Secure Coding mailing list archives

HNS - Biggest X Window security hole since 2000


From: tholleb at teknowledge.com (Tim Hollebeek)
Date: Mon, 8 May 2006 10:08:31 -0700

So, it sounds like a single byte change in the entire X src tree 
could fix a bug that could give an attacker complete control of a 
system.  Lovely...

For the curious out there, it isn't one byte, it's two.  It is a PAIR
of parentheses that are missing, not a single one, like many of the
non-technical summaries imply.

Basically, the flaw is:

     if (getuid() == 0 || geteuid == 0)

doesn't do what you intended!

-Tim

P.S. Note that this can be considered a type error if you're pedantic
enough ... it requires:

(1) an OS that uses integral types as user identifiers
(2) a language that will implicitly convert functions to pointers
(3) a language that allows pointer comparisons to zero
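
An added example, not code from this post or from the X source tree, that pulls the posted condition apart in C so each operand can be checked on its own. The uids are passed in as parameters (an assumption made for the demonstration) so every case runs without being root, and the function names are hypothetical:

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Right-hand term exactly as the post has it. The bare identifier
 * geteuid is converted to a pointer to the function (point (2) above),
 * and that pointer is compared with 0 (point (3)). A function's address
 * is never null, so the result is a constant 0 no matter who runs us.
 * Written literally as `geteuid == 0`, GCC's -Waddress (part of -Wall)
 * reports that the address will never be NULL; clang warns as well. */
int euid_term_as_written(void)
{
    uid_t (*euid_fn)(void) = geteuid;   /* what the bare name denotes */
    return euid_fn == 0;                /* always 0 */
}

/* Intended right-hand term: call the function and compare its result. */
int euid_term_as_intended(uid_t effective_uid)
{
    return effective_uid == 0;
}

/* Whole condition as posted: because the second term is constant false,
 * the || collapses to `real_uid == 0` and the effective uid is never
 * consulted. (uids are parameters here; the real code calls getuid().) */
int privileged_as_written(uid_t real_uid)
{
    return real_uid == 0 || euid_term_as_written();
}

/* Whole condition as intended: root by real uid or by effective uid. */
int privileged_as_intended(uid_t real_uid, uid_t effective_uid)
{
    return real_uid == 0 || euid_term_as_intended(effective_uid);
}

int main(void)
{
    /* Constructed sample: a set-uid-root binary started by an ordinary
     * user has real uid 1000 and effective uid 0. The intended test says
     * "privileged"; the posted test says "not privileged" because it
     * only ever looks at the real uid. */
    uid_t real_uid = 1000, effective_uid = 0;
    printf("as written : %d\n", privileged_as_written(real_uid));
    printf("as intended: %d\n", privileged_as_intended(real_uid, effective_uid));

    /* Same two expressions evaluated on the live process. */
    printf("this process: written=%d intended=%d\n",
           privileged_as_written(getuid()),
           privileged_as_intended(getuid(), geteuid()));
    return 0;
}
```

The function pointer variable stands in for the bare identifier so the file compiles cleanly; replace its use with the literal `geteuid == 0` and build with `gcc -Wall` to see the diagnostic that would have flagged the original line.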
