Homeland Security Uncovers Critical Flaw in X11

Amy's Robot writes "An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parentheses in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.

OpenBSD fixed on Jan. 21, 2000

[Anonymous Coward]

Check the CVS server. OpenBSD 0wns again!

Re:OpenBSD fixed on Jan. 21, 2000

[belg4mit]

If that's true, it's nice they saw fit to kick back a patch.

Re:OpenBSD fixed on Jan. 21, 2000

[LurkerXXX]

OpenBSD fixes 'security holes' all the time, without even knowing it. If code looks 'dirty' (hard to read), they will often rewrite it so that it's easier to audit for bugs in the future. Most of the time when they fix a 'hole', they never actually spotted the hole. They were just cleaning up messy looking code. A few years later (like in this case) it will often turn out that there was a security hole hidden in the mess.

FYI, they do often send the cleaned version back to the codes maintainers, but they can't force them to use the re-arranged code, or port it to other systems. Sorry.

Re:OpenBSD fixed on Jan. 21, 2000

[dietrollemdefender]

If code looks 'dirty' (hard to read), they will often rewrite it so that it's easier to audit for bugs in the future.

That is one brilliant policy! Kudos to whomever implemented that!

It reminds of an incedent about 12 years ago. A bunch of us entry level programmers were sitting around and this one guy pipes up and says "Look! I wrote an entire function (it was C) in one line!" He did, too. It was one of those 'for' loops with a 'while' and a bunch of things in one line. It was impossible to read. I just shook my head and said, "If there's a bug in that code, and I get assigned to it, I'm coming for you!"

Re:OpenBSD fixed on Jan. 21, 2000

[Nutria]

"Look! I wrote an entire function (it was C) in one line!" He did, too. It was one of those 'for' loops with a 'while' and a bunch of things in one line. It was impossible to read.

That reminds me of the Kernighan quote, which I heartily agree with:

"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."

Re:OpenBSD fixed on Jan. 21, 2000

[Nutria]

Then if I want to do my own debugging, I should only put half my effort into coding!

Funny, and almost right.

Put all your brains, but half of your cleverness into coding.

IOW, use all your intellect to simplify the code, and only be "clever" (that's a mild pejorative if you haven't figured it out by now) when there's no other way to accomplish the task.

I have to admit, though, that I was young once, and foolish, and thought it was the height of brilliance to write code (especially C, but even Pascal) in as few lines as possible.

Re:OpenBSD fixed on Jan. 21, 2000

[Kjella]

IOW, use all your intellect to simplify the code, and only be "clever" (that's a mild pejorative if you haven't figured it out by now) when there's no other way to accomplish the task.

And the collorary to that: If you are (trying to be) clever, leave comments about what you're doing. Whoever might have to review/fix your code will greatly appriciate it. Remember, that person might be YOU. While I still try to be clever a little too often, it makes it incredibly much easier to fix.

Re:OpenBSD fixed on Jan. 21, 2000

[stoborrobots]

It sounds like you're thinking of the Underhanded C Contest [brainhz.com]... The 2005 results [brainhz.com] look something like what you're describing... :-)

HTH. Cheers.

Re:OpenBSD fixed on Jan. 21, 2000

[strabo]

March 10 would be more correct

More specifically, March 10th of 2006. Seven weeks ago.

Best part was the CVS log:

Fri Mar 10 17:29:51 2006 UTC (7 weeks, 4 days ago) by deraadt:
proper geteuid calls because suse hires people who mistype things

Re:OpenBSD fixed on Jan. 21, 2000

[Alioth]

The truth sometimes hurts. Theo de Raadt just doesn't dress it up. I wouldn't hire Theo as a diplomat (well, not unless I wanted to actually start a war), but I would hire him as someone who can write secure code. I don't care if he has no social skills; I'm after secure code. That's why we use OpenBSD for security critical things.

Related news

[LiquidCoooled]

In related news, the Department of Homeland security has notifed 3497 people where their missing TV remote control is to be found, where your wife was until 3am last Thursday and have completed a record number of soduku puzzles in newspapers around the country.

Government officials were unwilling to cite their sources for this information instead choosing to simply say "we are watching you".

