Secure Coding mailing list archives
HNS - Biggest X Window security hole since 2000
From: tholleb at teknowledge.com (Tim Hollebeek)
Date: Mon, 8 May 2006 10:08:31 -0700
So, it sounds like a single byte change in the entire X src tree could fix a bug that could give an attacker complete control of a system. Lovely...
For the curious out there, it isn't one byte, it's two. It is a PAIR of parentheses that are missing, not a single one, like many of the non-technical summaries imply. Basically, the flaw is:

    if (getuid() == 0 || geteuid == 0)

doesn't do what you intended!

-Tim

P.S. Note that this can be considered a type error if you're pedantic enough ... it requires:

(1) an OS that uses integral types as user identifiers
(2) a language that will implicitly convert functions to pointers
(3) a language that allows pointer comparisons to zero
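The check from the message above, reproduced next to the form with the parentheses restored, as an added example that is not part of the original post or of the X source. The `sim_*` functions, `set_ids` and the UID values are hypothetical stand-ins for `getuid()`/`geteuid()` so the setuid case can be run without privileges.

```c
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-ins for getuid()/geteuid(); names and values are
 * hypothetical and exist only so every UID combination can be exercised. */
static uid_t sim_ruid, sim_euid;
static uid_t sim_getuid(void)  { return sim_ruid; }
static uid_t sim_geteuid(void) { return sim_euid; }
static void set_ids(uid_t ruid, uid_t euid) { sim_ruid = ruid; sim_euid = euid; }

/* As written in the message: the second operand names the function instead
 * of calling it, so it decays to a function pointer and is compared with a
 * null pointer constant. A defined function's address is never null, so the
 * clause is always false and the effective UID is never consulted.
 * GCC and Clang report this under -Waddress (part of -Wall); the pragma
 * silences it here only so the example also builds with -Werror. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Waddress"
static int check_as_written(void)
{
    return sim_getuid() == 0 || sim_geteuid == 0;
}
#pragma GCC diagnostic pop

/* With the pair of parentheses restored: both identities are tested. */
static int check_as_intended(void)
{
    return sim_getuid() == 0 || sim_geteuid() == 0;
}

int main(void)
{
    /* Constructed cases: real UID, effective UID. */
    static const struct { uid_t ruid, euid; const char *label; } cases[] = {
        { 0,    0,    "root running the program" },
        { 1000, 1000, "ordinary user, no setuid bit" },
        { 1000, 0,    "ordinary user, setuid-root binary" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        set_ids(cases[i].ruid, cases[i].euid);
        printf("%-36s as written: %d  as intended: %d\n",
               cases[i].label, check_as_written(), check_as_intended());
    }
    return 0;
}
```

The two checks disagree only when the real UID is non-zero and the effective UID is zero, which is the situation a setuid-root binary is in when an ordinary user starts it.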