Just-Announced X.Org Security Flaws Affect Code Dating Back To 1987

← Back to Stories (view on slashdot.org)

Just-Announced X.Org Security Flaws Affect Code Dating Back To 1987

Posted by timothy on Tuesday December 9, 2014 @06:03AM from the we-have-a-history dept.

An anonymous reader writes Some of the worst X.Org security issues were just publicized in an X.Org security advisory. The vulnerabilities deal with protocol handling issues and led to 12 CVEs published and code dating back to 1987 is affected within X11. Fixes for the X Server are temporarily available via this Git repository.

12 of 172 comments (clear)

Min score:

Reason:

Sort:

Wha?!?!!! by Anonymous Coward · 2014-12-09 06:10 · Score: 5, Funny

It's open source! Surely dedicated multitudes of programmers have been dutifully poring over the code for decades, searching high and low for potential flaws because ... well, just because it's there! Surely!
1. Re:Wha?!?!!! by Anonymous Coward · 2014-12-09 06:15 · Score: 4, Funny
  
  Because Xorg is beautifully programmed and easy to understand so any programmer can quickly contribute to it's code.
2. Re:Wha?!?!!! by phantomfive · 2014-12-09 06:19 · Score: 4, Insightful
  
  It's open source! Surely dedicated multitudes of programmers have been dutifully poring over the code for decades, searching high and low for potential flaws because ... well, just because it's there! Surely!
  To be blunt, that's exactly why this was found. If it were closed source, the bugs would still be in there.
  
  --
  "First they came for the slanderers and i said nothing."
3. Re:Wha?!?!!! by king+neckbeard · 2014-12-09 06:45 · Score: 4, Informative
  
  They apparently use code that's two decades old, as this bug was only recently fixed
  
  --
  This is my signature. There are many like it, but this one is mine.
4. Re:Wha?!?!!! by Rei · 2014-12-09 07:09 · Score: 4, Insightful
  
  All million lines of it ;)
  Seriously, I'd really love to go in myself and fix the bug that's currently preventing me from using GLX, but I wouldn't even know where to begin. I think Xorg is seriously understaffed in terms of volunteers compared to the scale of the project - it looks like most bug reports don't get responses for months or years, if ever.
  
  --
  "We consider that six courts and an asylum claim are a rather odd way of returning to Sweden within a month."
5. Re:Wha?!?!!! by phantomfive · 2014-12-09 07:13 · Score: 4, Insightful
  
  If it were closed source, the bug probably wouldn't exist anymore because closed source probably doesn't keep using code that's two-and-a-half decades old. As examples, OS X has nothing from Mac OS classic and Windows 95 is long gone from modern Windows version. Or at least I would hope so.
  There are 300billion lines of COBOL still in production. And every time you transfer money through banks, your money passes through it. OSX has code from the 90s in it, and Windows has code from the 80s.
  
  Pretty near every bad software practice that you find in open source software is also found in closed source software.
  
  --
  "First they came for the slanderers and i said nothing."
6. Re:Wha?!?!!! by Qzukk · 2014-12-09 07:16 · Score: 4, Funny
  
  How dare you question his credentials! He's worked for no less than TEN startups, and he's never seen code that's more than three months old before it gets sold off and the company shuts down. That's 10 samples, statistically significant compared to whatever silly anecdote you've got from working at some hidebound behemoth like SAP or IBM for a decade! These posers don't even count!
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
7. Re:Wha?!?!!! by Rei · 2014-12-09 07:40 · Score: 4, Interesting
  
  Just did... looks like my estimate of "a million lines" for Xorg was a bit off. It's "only" half a million lines of code (481739), plus 88k lines of comments and 87k blank lines, in 1476 files.
  
  --
  "We consider that six courts and an asylum claim are a rather odd way of returning to Sweden within a month."
8. Re:Wha?!?!!! by phantomfive · 2014-12-09 09:52 · Score: 4, Informative
  
  Why would a 16-bit value be called a "half-word"? It's always been a word and 32-bit has always been a double word. You're the one asking to use a new code with your half-word.
  I think you're drunk or something, you keep on saying stuff that could be easily figured out if you looked it up on Wikipedia.
  
  A 'word' is the natural unit of data on the CPU architecture (not the maximum). Thus on a 16 bit computer a WORD is 16 bits, but on a 32 bit computer it's 32 bits.
  
  Even a byte was not necessarily 8 bits before OS/360, it commonly was found as 7 bits, or even four bits.
  
  --
  "First they came for the slanderers and i said nothing."
In before the trolls by Anonymous Coward · 2014-12-09 06:18 · Score: 5, Insightful

Open Source does not guarantee that all of the bugs will be found, it merely guarantees that all of the bugs can be found.
Re:Wha?!?!!! Yup, you betcha! by lgw · 2014-12-09 07:40 · Score: 4, Interesting

MS has had a fully-supported "no GUI" server option since Server 2012, but has been possible to admin CLI-only, without 3rd part add-ins, since 2008 (though the GUI would still be running, if you don't provide remote access to it, it might as well not be), and with 3rd-prty add-ins since 2003.
However, managing multiple Windows servers is more about group policy than logging into any servers, GUI, CLI, or carrier pigeon. I've worked with management systems for 1000s of Windows servers, and the only reason you'd ever log into a server is to recover if something went horribly with a new deployment, and you wanted to find out why (to debug your deployment - just recovering the server was automatic).

--
Socialism: a lie told by totalitarians and believed by fools.
News at 11!!! by sl3xd · 2014-12-09 07:46 · Score: 4, Informative

Anybody who's really looked at security around X11 has known for decades that it isn't that great.
I even remember that as recently as a year ago, ATI's drivers specifically tell you to use "xhost +" to enable GPU compute jobs using ATI devices, which resulted in a lot of "LOL NOPE" in the HPC industry. (It's trivial to root a machine that has had "xhost +" executed inside an X11 session.)
X11 having critical security holes should surprise no one. There's a reason internet-facing servers don't have X11, and it's not just because you don't need a GUI sucking up resources.
On the other hand, I'm thoroughly grateful that somebody decided to do something about it.

--
-- Sometimes you have to turn the lights off in order to see.