Re:Related news

[rbochan]

"This message brought to you by AT&T"

Re:Related news

[PlusFiveTroll]

Should this be modded funny or sad?

It all depends...

[mistergin.net]

Depends,

Have you paid your Moses Fee?

(let my packets go....) [as sung to 'let my people go']

Re:Related news

[_Sprocket_]

Just because the NSA is listening to you, doesn't mean they're gonna make your decisions for you.

(that's the job of Congress and industry trade groups)

Re:Related news

[Anpheus]

They can only make your decisions for you when you use an unencrypted method of communication.

Re:Related news

[cgenman]

You can have my decision-making encryption power when you pull it from my cold... dead... Hey! What are you doing? It was just a metaphor! A metaphor! Wait! Noooo!

$#$#%... [signal lost]

Re:Related news

[Bush Pig]

What I'd really like to know is how come the code even compiled if it was missing a closing parenthesis somewhere. None of mine ever does in that circumstance.

Re:Related news

[x2A]

oh yeah, it was also missing the opening one, but it sounds like a bigger danger if they only point out the closing one was missing (OMG, it was left open!) ;-)

Re:Related news

[mattwarden]

You're misinterpreting what the problem was. It was a change from this:

if (getuid() == 0 || geteuid != 0)

to this:

if (getuid() == 0 || geteuid() != 0)

Re:Related news

[prockcore]

You're misinterpreting what the problem was. It was a change from this:

if (getuid() == 0 || geteuid != 0)

to this:

if (getuid() == 0 || geteuid() != 0)


This is why stuff should compile *without warnings*. It drives me nuts to compile something and see hundreds of warnings spit out.

(And yes, gcc will throw a warning if you compare a function pointer with 0 instead of NULL)

Re:Related news

[Reverend528]

This is why stuff should compile *without warnings*. It drives me nuts to compile something and see hundreds of warnings spit out.

It drives me nuts too. That's why i use the -fsyntax-only option whenever I compile anything. It gets rid of the warnings so you know your code is safe!

Re:Related news

[Schraegstrichpunkt]

That better not be true... Since ANSI C says that NULL is 0.

I don't know about ANSI, but ISO/IEC 9899:1999(E) (a.k.a. "C99"), under section 7.17 "Common definitions <stddef.h>" states:

1 The following types and macros are defined in the standard header <stddef.h> . Some are also defined in other headers, as noted in their respective subclauses.

...

3 The macros are

NULL

which expands to an implementation-defined null pointer constant;

Under section 6.3.2.3 "Pointers", the "null po

Re:Caution: Sometimes 0 != NULL

[sholden]

Then the compiler is not compliant with the standard. Since it defined the constant 0 (and only the constant 0 not for example 1-1) in a pointer context as being converted to the NULL pointer at compile time. The only times 0 isn't correct is as an argument to a function with no prototype (which no one does anymore, right :) and as an argument to a varargs function call - since in both those cases there is no pointer context to trigger the conversion.

You need a better compiler.

Re:Related news

[fbjon]

It's not always matching because getuid != geteuid.

Re:Related news

[nuzak]

http://xorg.freedesktop.org/releases/X11R7.0/patch es/xorg-server-1.0.1-geteuid.diff [freedesktop.org]

I think you owe the GP an apology.

UIDs

[r00t]

The effective UID (euid) is changed when you run a setuid app, while the real UID (uid in this case, or ruid) is not.

The effective UID is normally associated with permission to access files. Well, Linux actually uses the filesystem UID (fsuid or fuid) for that, but that one nearly always tracks the effective UID for compatibility.

There is also a saved UID (suid or svuid) that is helpful for apps that need to swap UIDs back and forth. It's not used for anything else.

Re:Related news

[dimator]

Can they get on the missing socks situation now, or what?

I just saw a story..

[ModernGeek]

..I just saw a story on digg (washes mouth out with pee to get bad taste out of my mouth), and noticed that the FAA just announced they will be running linux to track flights. Maybe there is a tie in-between this find and that announcement?

Re:Related news

[SleepyHappyDoc]

In related news, the Department of Homeland security has notifed 3497 people where their missing TV remote control is to be found

No, no, that's a flaw in X10, not X11. That missing remote behaviour is an undocumented feature.

