Slashdot Mirror


Just-Announced X.Org Security Flaws Affect Code Dating Back To 1987

An anonymous reader writes Some of the worst X.Org security issues were just publicized in an X.Org security advisory. The vulnerabilities deal with protocol handling issues and led to 12 CVEs being published, and code dating back to 1987 is affected within X11. Fixes for the X Server are temporarily available via this Git repository.

25 of 172 comments

  1. Wha?!?!!! by Anonymous Coward · · Score: 5, Funny

    It's open source! Surely dedicated multitudes of programmers have been dutifully poring over the code for decades, searching high and low for potential flaws because ... well, just because it's there! Surely!

    1. Re:Wha?!?!!! by Anonymous Coward · · Score: 4, Funny

      Because Xorg is beautifully programmed and easy to understand so any programmer can quickly contribute to its code.

    2. Re:Wha?!?!!! by phantomfive · · Score: 4, Insightful

      It's open source! Surely dedicated multitudes of programmers have been dutifully poring over the code for decades, searching high and low for potential flaws because ... well, just because it's there! Surely!

      To be blunt, that's exactly why this was found. If it were closed source, the bugs would still be in there.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Wha?!?!!! by ArcadeMan · · Score: 2, Interesting

      To be blunt, it took over 26 years to find even with the source code and all the programmers on the planet who could look at it.

      If it were closed source, the bug probably wouldn't exist anymore because closed source probably doesn't keep using code that's two-and-a-half decades old. As examples, OS X has nothing from Mac OS classic and Windows 95 is long gone from modern Windows versions. Or at least I would hope so.

    4. Re:Wha?!?!!! by king+neckbeard · · Score: 4, Informative

      They apparently use code that's two decades old, as this bug was only recently fixed

      --
      This is my signature. There are many like it, but this one is mine.
    5. Re:Wha?!?!!! by Anonymous Coward · · Score: 2, Interesting

      To be blunt, that's exactly why this was found. If it were closed source, the bugs would still be in there.

      The bugs could potentially be found no matter if the software was open or closed-source. There is no evidence that proves your statement, unless of course you happen to work for Xi Graphics (authors of the closed-source X windows server, a.k.a. Accelerated-X, which is what the free XFree86 was supposed to supersede) and have a story to share there.

      The point the OP was trying to make was that Linus's Law, specifically Eric S. Raymond's "given enough eyeballs all bugs are shallow" argument, is ridiculously idealistic as it operates under the pretence that everyone has as much insight and knowledge into the software as the author(s) have, focusing solely on the quantity of eyes. The Wikipedia reference I cite goes into a bit more depth as to why this socially-propagated belief in the open-source world is unfounded and has been repeatedly proven false. The short of it: just because the source code is available and viewable does not mean that a person viewing it has the capability, familiarity, or time to invest in reverse-engineering it and finding flaws. Anecdotally, in my experience most open-source users can't understand the code of the applications they use: they're simply generic end-users. Open vs. closed has no real bearing when you consider that data point (i.e. having the source available to read/view != having the capability to understand said source).

      Please note my statement doesn't mean closed-source has a defined/distinct advantage over open-source. They both have their pros and cons. But this age-old belief that open-source is superior solely because "the code is out there" needs to stop. Ironically, that subsection of ESR's The Cathedral and the Bazaar may in fact be one of the most damaging things to the open-source movement ever written simply because of its head-in-the-sand viewpoint; other subsections (e.g. "The Importance of Having Users") are much more justified.

      But hey, that's just my two cents as someone who's been in all of this since the early 90s, and I'm just one person. With one set of eyes. ;-)

    6. Re:Wha?!?!!! by petermgreen · · Score: 2

      I wouldn't be so sure about that.

      On the mac while "classic" mode is gone "carbon" is still there and was explicitly intended to allow porting of code from classic macos. I'd be surprised if there wasn't some code that had been written for classic macos still in there somewhere.

      Similarly win32 was designed as a 32-bit variant of win16 and I'd be very surprised if there wasn't still some old code hanging around somewhere.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    7. Re:Wha?!?!!! by Rei · · Score: 4, Insightful

      All million lines of it ;)

      Seriously, I'd really love to go in myself and fix the bug that's currently preventing me from using GLX, but I wouldn't even know where to begin. I think Xorg is seriously understaffed in terms of volunteers compared to the scale of the project - it looks like most bug reports don't get responses for months or years, if ever.

      --
      "We consider that six courts and an asylum claim are a rather odd way of returning to Sweden within a month."
    8. Re:Wha?!?!!! by phantomfive · · Score: 4, Insightful

      If it were closed source, the bug probably wouldn't exist anymore because closed source probably doesn't keep using code that's two-and-a-half decades old. As examples, OS X has nothing from Mac OS classic and Windows 95 is long gone from modern Windows versions. Or at least I would hope so.

      There are 300 billion lines of COBOL still in production. And every time you transfer money through banks, your money passes through it. OS X has code from the 90s in it, and Windows has code from the 80s.

      Pretty near every bad software practice that you find in open source software is also found in closed source software.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:Wha?!?!!! by Qzukk · · Score: 4, Funny

      How dare you question his credentials! He's worked for no less than TEN startups, and he's never seen code that's more than three months old before it gets sold off and the company shuts down. That's 10 samples, statistically significant compared to whatever silly anecdote you've got from working at some hidebound behemoth like SAP or IBM for a decade! These posers don't even count!

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    10. Re:Wha?!?!!! by Rei · · Score: 4, Interesting

      Just did... looks like my estimate of "a million lines" for Xorg was a bit off. It's "only" half a million lines of code (481739), plus 88k lines of comments and 87k blank lines, in 1476 files.

      --
      "We consider that six courts and an asylum claim are a rather odd way of returning to Sweden within a month."
    11. Re:Wha?!?!!! by macs4all · · Score: 2

      Heck even the images from the "Grab" program in the recent versions of OSX have the original Grab icon from NeXTSTEP [osxdaily.com]

      But now, it's just nostalgia. Like Clarus the DogCow.

    12. Re:Wha?!?!!! by dabadab · · Score: 2

      Windows 95 is long gone from modern Windows versions.

      Actually that's not true, as demonstrated by the MS14-064 (it's a bug that affects Win8 and also Win95).

      As a sidenote, Win95 is not an ancestor of Windows8. Win8 is a member of the WinNT family, its lineage going back to the first version of Windows NT, which was curiously called Windows NT 3.1 (released in 1993).
      The other line of Windowses (the one going from Windows 1.0 to Windows ME) ran in parallel and the two families sometimes shared some code but that's all, Win8 does not come from Win95.

      --
      Real life is overrated.
    13. Re:Wha?!?!!! by metamatic · · Score: 3, Interesting

      Actually, OS X contains code and bugs that date back to the 1970s.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    14. Re:Wha?!?!!! by phantomfive · · Score: 4, Informative

      Why would a 16-bit value be called a "half-word"? It's always been a word and 32-bit has always been a double word. You're the one asking to use a new code with your half-word.

      I think you're drunk or something, you keep on saying stuff that could be easily figured out if you looked it up on Wikipedia.

      A 'word' is the natural unit of data on the CPU architecture (not the maximum). Thus on a 16 bit computer a WORD is 16 bits, but on a 32 bit computer it's 32 bits.

      Even a byte was not necessarily 8 bits before OS/360, it commonly was found as 7 bits, or even four bits.

      --
      "First they came for the slanderers and i said nothing."
    15. Re:Wha?!?!!! by Scoth · · Score: 2

      I am not a Windows developer, but I have been a long-time tinkerer and user. The 32-bit versions of Windows, even up to and including the previews of Windows 10, still include the same old NTVDM that provides support for 16-bit DOS and Windows programs. I've personally played around with running completely unmodified copies of MS-DOS Executive from Windows 2.x and 3.0, Program Manager, and various other ancient things with absolutely no trouble. This likely includes some very old code to allow this old stuff to run unmodified. There's been a bug or two in NTVDM that date back to the first versions of NT.

      As for early Win32, modern versions of Windows, including 64-bit versions, will still run the early Win32 demos that came with some of the earliest Windows NT 3.1 betas and pre-releases (once the executable format stabilized).

      Now whether this means there's actual literal old code still floating around, or just reimplementation of old libraries and APIs is anybody's guess. Based on some of the security flaws that have cropped up that date back to the earliest versions of Windows NT it certainly seems possible that there's some very old code floating around still. As a closed-source project, we'll likely never know. Though it'd be interesting to poke around in the leaked NT4/Win2k source from several years back and see if there's any clues. In general, rewriting tested, vetted code is a bad idea unless there's a good reason to rewrite it, so I'd bet there's plenty of old code kicking around in Windows in driver handling, kernel memory management, etc.

      OS X is somewhat different since it was more or less reimplemented from the ground up rather than evolutionary from existing Mac OSes - though it'd be interesting to see what might be left over from NeXT or BSD. I believe Carbon is still part of the OS, even if it's deprecated; I'm even less of a Mac dev guy than I am a Windows dev, so I can't speak to the existence of old code in that.

  2. In before the trolls by Anonymous Coward · · Score: 5, Insightful

    Open Source does not guarantee that all of the bugs will be found, it merely guarantees that all of the bugs can be found.

  3. So what does it affect? by armanox · · Score: 2

    So, what exactly is impacted here? Are all X11 implementations affected, or just XFree86 and X.org? I'm seeing SGI sources listed as impacted, which would point to any X11 implementation that uses GLX being impacted (including Xsgi on my IRIX systems), and seeing the age of the bug, I would imagine it would be more proper to point to things based on XFree86 rather than X.org. People forget that X11 is bigger than X.org, and the X.org team wasn't always the only game in town (if they didn't have a monopoly we wouldn't be arguing about Wayland....).

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
  4. Re:so much for open source bug discovery being bet by jellomizer · · Score: 3, Insightful

    Zealots are deniers.
    The problem is there are enough vocal Zealots to proclaim that how a product is licensed somehow makes it superior/inferior to another.
    But in general the more confident you are in your product's superiority, the more problems you ignore or don't bother looking for.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  5. Re:from TFA by crow · · Score: 2

    Doesn't prohibiting network connections to the X server rather defeat one of the major features of X?

    Granted, I think I usually am tunneling my X connections through ssh, so perhaps this doesn't apply as widely as it did a few years ago.

  6. Re:OpenBSD comes to the rescue by bluefoxlucid · · Score: 2

    They are, in fact. It's just that you can still gain access to your non-privileged X server, and have access as the user running X. You can then make it run any shellcode you want, or return to libc and run some shell commands (doesn't require writable/executable memory this way), thus allowing for injection of a local privilege escalation attack or some sort of information leak (e.g. concurrent brute forcing of passwords). In the most basic case, landing as the non-privileged X user allows you to inspect your own processes, i.e. the X server itself, and keylog and harvest passwords.

  7. Re:Wha?!?!!! Yup, you betcha! by lgw · · Score: 4, Interesting

    MS has had a fully-supported "no GUI" server option since Server 2012, but it has been possible to admin CLI-only, without 3rd-party add-ins, since 2008 (though the GUI would still be running, if you don't provide remote access to it, it might as well not be), and with 3rd-party add-ins since 2003.

    However, managing multiple Windows servers is more about group policy than logging into any servers, GUI, CLI, or carrier pigeon. I've worked with management systems for 1000s of Windows servers, and the only reason you'd ever log into a server is to recover if something went horribly wrong with a new deployment, and you wanted to find out why (to debug your deployment - just recovering the server was automatic).

    --
    Socialism: a lie told by totalitarians and believed by fools.
  8. News at 11!!! by sl3xd · · Score: 4, Informative

    Anybody who's really looked at security around X11 has known for decades that it isn't that great.

    I even remember that as recently as a year ago, ATI's drivers specifically told you to use "xhost +" to enable GPU compute jobs using ATI devices, which resulted in a lot of "LOL NOPE" in the HPC industry. (It's trivial to root a machine that has had "xhost +" executed inside an X11 session.)

    X11 having critical security holes should surprise no one. There's a reason internet-facing servers don't have X11, and it's not just because you don't need a GUI sucking up resources.

    On the other hand, I'm thoroughly grateful that somebody decided to do something about it.

    --
    -- Sometimes you have to turn the lights off in order to see.
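Two of the comments above touch on the same hardening question from different sides: crow asks whether prohibiting network connections to the X server (the `-nolisten tcp` server option) is worth the loss of remote X, and sl3xd points out that an `xhost +` left behind by a driver how-to disables host-based access control entirely. The following script is an added example, written for this page and not taken from the thread or from X.Org, that audits both settings from the text a defender would actually look at: the output of `xhost` and the running X server's command line. The two `xhost` status strings are the ones the real `xhost` prints; the server command lines and the authority file path are constructed sample data so the script runs without a display.

```shell
#!/bin/sh
# Added example: audit two X11 access-control settings.
# Inputs are plain text so the checks can be run against captured
# `xhost` output and a `ps`-style command line on any host.

# xhost prints one of these two leading lines (real strings).
# The sample server command lines and /tmp/serverauth.example are constructed.
SAMPLE_XHOST_OPEN='access control disabled, clients can connect from any host'
SAMPLE_XHOST_OK='access control enabled, only authorized clients can connect
SI:localuser:alice'
SAMPLE_CMD_OLD='X :0 -auth /tmp/serverauth.example'
SAMPLE_CMD_NEW='X :0 -nolisten tcp -auth /tmp/serverauth.example'

# Returns 0 when the xhost output shows access control disabled ("xhost +").
xhost_access_open() {
    printf '%s\n' "$1" | grep -q 'access control disabled'
}

# Returns 0 when the server command line lacks "-nolisten tcp", i.e. the
# server accepts X protocol connections over TCP (port 6000 + display).
xserver_listens_tcp() {
    case " $1 " in
        *" -nolisten tcp "*) return 1 ;;
        *) return 0 ;;
    esac
}

# Combine both checks into one word for scripting:
#   both - xhost + AND TCP listener (worst case)
#   open - xhost + only (any local user can attach to the display)
#   tcp  - TCP listener only (still gated by xauth cookies)
#   ok   - neither
x11_exposure() {
    _open=no
    _tcp=no
    xhost_access_open "$1" && _open=yes
    xserver_listens_tcp "$2" && _tcp=yes
    if [ "$_open" = yes ] && [ "$_tcp" = yes ]; then echo both
    elif [ "$_open" = yes ]; then echo open
    elif [ "$_tcp" = yes ]; then echo tcp
    else echo ok
    fi
}

# Print the remediation that applies to a given exposure word.
x11_advice() {
    case "$1" in
        both|open) echo 'run "xhost -" to re-enable access control; rely on xauth/ssh -X instead' ;;
    esac
    case "$1" in
        both|tcp) echo 'restart the X server with "-nolisten tcp" and forward displays over ssh' ;;
    esac
    [ "$1" = ok ] && echo 'no change needed'
}

# Demo against the constructed samples.
for pair in "$SAMPLE_XHOST_OPEN|$SAMPLE_CMD_OLD" "$SAMPLE_XHOST_OK|$SAMPLE_CMD_NEW"; do
    xh=${pair%%|*}
    cmd=${pair#*|}
    result=$(x11_exposure "$xh" "$cmd")
    echo "server '$cmd': $result"
    x11_advice "$result"
done
```

On a live system the same functions take `xhost_access_open "$(xhost)"` and the `X`/`Xorg` line from `ps -o args=`; the demo loop only shows the two constructed extremes. Note that `-nolisten tcp` is the default in current X.Org builds, so the `tcp` finding mostly turns up on older servers or display managers that override it, while an `xhost +` can appear on any release and persists for the life of the session.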
  9. Re:Famous for the opposite... by Alomex · · Score: 2

    Windows 7 was the product release of the beta version otherwise known as Windows Vista.