Homeland Security Uncovers Critical Flaw in X11

Posted by Zonk
from the nice-catch dept.
Amy's Robot writes "An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parentheses in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.

  • by Anonymous Coward on Tuesday May 02, 2006 @06:46PM (#15249746)
    Check the CVS server. OpenBSD 0wns again!
    • If that's true, it's nice they saw fit to kick back a patch.
      • by LurkerXXX (667952) on Tuesday May 02, 2006 @07:19PM (#15249987)
        OpenBSD fixes 'security holes' all the time, without even knowing it. If code looks 'dirty' (hard to read), they will often rewrite it so that it's easier to audit for bugs in the future. Most of the time when they fix a 'hole', they never actually spotted the hole. They were just cleaning up messy looking code. A few years later (like in this case) it will often turn out that there was a security hole hidden in the mess.

        FYI, they do often send the cleaned version back to the code's maintainers, but they can't force them to use the re-arranged code, or port it to other systems. Sorry.
        • by dietrollemdefender (970664) on Tuesday May 02, 2006 @07:59PM (#15250249)
          If code looks 'dirty' (hard to read), they will often rewrite it so that it's easier to audit for bugs in the future.

          That is one brilliant policy! Kudos to whomever implemented that!

          It reminds me of an incident about 12 years ago. A bunch of us entry level programmers were sitting around and this one guy pipes up and says "Look! I wrote an entire function (it was C) in one line!" He did, too. It was one of those 'for' loops with a 'while' and a bunch of things in one line. It was impossible to read. I just shook my head and said, "If there's a bug in that code, and I get assigned to it, I'm coming for you!"

          • by Nutria (679911) on Tuesday May 02, 2006 @08:50PM (#15250499)
            "Look! I wrote an entire function (it was C) in one line!" He did, too. It was one of those 'for' loops with a 'while' and a bunch of things in one line. It was impossible to read.

            That reminds me of the Kernighan quote, which I heartily agree with:
            "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."


  • by LiquidCoooled (634315) on Tuesday May 02, 2006 @06:46PM (#15249748) Homepage Journal
    In related news, the Department of Homeland security has notified 3497 people where their missing TV remote control is to be found, where your wife was until 3am last Thursday and have completed a record number of sudoku puzzles in newspapers around the country.

    Government officials were unwilling to cite their sources for this information instead choosing to simply say "we are watching you".
  • Only one? (Score:3, Interesting)

    by Anonymous Coward on Tuesday May 02, 2006 @06:47PM (#15249756)
    They uncovered only one flaw? Sheesh.
  • by Junior J. Junior III (192702) on Tuesday May 02, 2006 @06:48PM (#15249761) Homepage
    Kudos to the heroes who painstakingly reinserted the missing parenthesis!
  • by FirstTimeCaller (521493) on Tuesday May 02, 2006 @06:48PM (#15249765)

    A missing parentheses in a bit of code is to blame...the flaw has already been corrected.

    Any word on exactly what the fix was?

  • Success (Score:3, Funny)

    by mytmouse (923997) on Tuesday May 02, 2006 @06:52PM (#15249790) Homepage
    Finally Homeland security has done something noteworthy. I'm glad this benefits the X11 community.
  • I wonder (Score:3, Funny)

    by kevin_conaway (585204) on Tuesday May 02, 2006 @06:53PM (#15249793) Homepage
    I wonder if Miles Papazian discovered the flaw by reading the binary or by utilizing a machine-coded matrix?
  • by Anonymous Coward on Tuesday May 02, 2006 @06:58PM (#15249837)
    #define ) ); Install_Patriot_PhoneHome();
  • OS X? (Score:4, Interesting)

    by nursegirl (914509) on Tuesday May 02, 2006 @06:59PM (#15249843) Journal
    Any word on whether this vulnerability is a risk for those using x11 within osx? TFA mentioned that the X windowing system shipped with OS X without stating what level of risk exists.
  • Easy (Score:3, Funny)

    by mobby_6kl (668092) on Tuesday May 02, 2006 @07:00PM (#15249848)
    If the compiler doesn't have a problem with unmatched parentheses, to prevent any such problems in the future, simply insert) closing) parentheses) instead) of) spaces).
  • Advisory (Score:2, Insightful)

    by Anonymous Coward
    If you're wondering, here is the relevant SUSE security advisory from 21.3 - http://www.novell.com/linux/security/advisories/2006_16_xorgx11server.html [novell.com]
  • by RLiegh (247921) *
    I'm using debian 3.1. Is this something I'm going to have to run dist-update for? (the 'crap' is because I'd have to update over dialup).
  • Not Quite (Score:5, Funny)

    by mattwarden (699984) on Tuesday May 02, 2006 @07:15PM (#15249955) Homepage

    Actually, it was not a missing parenthesis, but a missing parenthetical.

    double r;
    r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
    if ( r < 0.5 ) gotroot(true);

    And the patched code:

    double r;
    r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
    if ( r < 0.5 ) gotroot(true); (just kidding!)
  • by Chirs (87576) on Tuesday May 02, 2006 @07:23PM (#15250018)
    The fix was posted before, but the problem was that someone used "geteuid" rather than "geteuid()".

    This results in making use of the function address rather than the return value of the function, which could cause difficulties.
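
The bug class described in the comment above, as an added example that is not part of the original thread and is not X.org's code. The shape of the guard, the stand-in functions `euid_is_root` / `euid_is_user` and the `must_refuse_*` names are assumptions made for illustration; the effective-UID source is passed as a function pointer so the check can be exercised without being root.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Same signature as geteuid(); lets us substitute constructed stand-ins. */
typedef uid_t (*euid_fn)(void);

/* Constructed stand-ins for geteuid(): a setuid-root process and a normal one. */
static uid_t euid_is_root(void) { return 0; }
static uid_t euid_is_user(void) { return 1000; }

/*
 * Hypothetical guard: a privileged option must be refused when the real user
 * is not root but the process runs with effective UID 0 (setuid root).
 *
 * Buggy form: the "()" is missing, so the function's ADDRESS is compared
 * with 0. A function's address is never null, so the second operand is
 * always false and the guard never fires.
 */
int must_refuse_buggy(uid_t ruid, euid_fn get_euid)
{
    return ruid != 0 && get_euid == 0;
}

/* Fixed form: call the function and compare its return value. */
int must_refuse_fixed(uid_t ruid, euid_fn get_euid)
{
    return ruid != 0 && get_euid() == 0;
}

int main(void)
{
    /* Unprivileged real user (constructed UID 1000) running a setuid-root binary. */
    printf("setuid root, ruid=1000: buggy=%d fixed=%d\n",
           must_refuse_buggy(1000, euid_is_root),
           must_refuse_fixed(1000, euid_is_root));

    /* Same user, binary not setuid: neither form should refuse. */
    printf("not setuid,  ruid=1000: buggy=%d fixed=%d\n",
           must_refuse_buggy(1000, euid_is_user),
           must_refuse_fixed(1000, euid_is_user));

    /* The real calls for the current process, using the fixed form. */
    printf("this process: fixed=%d\n", must_refuse_fixed(getuid(), geteuid));
    return 0;
}
```

When the function name itself is written in the comparison (`geteuid == 0`), current GCC reports it under `-Waddress`, which `-Wall` enables.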
  • by Technician (215283) on Tuesday May 02, 2006 @07:25PM (#15250033)
    Please note that this exploit is for the local user only. If you are the only user on your Apple or Nix box, then this is a non-news item. However if the BSA, RIAA, MPAA, or Dept of Homeland Security has taken your box and wants root, then you might have a problem. ;-)

  • by TheDukePatio (621176) on Tuesday May 02, 2006 @07:38PM (#15250126)
    I see a ton of comments mod'd Funny, but what I'm surprised folks haven't focused on yet is the fact that it was found in OSS. The reason they're able to find, report, and get it fixed in a week is the fact that it's OSS. It's understandable that the DoHS is going to want to do a security audit on things like this.

    I wonder how many potential security holes Coverity's uncovered by scanning Windows source....oh wait....they can't. Well I'm sure if they signed an NDA they could tell M$ and get it fixed in a....um...err...sorry, you'll have to wait for the next patch cycle.

  • by tomq123 (194265) on Tuesday May 02, 2006 @08:00PM (#15250256)
    is getting close to being able to do what they portray on 24.

    Jack: I'm running out of time. I need that satellite image.
    Chloe: I opened a socket into a NASA server and retasking the satellite.
    Jack: Great, download the image to my PDA.
    Chloe: I need your IP address.
    Jack: 1.2.123.129
    Chloe: I'm having some trouble. I'm hacking into a secure server at CTU, and sending the image to your PDA.
    Jack: I've got it. Thanks Chloe.
    Chloe: Whatever...
  • by The Pim (140414) on Tuesday May 02, 2006 @08:51PM (#15250504)
    There are a number of interesting issues with this bug and how it's being reported.
    • Never mind that the bad code is valid C, it's insane that it didn't generate a warning. I hope GCC has the option, and security sensitive code should be built with as many warnings enabled as possible.
    • Code that's conditional on "whether I'm root" is a hole waiting to open. Much better to have a separate wrapper that is setuid and accepts a constricted set of options, then calls the real program (which is not setuid).
    • Given that X is a network service, most commonly run on single-user machines, a local root vulnerability (while egregious) is hardly a "worst-case scenario".
    • This appears to be an effective use of government funds.
  • by penguin-collective (932038) on Tuesday May 02, 2006 @09:05PM (#15250570)
    There can't be a "missing parenthesis in X11" because X11 is not a piece of code, it's a protocol. This vulnerability only affects the X.org and XFree86 implementations of X11; there are many other implementations that are not affected.

    It's pretty sad that Windows and Macintosh have conditioned people to think that every window system is just a piece of code; the notion that a window system could be an API standard with multiple implementations doesn't seem to occur to them.
    • seriously? (Score:3, Insightful)

      by YesIAmAScript (886271)
      In concept, there is a separate protocol and implementation of X. But the source has been available under a very permissive license since the very beginning. Because of this, the only thing I've ever seen that was reimplemented was the server (window server), everything else has just been compiled directly from the reference sources.

      And even those window servers are compiled from sources derived from the reference sources, with patches.

      Do you actually know of any implementations of X other than the two you
    • Uhh... coming from someone with 5 years of experience in the X Window System, your statement that X11 refers to a protocol and not a codebase is overly pedantic and not truly reflective of reality.

      The name 'X11' effectively refers to a code base because the 'sample implementation', which was extended for specific hardware by XFree86 and X.org, is the basis of almost all X Servers in existence. For example, Sun and HP both ship their own X Servers, but the base upon which they implemented their device-depen
  • Mac OS X Tiger (Score:3, Interesting)

    by themadplasterer (931983) on Tuesday May 02, 2006 @09:07PM (#15250581)
    Tiger shipped with (X11 1.1 - XFree86 4.4.0) and X11R6.9.0 and X11R7.0.0 are forked from that. So it could well affect Mac OS X. If it does it will be interesting to see how long it takes Apple to provide an update if at all, given that it's open source
  • Difference (Score:3, Interesting)

    by suv4x4 (956391) on Wednesday May 03, 2006 @03:30AM (#15251780)
    That's the difference between closed source and open source I guess...

    Critical vulnerability in X11, missing parens are to blame, report: "missing parens in code leaves X11 vulnerable, the problem is fixed."

    --vs--

    Critical vulnerability in Windows, missing parens are to blame (but that's under NDA), report: "the incompetent programmers of the Redmond monopolist did it again, your Windows is totally open to hackers due to a bad, bad vulnerability. While we're on this, let's discuss also how OSX and Linux are infinitely cooler than Windows will ever be, and how Windows users are clueless idiots."
