{"id":176,"date":"2006-05-04T01:50:43","date_gmt":"2006-05-04T01:50:43","guid":{"rendered":"https:\/\/www.darknet.org.uk\/2006\/05\/homeland-security-uncovers-critical-flaw-in-x11\/"},"modified":"2010-07-21T11:31:43","modified_gmt":"2010-07-21T10:31:43","slug":"homeland-security-uncovers-critical-flaw-in-x11","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2006\/05\/homeland-security-uncovers-critical-flaw-in-x11\/","title":{"rendered":"Homeland Security Uncovers Critical Flaw in X11"},"content":{"rendered":"
<\/p>\n
An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parentheses in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool.<\/p>\n
The flaw has been fixed.<\/p>\n
It was a change from this:<\/p>\n
to this:<\/p>\n The best part was the CVS comment:<\/p>\n Fri Mar 10 17:29:51 2006 UTC (7 weeks, 4 days ago) by deraadt:<\/em> From the article:<\/p>\n Coverity, the San Franciso-based company managing the project under a $1.25 million grant, described the flaw as the “biggest security vulnerability” found in the X Window System code since 2000.<\/p>\n The X Window System, also called X11 or X, provides the toolkit and protocol to build GUIs for Unix and Unix-like operating systems. It is used to provide windowing for bit-map displays. <\/p><\/blockquote>\nif (getuid() == 0 || geteuid != 0)<\/code><\/p>\n
if (getuid() == 0 || geteuid() != 0) <\/code><\/p>\n
\nproper geteuid calls because suse hires people who mistype things<\/p><\/blockquote>\n