[GRLUG] critical vulnerability in the X Window System
Raymond McLaughlin
driveray at ameritech.net
Wed May 3 14:28:38 EDT 2006
<http://www.eweek.com/article2/0,1895,1956652,00.asp>
"It could be exploited to allow local users to execute code with root
privileges, giving them the ability to overwrite system files or initiate
denial-of-service attacks."
Highly plausible because X itself runs with root privileges
From the article: "...the flaw resulted from a missing parenthesis on a small
piece of the program that checked the ID of the user." I'm surprised it
compiled. The compiler should have at least given a warning message.
The article also says "The flaw, which affects X11R6.9.0 and X11R7.0.0, was
fixed within a week of its discovery,... " but doesn't give a discovery date.
Anyone seen an update in any distro to fix this? I ran SuSE online update for
the first time in over a week, and saw no mention of X and authentication.
Mildly concerned
Raymond McLaughlin
More information about the grlug
mailing list