[GRLUG] critical vulnerability in the X Window System
driveray at ameritech.net
Wed May 3 17:53:23 EDT 2006
Roberto Villarreal wrote:
> I read about this on slashdot, and from reading from the comments, it appears
> that the article writer used the wrong word... should have been "parentheses"
> (note the plurality). From what I read, the code read:
> if (getuid() == 0 || geteuid != 0)
> where it should have read:
> if (getuid() == 0 || geteuid() != 0)
> The posters claimed (I have not verified this) that gcc does not issue a
> warning, even with -Wall.
> As to your actual question... I don't know :-)
> Well, the diff is like this:
> - if (getuid() == 0 || geteuid != 0)
> + if (getuid() == 0 || geteuid() != 0)
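Review bot: the fix is right, and it is worth spelling out why the `-` line could never fail: `geteuid` without parentheses is the address of the function, which is never a null pointer, so `geteuid != 0` was unconditionally true and the `||` made the whole condition true for every caller, including the one case the `+` line rejects (real uid non-zero, effective uid zero). Newer gcc releases report this pattern under -Waddress ("the address of 'geteuid' will always evaluate as 'true'"), and a test that exercises the branch with a non-root real uid and a root effective uid would also have caught it.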
> So, they ended up comparing a pointer (to the function geteuid)
> to 0, instead of comparing the return value of a function call to 0.
> Both are legitimate, because 0 has to be equivalent to a null pointer.
> Some have said, gcc should know enough about the nature of the function to
> issue a warning if invoked with -Wall, but I suspect the X source spews
> so many warnings no one would have noticed.
> Apparently this bug was actually fixed a few months ago. Today
> there is another bug:
> Which it looks like all the major distros have released fixes
> for (presumably fixing the other bug too)
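As an added example (not code from this thread or from the X source), here are the two forms of the check side by side, with a function-pointer parameter standing in for the unparenthesised `geteuid`, plus stub uid functions (constructed values) so the difference can be observed regardless of who runs it:

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

typedef uid_t (*uid_fn)(void);

/* Buggy form of the quoted '-' line: 'eff' is compared as a pointer and
 * never called, so 'eff != 0' is true for any supplied function and the
 * whole condition is true no matter which uids are in play. */
int privilege_check_buggy(uid_fn real, uid_fn eff)
{
    return real() == 0 || eff != 0;
}

/* Fixed form of the '+' line: both functions are called and the uids
 * they return are what gets compared. */
int privilege_check_fixed(uid_fn real, uid_fn eff)
{
    return real() == 0 || eff() != 0;
}

/* Root cause, shown directly: a function's address is never the null
 * pointer, so comparing it against 0 can only yield 1. */
int function_address_is_nonnull(void)
{
    uid_fn fp = geteuid;  /* the bare name is an address, not a call */
    return fp != NULL;
}

/* Constructed stubs: an ordinary user (uid 1000) and root (uid 0). */
uid_t stub_uid_1000(void) { return 1000; }
uid_t stub_uid_0(void)    { return 0; }

/* Returns 1 when the two checks disagree for the given real/effective
 * uid pair; they only differ for real != 0 with effective == 0, which is
 * exactly a setuid-root process started by an ordinary user. */
int checks_disagree(uid_fn real, uid_fn eff)
{
    return privilege_check_buggy(real, eff) != privilege_check_fixed(real, eff);
}

int main(void)
{
    printf("function address non-null: %d\n", function_address_is_nonnull());
    printf("ordinary user, setuid root: buggy=%d fixed=%d\n",
           privilege_check_buggy(stub_uid_1000, stub_uid_0),
           privilege_check_fixed(stub_uid_1000, stub_uid_0));
    return 0;
}
```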