real trick of the "With enough eyes all bugs are shallow" is that the function for "enough eyes" is exponential with respect to lines of code, and open source projects don't actually hit it.

    2. Re:Many eyes... by grub · · Score: 4, Insightful

      "Many eyes" is bogus, "the right eyes" is more appropriate.

      --
      Trolling is a art,
    3. Re:Many eyes... by hawkinspeter · · Score: 4, Insightful

      I'd recommend running the same tool (cppcheck) on the Windows source code before trying to be ironic.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    4. Re:Many eyes... by i+kan+reed · · Score: 4, Insightful

      It should include bogus fonts with randomized data to test for crashes, data validation, and the like, yes.

  2. Re:Privilege escalation is to the server credentia by i+kan+reed · · Score: 4, Insightful

    Root isn't the only kind of vulnerability. Seizing control of peoples' UIs is a pretty big deal(especially as far as phishing or keylogging goes).

  3. Re:scary by Anonymous Coward · · Score: 3, Insightful

    Given that you need to be using obsolete 90s bitmap fonts for this to be an issue, and that X11/X.org is never run as root, I'm not sure that "scary" is the word for this (there's a reason it hasn't come up before in the 23 years since it was introduced).

    Nonetheless, I'll be upgrading my X.org package just for thoroughness.

  4. Re:scary by Anonymous Coward · · Score: 0, Insightful

    Hasn't come up before? The Snowden docs suggest the NSA has been using this (and/or other X bugs) for years.

  5. Re:scary by buchner.johannes · · Score: 5, Insightful

    Given that you need to be using obsolete 90s bitmap fonts for this to be an issue, and that X11/X.org is never run as root, I'm not sure that "scary" is the word for this (there's a reason it hasn't come up before in the 23 years since it was introduced).

    Correct in principle, except for two remarks:

    • X runs as root, and has always. Just like getty.
    • If you craft a new bitmap font, running "xset fp+" as a user has the potential to gain you root privileges.

    So yes, not "scary". Just a critical security bug.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  6. Re:scary by PPH · · Score: 5, Insightful

    Right. And this is why its so important to have the source code available. Some argue, "Who actually looks at this stuff?" Well, here's an example of someone who did. Not in the classical sense of some aspie code geek reading it by hand. But just feed it to some automated tools and see what pops out.

    --
    Have gnu, will travel.