Only one?

[Anonymous Coward]

They uncovered only one flaw? Sheesh.

Re:Only one?

[Frosty Piss]

They uncovered only one flaw? Sheesh.

Only one that they are telling us about...

Way to go, boys!

[Junior J. Junior III]

Kudos to the heroes who painstakingly reinserted the missing parenthesis!

Re:Way to go, boys!

[dimator]

This was like the 3rd time since I've been reading /. that I've laughed out loud. Nice work.

Another score for open source!

[MoxFulder]

The advantage of open source shines through once again! This couldn't have happened with MS Windows, that's for sure... without access to the source code, this bug couldn't have been discovered, let alone fixed so quickly.

(And yes, I know that some gov't agencies have a deal to view the Windows source code, but there are WAAAY fewer eyeballs looking at it, and from what I've heard the code is a big badly documented mess.)

Re:Another score for open source!

[LegendLength]

Microsoft runs these bug-checker-programs on their code all the time.

Excluding Outlook Express I guess.

Re:

[account_deleted]

Comment removed based on user account deletion

Any word on the fix?

[FirstTimeCaller]

A missing parentheses in a bit of code is to blame...the flaw has already been corrected.

Any word on exactly what the fix was?

Re:Any word on the fix?

[metroplex]

Reinserting the parenthesis, duh

Re:Any word on the fix?

[RemovableBait]

* <-- Joke

* <-- Your Head

Re:Any word on the fix?

[poot_rootbeer]

Reinserting the parenthesis, duh

How do you know they didn't just remove the match-less parenthesis instead?

Re:Any word on the fix?

[RLiegh]

Would half a parenthesis be considered a word?

Re:Any word on the fix?

[fryguybob]

it was a missing pair of parentheses:

http://xorg.freedesktop.org/releases/X11R7.0/patch es/xorg-server-1.0.1-geteuid.diff [freedesktop.org]

http://lists.freedesktop.org/archives/xorg/2006-Ma rch/013992.html [freedesktop.org]

Success

[mytmouse]

Finally Homeland security has done something noteworthy. I'm glad this benefits the X11 community.

I wonder

[kevin_conaway]

I wonder if Miles Papazian discovered the flaw by reading the binary or by utilizing a machine-coded matrix?

Re:I wonder

[tcopeland]

> I wonder if Miles Papazian discovered the flaw
> by reading the binary or by utilizing a machine-coded matrix?

I don't know, but I bet Chloe O'Brian is lurking nearby. And she's probably scowling.

watch out for their patches, though

[Anonymous Coward]

#define ) ); Install_Patriot_PhoneHome();

OS X?

[nursegirl]

Any word on whether this vulnerability is a risk for those using x11 within osx? TFA mentioned that the X windowing system shipped with OS X without stating what level of risk exists.

Re:OS X?

[Carnildo]

OSX ships XFree86 4.3.0, which is not vulnerable.

Easy

[mobby_6kl]

If the compiler doesn't have a problem with unmatched parentheses, to prevent any such problems in the future, simply insert) closing) parentheses) instead) of) spaces).

Advisory

[Anonymous Coward]

If you're wondering, here is the relevant SUSE security advisory from 21.3 - http://www.novell.com/linux/security/advisories/20 06_16_xorgx11server.html [novell.com]

Crap.

[RLiegh]

I'm using debian 3.1. Is this something I'm going to have to run dist-update for? (the 'crap' is because I'd have to update over dialup).

Re:Crap.

[RLiegh]

,s/update/upgrade/g

Not Quite

[mattwarden]

Actually, it was not a missing parenthesis, but a missing parenthetical.

double r;
r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
if ( r < 0.5 ) gotroot(true);

And the patched code:

double r;
r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
if ( r < 0.5 ) gotroot(true); (just kidding!)

Missing *pair* of parentheses

[Chirs]

The fix was posted before, but the problem was that someone used "geteuid" rather than "geteuid()".

This results in making use of the function address rather than the return value of the function, which could cause difficulties.

