Homeland Security Uncovers Critical Flaw in X11
Amy's Robot writes "An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing pair of parentheses in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.
Already Corrected? (Score:1, Insightful)
Is LinuxUpdate.linux.com going to send this out on Tuesday automatically and reboot my machine?
Oh sure, I'm trolling - but the point is this ISN'T updated on machines around the world. It's updated on a few machines that HAVE some sort of auto-update service (of which many required a fee with your "enterprise service license") and it may or may not be updated when you install a new machine.
I know *MY* servers aren't updated...yet.
Re:Already Corrected? (Score:5, Insightful)
Advisory (Score:2, Insightful)
Re:Already Corrected? (Score:4, Insightful)
Re:Related news (Score:4, Insightful)
Re:So does this mean? (Score:5, Insightful)
I had a quick look on Coverity's website and this appears to be the relevant line of code:
- if (getuid() == 0 || geteuid != 0)
+ if (getuid() == 0 || geteuid() != 0)
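Review bot: the `+` line is the right fix; on the `-` line `geteuid != 0` compares the address of the `geteuid` function with 0, and a function's address is never 0, so the right-hand side of the `||` was always true and the whole test passed for every caller regardless of uid or euid. Suggest building with `-Wall` (gcc's `-Waddress` reports exactly this "address will always evaluate as true" comparison) so a dropped pair of parentheses cannot slip through silently again.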
In the case of the first line, "geteuid != 0" is valid C code but checks whether or not the address of the geteuid function is 0.
The second line is what the programmer intended to write, which calls the geteuid function and checks the value returned by that function.
The problem (if there is one) lies with the language, not the compiler, since both of the above lines are legal C code.
Solutions to this kind of problem probably involve both a movement towards higher level languages (which are typically more verbose and don't allow low-level memory manipulation), and more extensive static code analysis. In the case of Xorg and the kernel, moving to a higher level language isn't really an option (not yet, at least).
Re:Sometimes gentoo is a pain. (Score:5, Insightful)
Not reading the article doesn't seem to be much of a problem. It's really not very clear. For example, is this a problem with X.org X11 specifically? Is Apple's X11.app affected? The article just says the problem is with "The X Window System", without mentioning any particular implementations.
It took some digging to find the actual advisory:
http://lists.freedesktop.org/archives/xorg/2006-M
Re:Already Corrected? (Score:2, Insightful)
That's gonna ruin someone's LTS system.
TWW
This is not a remote root vulnerability (Score:5, Insightful)
Re:Related news (Score:3, Insightful)
Re:Related news (Score:3, Insightful)
I think you owe the GP an apology.
Another score for open source! (Score:3, Insightful)
(And yes, I know that some gov't agencies have a deal to view the Windows source code, but there are WAAAY fewer eyeballs looking at it, and from what I've heard the code is a big badly documented mess.)
Re:This is not a remote root vulnerability (Score:3, Insightful)
AFAIK this exploit can be used over the net, but only if you've enabled remote logins in your Xconf. I'm not aware of any distro that does that by default, and the Xconf "sample" that comes with XFree86 or Xorg both have remote logins disabled.
I realize that it's too much to assume that anyone geek enough to enable remote X sessions is also geek enough to protect his system adequately, but most of the time that will be the case.
Re:Related news (Score:5, Insightful)
You're misinterpreting what the problem was. It was a change from this:
if (getuid() == 0 || geteuid != 0)
to this:
if (getuid() == 0 || geteuid() != 0)
This is why stuff should compile *without warnings*. It drives me nuts to compile something and see hundreds of warnings spit out.
(And yes, gcc will throw a warning if you compare a function pointer with 0 instead of NULL)
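Added example, not code from the thread or from X.Org, illustrating the two shapes of the check quoted in this comment and in the earlier "Re:So does this mean?" comment. `sim_geteuid` is a constructed stand-in for `geteuid()` so the result does not depend on who runs the program; the function names are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-in for geteuid(): returns whatever the caller set, so the
   example is deterministic. Hypothetical helper, not part of X.Org. */
static uid_t sim_euid = 0;
static uid_t sim_geteuid(void) { return sim_euid; }

/* Buggy shape: "sim_geteuid != 0" never calls the function. The bare name
   decays to a function pointer, which is never null, so the right-hand operand
   is always true and the whole condition is always true. gcc reports this as
   "the address of 'sim_geteuid' will always evaluate as 'true'" (-Waddress);
   the pragma only keeps the example building if warnings are made errors. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Waddress"
int privileged_option_allowed_buggy(uid_t uid, uid_t euid)
{
    sim_euid = euid;
    return uid == 0 || sim_geteuid != 0;
}
#pragma GCC diagnostic pop

/* Fixed shape: the parentheses actually call the function, so the check asks
   "is the caller root, or is this process not running setuid-root?" */
int privileged_option_allowed_fixed(uid_t uid, uid_t euid)
{
    sim_euid = euid;
    return uid == 0 || sim_geteuid() != 0;
}

int main(void)
{
    /* Constructed case: an ordinary user (uid 1000) running a setuid-root
       binary (euid 0). The buggy check lets the option through; the fixed
       check refuses it. */
    printf("uid=1000 euid=0  buggy: %d  fixed: %d\n",
           privileged_option_allowed_buggy(1000, 0),
           privileged_option_allowed_fixed(1000, 0));
    /* Root, or a non-setuid build (euid == uid), is allowed either way. */
    printf("uid=0 euid=0     fixed: %d\n", privileged_option_allowed_fixed(0, 0));
    printf("uid=1000 euid=1000 fixed: %d\n", privileged_option_allowed_fixed(1000, 1000));
    return 0;
}
```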
Re:Already Corrected? (Score:3, Insightful)
the usual confusion (Score:5, Insightful)
It's pretty sad that Windows and Macintosh have conditioned people to think that every window system is just a piece of code; the notion that a window system could be an API standard with multiple implementations doesn't seem to occur to them.
Re:Related news (Score:3, Insightful)
I don't understand the intention of the fixed code (Score:2, Insightful)
Re:I don't understand the intention of the fixed c (Score:4, Insightful)
Re:OpenBSD fixed on Jan. 21, 2000 (Score:2, Insightful)
Incidentally, this also confirms most non-BSDers' opinion of Theo.
Re:Related news (Score:1, Insightful)
Not even considering the bug, that's some pretty horrific coding. Is all of X written this poorly?
Agree with the sentiment, but.... (Score:3, Insightful)
The obvious solution is X not as root, so the worst you can do is screw around with the devices X really needs access to (screw around with the graphics, and local input devices, but an administrator can still ssh and have an intact, secure system in the ways that matter)
Re:OpenBSD fixed on Jan. 21, 2000 (Score:3, Insightful)
Re:OpenBSD fixed on Jan. 21, 2000 (Score:5, Insightful)
Funny, and almost right.
Put all your brains, but half of your cleverness into coding.
IOW, use all your intellect to simplify the code, and only be "clever" (that's a mild pejorative if you haven't figured it out by now) when there's no other way to accomplish the task.
I have to admit, though, that I was young once, and foolish, and thought it was the height of brilliance to write code (especially C, but even Pascal) in as few lines as possible.
Re:OpenBSD fixed on Jan. 21, 2000 (Score:3, Insightful)
And the corollary to that: If you are (trying to be) clever, leave comments about what you're doing. Whoever might have to review/fix your code will greatly appreciate it. Remember, that person might be YOU. While I still try to be clever a little too often, it makes it incredibly much easier to fix.
seriously? (Score:3, Insightful)
And even those window servers are compiled from sources derived from the reference sources, with patches.
Do you actually know of any implementations of X other than the two you mentioned? I tried to search for some and couldn't find any.
Re:the usual confusion (Score:3, Insightful)
The name 'X11' effectively refers to a code base because the 'sample implementation', which was extended for specific hardware by XFree86 and X.org, is the basis of almost all X Servers in existence. For example, Sun and HP both ship their own X Servers, but the base upon which they implemented their device-dependent code for specific video cards and input devices is the sample implementation. Free X servers for Windows and Mac OS X both use the sample implementation (X.org to be specific). Commercial X Servers for Windows all seem to use the sample implementation as well. The only non-sample implementation X Server that I know of is WeirdX, an X Server written entirely in Java, which implies that everything would have to have been rewritten.
Harold