Re:Missing *pair* of parentheses

[acoopersmith]

Actually, gcc never issued a peep about this code. Try it yourself - compile this with gcc -Wall:

#include <stdlib.h>
#include <unistd.h>

int main()
{
if (getuid() == 0 || geteuid != 0) {
return 1;
} else {
return 0;
}
}

gcc 3.4.3 says all is fine. You can make it complain if you change geteuid != 0 to !geteuid - then it points out "warning: the address of `geteuid', will always evaluate as `true'"

This is not a remote root vunerability

[Technician]

Please note that this exploit is for the local user only. If you are the only user on your Apple or Nix box, then this is a non-news item. However if the BSA, RIAA, MPAA, or Dept of Homeland Security has taken your box and wants root, then you might have a problem. ;-)

Re:This is not a remote root vunerability

[tokabola]

AFAIK this exploit can be used over the net, but only if you've enabled remote logins in your Xconf. I'm not aware of any distro that does that by default, and the Xconf "sample" that comes with XFree86 or Xorg both have remote logins disabled.

I realize that it's too much too assume that anyone geek enough to enable remote X sessions is also geek enough to protect his system adequately, but most of the time that will be the case.

Re:This is not a remote root vunerability

[acoopersmith]

The exploit mentioned in this article cannot be exploited by a user who isn't logged into your system - you have to be able to run the Xorg command with certain options. See X.Org's advisory at http://lists.freedesktop.org/archives/xorg/2006-Ma rch/013992.html [freedesktop.org]

Missing the point.....

[TheDukePatio]

I see a ton of comments mod'd Funny, but what I'm surprised folks haven't focused on yet is the fact that it was found in OSS. The reason they're able to find, report, and get it fixed in a week is the fact that it's OSS. It's understandable that the DoHS is going to want to do a security audit on things like this.

I wonder how many potential security holes Coverity's uncovered by scanning Windows source....oh wait....they can't. Well I'm sure if they signed an NDA they could tell M$ and get it fixed in a....um...err...sorry, you'll have to wait for the next patch cycle.

Re:Missing the point.....

[ipfwadm]

On the other hand, because its OSS now all of the machines that remain unpatched have an exploit that is not only known, but but publicized by the developer, with diffs showing *exactly* what line of code the error is on.

While I hate to sound like all the other OSS apologists that have posted so far ("yeah there's an exploit, but think of how many we could find if we could run it on the Windows source!" and other such tripe that ignores the fact that a serious bug was found in OSS software), your argument is a bunch of crap. You're basically saying that exploits in closed-source software are unknown and unpublicized, which is ridiculous.

As for your Apache example, it would be just as simple to see what version of IIS a machine is running and look through MS KB to find the known exploits against it. Or look at bugtraq. Or anywhere else on the Internet. Just because the source is a secret doesn't mean the details of the available exploits are too.

Oh and knowing the line of source code on which that the error exists is entirely irrelevant to the discussion -- having that knowledge doesn't make using an exploit any easier or more difficult. It may assist in developing new exploits, but when attempting to use one that has been found, that knowledge is superfluous.

Critique...

[jd]

1. Knowing the line won't help you figure out the exploit
   
2. Whether anyone tells you about a bug or not, you're always capable of scanning source - or even binaries - in search of unknown exploits
   
3. You knowing about a bug doesn't alter the odds of "Them" knowing about a bug - it only alters the odds of you fixing it
   
4. X11 bugs are rarely externally exploitable, as not many people run X sessions over the public internet and therefore those ports will be blocked at the corporate (or personal) firewall
   
5. The mathematical model of conflict ("Game Theory") only has a solution (ie: win no matter what the opponent does) when both sides know absolutely everything, ergo the only way to establish a sane IT security policy is to assume the attacker knows all the defects and exploits that exist, whether they are published or not
   

That last one makes things tough. How can you have security when everything is known? Well, in practice that is the only context security is even possible. "Security through obscurity" really means "we don't know what our opponents know and we're not even sure what we know". If, however, you assume that your opponents know everything then you don't take shortcuts. You plan for contingencies, you have fallback positions, you have not just a plan but a roadmap of possibilities and how to deal with them.

(At least, for any scenario too complex to actually have a complete solution for. For simpler problems, such as a chess puzzle or - for the past decade - the entire game of draughts, it is possible to map a complete, guaranteed winning strategy that will work no matter what the opponent does. Such a solution exists for the complete game of Chess and indeed for the complete game of Go, but has not yet been found. For any given computer system, such a solution must also exist for the operator/admin, but the chief problem has always been to get them to bother even putting the bits of solution that are known in place.)

Wow. Homeland Security....

[tomq123]

is getting close to being able to do what they portray on 24.

Jack: I'm running out of time. I need that salelite image.
Chloe: I opened a socket into a NASA server and retasking the satelite.
Jack: Great, download the image to my PDA.
Chloe: I need your IP address.
Jack: 1.2.123.129
Chloe: I'm having some trouble. I'm hacking into a secure server at CTU, and sending the image to your PDA.
Jack: I've got it. Thanks Chloe.
Chloe: Whatever...

Where was the warning?

[The Pim]

There are a number of interesting issues with this bug and how it's being reported.

• Never mind that the bad code is valid C, it's insane that it didn't generate a warning. I hope GCC has the option, and security sensitive code should be built with as many warning enabled as possible.
• Code that's conditional on "whether I'm root" is a hole waiting to open. Must better to have a separate wrapper that is setuid and accepts a constricted set of options, then calls the real program (which is not setuid).
• Given that X is a network service, most commonly run on single-user machines, a local root vulnerability (while egregious) is hardly a "worst-case scenario".
• This appears to be an effective use of government funds.

the usual confusion

[penguin-collective]

There can't be a "missing parenthesis in X11" because X11 is not a piece of code, it's a protocol. This vulnerability only affects the X.org and XFree86 implementations of X11; there are many other implementations that are not affected.

It's pretty sad that Windows and Macintosh have conditioned people to think that every window system is just a piece of code; the notion that a window system could be an API standard with multiple implementations doesn't seem to occur tothem.

seriously?

[YesIAmAScript]

In concept, there is a separate protocol and implementation of X. But the source has been available under a very permissive license since the very beginning. Because of this, the only thing I've ever seen that was reimplemented was the server (window server), everything else has just been compiled directly from the reference sources.

And even those window servers are compiled from sources derived from the reference sources, with patches.

Do you actually know of any implementations of X other than the two you

Re:the usual confusion

[haroldhunt]

Uhh... coming from someone with 5 years of experience in the X Window System, your statement that X11 refers to a protocol and not a codebase is overly pedantic and not truly reflective of reality.

The name 'X11' effectively refers to a code base because the 'sample implementation', which was extended for specific hardware by XFree86 and X.org, is the basis of almost all X Servers in existance. For example, Sun and HP both ship their own X Servers, but the base upon which they implemented their device-depen

Mac OS X Tiger

[themadplasterer]

Tiger shipped with (X11 1.1 - XFree86 4.4.0) and X11R6.9.0 and X11R7.0.0 are forked from that. So it could well affect Mac OS X. If it does it will be interesting to see how long it takes Apple to provide an update if at all, given that it's open source

Re:Mac OS X Tiger

[EMR]

Home land security is WAY behind on things OR eweek is way behind on things. This was fixed back in March and ONLY affects X.org 6.9 adn 7.0 so Mac OS X is unaffected.

https://bugs.freedesktop.org/show_bug.cgi?id=6213 [freedesktop.org]

Difference

[suv4x4]

That's the difference between closed source and open source I guess...

Critical vulnerability in X11, missing parens are to blame, report: "missing parens in code leaves X11 vulnerable, the problem is fixed."

--vs--

Critical vulnerability in Windows, missing parens are to blame (but that's under NDA), report: "the incompetent programmers of the Redmont monopolist did it again, your Windows is totally open to hackers due to a bad, bad vulnerability. While we're on this, let's discuss also how OSX and Linux are infinitely cooler than Windows will ever be, and how Windows users are clueless idiots."

Re:Here is the actual flaw:

[eln]

Shouldn't that be:

(X11 sucks monkey cock

Re:Already Corrected?

[Vyvyan Basterd]

Why are you running X11 on your servers?

Re:Already Corrected?

[Anonymous Coward]

Maybe it's an X11 server.

Re:Already Corrected?

[cortana]

In which case it won't be running the X server, which is the program in which this flaw resides. :)

Re:Already Corrected?

[Jason Earl]

Your servers are running X? What for?

Re:Already Corrected?

[Neil Watson]

Certain applications, e.g. Oracle and DB2, highly recommend or even force an X based installation procedure.

Re:Already Corrected?

[wobblie]

uh, you display it somewhere else.

Re:Already Corrected?

[Neil Watson]

Please explain that comment.

Re:Already Corrected?

[Afrosheen]

Still no argument. You install X11, install whatever program absolutely requires it, then uninstall it after you're finished. For the lazier, you just take it out of the startup sequence and leave it installed but never running..just in case you need it again sometime. From a security standpoint the former is better than the latter but sometimes convenience gets first priority.

Re:Already Corrected?

[Karma Farmer]

Certain applications, e.g. Oracle and DB2, highly recommend or even force an X based installation procedure.

Oracle installation runs as an X11 client, and requires that only the client libraries be installed. The X11 server runs on the administrator's desktop.

Of course, TFA doesn't bother to explain if the hole is in the server or the client libraries. I'm assuming they mean the server, but who the hell knows?

Agree with the sentiment, but....

[Junta]

Unfortunately, the distros compete with the likes of Windows. As such, though technically speaking X on a multi-user system of any remote importance is a bad idea, if you shrug off X on servers Windows administrators may not like it as much. Install Red Hat or SuSE server oriented distributions and by default you still end up with a X environment. Good administrators know not to run X and it is powerful and even more convenient to run X apps remotely or inside a detachable VNC session. For small busines

Why?

[Junta]

A linux terminal server need only the X libraries, not even a single instance of an X server, which generally requires elevated privileges to run. I think I've seen work to correct that, but as it stands at large an X server runs as root and has to arbitrate security, whereas X applications linked to X libraries, displaying to a thin client over the network, the server has no root level code and only the thin client filesystem/system is at any risk.

Re:Already Corrected?

[KiloByte]

blah blah DSA-1234 blah blah
*triggered*! Doing: ssh foo;su -;apt-get update;apt-get dist-upgrade; ssh bar...

What auto-update services were you talking about, again?

As restarting most daemons is likely to cause disruption, you can't do this without thinking; thus, fully automatic updates are a bad idea unless the users are mindless. As servers are not operated by monkeys but by people who are *supposed* to have a clue, notification is a must, but actually applying the update shouldn't be done as a cronjob.

Only 6.9 and 7.0

[blirp]

but the point is this ISN'T updated on machines around the world. It's updated on a few machines that HAVE some sort of auto-update service

As this only affects 6.9 and 7.0 (RTFM), you'd need some form of auto-update to actually be exposed. Most distroes are still at 6.8.

M.

Re:Only 6.9 and 7.0

[blirp]

(RTFM)

... or Article, whatever suits you...

I sure whish I could edit my own posts sometimes.

M.

Re:Already Corrected?

[a_n_d_e_r_s]

No it won't reboot your servers - because one don't have to reboot a Linux system to upgrade the X Window System.

Its Linux we're talking about.

It might upgrade X11 though - but thats a good thing.

Re:Already Corrected?

[Just Some Guy]

Is LinuxUpdate.linux.com going to send this out on Tuesday automatically and reboot my machine?

$ dig -t cname LinuxUpdate.linux.com
LinuxUpdate.linux.com. 86400 IN CNAME ftp.us.debian.org.
LinuxUpdate.linux.com. 86400 IN CNAME portsnap.freebsd.org.
LinuxUpdate.linux.com. 86400 IN CNAME ftp.ubuntu.com.

$ dig -t txt LinuxUpdate.linux.com
LinuxUpdate.linux.com. 86400 IN TXT "Tonight, she comes."

Yes.

Re:Sometimes gentoo is a pain.

[Anonymous Coward]

The impression I get is that it shouldn't be easily exploitable. By default, Gentoo (and any sensible distro) configures X11 to disable remote connections. Also, you should have some sort of firewall blocking the relevant ports anyway. If it is really exploitable, the attacker would probably need access to the machine anyway (at which point, you're largely already screwed).

Not reading the article doesn't seem to be much of a problem. It's really not very clear. For example, is this a problem with X.org X11 specifically? Is Apple's X11.app affected? The article just says the problem is with "The X Window System", without mentioning any particular implementations.

It took some digging to find the actual advisory:

http://lists.freedesktop.org/archives/xorg/2006-Ma y/015136.html [freedesktop.org]

Re:Sometimes gentoo is a pain.

[Carnildo]

If you're running Gentoo stable, then you're safe: you've got Xorg 6.8.2, which is not vulnerable.

If you're running ~x86, then you've got the vulnerable version. It's a local exploit, one that is trivially simple for an experienced programmer to use.

Re:Sometimes gentoo is a pain.

[iabervon]

All of the affected versions are masked for testing under Gentoo, so chances are that you're not using an affected version anyway. In any case, it's evidently trivial for a local user starting an xserver to cause it to execute arbitrary code, but there's no way to attack a running server locally or remotely.

Re:So does this mean?

[bunratty]

Or maybe even syntax rules would catch it!

Little known fact...

[Junta]

X11 is actually written entirely in LISP, and therefore there are too many parentheses for a mere mortal to ever get straight.

The compiler just does what you ask.

[EmbeddedJanitor]

if you said a + b * c but you really wanted (a + b) * c the compiler won't bleat.

Re:So does this mean?

[AtomicX]

In most cases the compiler will catch errors caused by typos and omissions, but it is perfectly possible to write code containing typos or missing characters which are still valid.

I had a quick look on Coverity's website and this appears to be the relevant line of code:

- if (getuid() == 0 || geteuid != 0)
+ if (getuid() == 0 || geteuid() != 0)

In the case of the first line, "geteuid != 0" is valid C code but checks whether or not the address of the geteuid function is 0.

The second line is what the programmer intended to write, which calls the geteuid function and checks the value returned by that function.

The problem (if there is one) lies with the language, not the compiler, since both of the above lines are legal C code.
Solutions to this kind of problem probably involve both a movement towards higher level languages (which are typically more verbose and don't allow low-level memory manipulation), and more extensive static code analysis. In the case of Xorg and the kernel, moving to a higher level language isn't really an option (not yet, at least).

Re:So does this mean?

[Anthony Liguori]

The problem (if there is one) lies with the language, not the compiler, since both of the above lines are legal C code.
Solutions to this kind of problem probably involve both a movement towards higher level languages (which are typically more verbose and don't allow low-level memory manipulation)

I think we can both agree Python is a higher level language. And guess what:

import os

if os.getuid() != 0 or os.geteuid = 0:

is completely valid. It's not high level vs low level languages here that's at issue. It'

Re:So does this mean?

[teslar]

Well, from TFA: "This was caused by something as seemingly harmless as a missing closing parenthesis"

So no, it is indeed just a closing paranthesis that is missing. Why exactly that bloke considered this 'seemingly harmless', I don't know though... that is rather like saying "The car crash was caused by something as seemingly harmless as a severed brakeline."

Re:How did it get through?

[moro_666]

i don't think that the flaw is really a missing ')' , it's a misplaced ')'

as in example if(somefunc(foo > 0)) {bar}

it compiles alright and even works, but it really isnt somefunc(foo) > 0 that is getting tested. the mistake is an easy one to make, and most modern languages consider it valid (even java if the func accepts a boolean argument).

i never really understood WHY is the X run as root, write a god damn device wrapper that keeps the device handlers separately in root permissions and keep the X it

Re:How did it get through?

[sl4shd0rk]

well ..

if (((people((wouldstop() == TRUE)(((&& (using_shitty_shortcuts() == FALSE))))))))
{ ...
}

It's possible that something like this may be easier to spot.
And while we're at it, start using your curly braces correctly as well.

Re:Should have written it in Lisp!

[WindBourne]

Had X11 been written in Lisp, any decent compiler would have spotted the missing parenthesis right away!

That is used as test each semester for MIT students. So, if it were available on the web, then it would remove an afternoons work.

Re:I don't understand the intention of the fixed c

[acoopersmith]

It's in code that allows you to do things like load code modules from other paths, so it's only allowed if you're already root or not running setuid-root. (It should probably check that you're not running setuid at all, but there's no real point having Xorg setuid to anyone but root, so no one has added that check.)