
23-Year-Old X11 Server Security Vulnerability Discovered

Posted by Unknown Lamer
from the stack-smashing-for-fun-and-profit dept.
An anonymous reader writes "The recent report of X11/X.Org security being in bad shape rings truer today. The X.Org Foundation announced today that they've found an X11 security issue that dates back to 1991. The issue is a possible stack buffer overflow that could lead to privilege escalation to root and affects all versions of the X Server back to X11R5. After being in the code base for 23 years, the vulnerability was finally uncovered via the automated cppcheck static analysis utility." There's a scanf used when loading BDF fonts that can overflow using a carefully crafted font. Watch out for those obsolete early-90s bitmap fonts.


  • Dangerous function (Score:5, Informative)

    by jones_supa (887896) on Wednesday January 08, 2014 @11:24AM (#45897793)

    There's a scanf used when loading BDF fonts that can overflow using a carefully crafted font. Watch out for those obsolete early-90s bitmap fonts.

    And watch out for scanf(). There's a reason Microsoft brought scanf_s() and others [microsoft.com], which the official C11 standard adopted later too.
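The scanf pattern that the summary and the comment above describe, as an added example that is not code from the X.Org server or from either poster: a minimal parser for the BDF STARTCHAR line, with the unbounded %s next to a width-bounded version that also rejects names that would have been truncated. The buffer size, function names and sample lines are assumptions made for illustration, not the server's own. One caveat on the scanf_s suggestion: sscanf_s lives in C11's optional Annex K, which glibc does not implement, so on Linux the portable fix is the width specifier shown here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed glyph-name buffer size for this example; the real server has its
 * own constant. STR() turns it into the width the format string needs, so the
 * buffer and the width can never drift apart. */
#define NAME_LEN 99
#define STR_(x) #x
#define STR(x) STR_(x)

/* VULNERABLE pattern: %s with no width. sscanf copies the token up to the first
 * whitespace no matter how long it is, so a STARTCHAR line with a 300-byte name
 * writes past name[] on the caller's stack. Kept as a reference only; it is
 * never called on the hostile line below, since that is undefined behaviour. */
int bdf_startchar_unsafe(const char *line, char name[NAME_LEN + 1])
{
    return sscanf(line, "STARTCHAR %s", name) == 1;
}

/* HARDENED: the width caps the write at NAME_LEN bytes plus the NUL. A width
 * alone silently truncates, which a later lookup by name could still trip over,
 * so truncation is detected and the line rejected.
 * Returns 1 on success, 0 if this is not a STARTCHAR line, -1 if the name does
 * not fit (name[] is then emptied). */
int bdf_startchar_safe(const char *line, char name[NAME_LEN + 1])
{
    if (sscanf(line, "STARTCHAR %" STR(NAME_LEN) "s", name) != 1)
        return 0;

    /* Re-find the token in the input and check it ends where our copy ends. */
    const char *tok = line + strlen("STARTCHAR");
    while (isspace((unsigned char)*tok))
        tok++;
    size_t n = strlen(name);
    if (tok[n] != '\0' && !isspace((unsigned char)tok[n])) {
        name[0] = '\0';
        return -1;  /* original token is longer than NAME_LEN: truncated */
    }
    return 1;
}

/* Constructed hostile input: one STARTCHAR line with a name_bytes-long name.
 * Not a real font file, just the line an attacker would plant in a .bdf. */
size_t make_long_startchar(char *out, size_t out_sz, size_t name_bytes)
{
    const char prefix[] = "STARTCHAR ";
    size_t plen = sizeof(prefix) - 1;
    if (out_sz < plen + name_bytes + 1)
        return 0;
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', name_bytes);
    out[plen + name_bytes] = '\0';
    return plen + name_bytes;
}

/* Demo helper: parse line with the hardened routine and report whether the
 * result code is rc and the parsed name equals expect ("" when rejected). */
int safe_parse_gives(const char *line, int rc, const char *expect)
{
    char name[NAME_LEN + 1] = "";
    int r = bdf_startchar_safe(line, name);
    return r == rc && strcmp(name, expect) == 0;
}

/* Demo helper: build a hostile line with a name_bytes-long name and return the
 * hardened parser's result code (-2 if the line would not fit the scratch buffer). */
int hostile_name_result(size_t name_bytes)
{
    char line[512];
    char name[NAME_LEN + 1];
    if (!make_long_startchar(line, sizeof line, name_bytes))
        return -2;
    return bdf_startchar_safe(line, name);
}

int main(void)
{
    printf("benign line  -> %d\n", safe_parse_gives("STARTCHAR space", 1, "space"));
    printf("300-byte name -> %d (expect -1: rejected)\n", hostile_name_result(300));
    /* bdf_startchar_unsafe() on that same 300-byte line would overflow name[]. */
    return 0;
}
```

Compiled with -fstack-protector, the unsafe routine on the hostile line aborts with a stack-smashing message instead of returning, which is the symptom cppcheck flagged statically here; the width-plus-truncation-check version never writes past the buffer in the first place.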

  • by 10101001 (732688) on Wednesday January 08, 2014 @11:37AM (#45897917) Journal

    Did you actually even bother checking this? No, most modern X11 servers run as root so they can* have hardware access to GLX and DRM. But, please tell me, which distro or OS do you run that runs your X11 server as non-root? Because I'd love to use a system like that.

    *Technically, privilege separation is quite possible on these points, which has been done in OpenBSD AFAIK, but very few people use OpenBSD and I think the whole point of your post was about what the vast majority of people use. Otherwise, you're just quibbling over the point without stating it that most people don't run a "modern" X11 server.

  • Re: scary (Score:0, Informative)

    by Anonymous Coward on Wednesday January 08, 2014 @11:39AM (#45897937)

    Uhh bonehead the X binary is suid-root so it can mmap the video RAM and device registers. Even though it drops root after it holds the keys to the kingdom. It can cause the graphics card to DMA over the kernel.

  • by ajdlinux (913987) on Wednesday January 08, 2014 @11:39AM (#45897941) Homepage Journal

    My Debian unstable installation would beg to differ.

    $ ps aux
    [...]
    root 24768 6.1 0.4 183832 34716 tty7 Ss+ Jan08 14:15 /usr/bin/X :0 vt7 -br -nolisten tcp -auth /var/run/xauth/A:0-86aX4a

  • by peppepz (1311345) on Wednesday January 08, 2014 @11:47AM (#45898029)
    Those fonts are read by fontconfig and freetype, while the bug is in the server-side font support, the one where you must run mkfontdir and possibly edit Xorg.conf to install new fonts. I don't think any distribution allows non-root users to do that.
  • Did you actually bother to check on multiple platforms? It's only on FreeBSD that the X server runs as root.

    drink@alexander:~$ cat /etc/issue
    Ubuntu 13.10 \n \l

    drink@alexander:~$ ps auxw | grep X
    root 1267 2.3 1.1 348276 96612 tty7 Ss+ Jan05 105:36 /usr/bin/X -core :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch

    hmm.

  • Re:Many eyes... (Score:5, Informative)

    by garyebickford (222422) <gar37bicNO@SPAMgmail.com> on Wednesday January 08, 2014 @12:51PM (#45898703)

    Actually it was shown back in the late 1970s that it is essentially impossible for 'black box' testing to discover more than about 30% of the bugs in a sufficiently large code base. It's based on the NP-complete problem of following all possible variations of the branches using all possible combinations of input, both valid and invalid. It's fairly easy to build a one-page program that cannot effectively be completely tested. It was also shown that, given good programming practice, roughly 70% of the bugs are built into the design (before a line of code has been written). Then, finally, a significant number/percentage of bugs are of the sort where it's a judgement call whether it's a bug or a feature.

    Source: I used to run a Software Quality Assurance Workshop for my then-company, and did the research. A few programming practices have changed, and the repertoire of automated tools has greatly increased in both quantity and sophistication, but average program size and the list of asynchronous externalities has ballooned by two or three orders of magnitude, so there we are.

  • Really? A quick look at Solaris 11, Scientific Linux, and Fedora all say root. If I had my IRIX box up and running I'd bet it would say root too (granted, it's XSGI, not XOrg, so this probably doesn't apply). My HP-UX and AIX boxes don't appear to be running any form of X.

    From SL 6.4:
    [armanox@dionysus ~]$ cat /etc/issue
    Scientific Linux release 6.4 (Carbon)
    Kernel \r on an \m

    [armanox@dionysus ~]$ ps auxw | grep X
    root 2413 1.1 0.8 150984 34360 tty1 Ss+ 04:05 8:04 /usr/bin/Xorg :0 -nr -verbose -audit 4 -auth /var/run/gdm/auth-for-gdm-Ms7KTS/database -nolisten tcp vt1
    armanox 14804 0.0 0.0 103252 848 pts/2 S+ 15:52 0:00 grep X
    [armanox@dionysus ~]$ ps -ef | grep X
    root 2413 2410 1 04:05 tty1 00:08:04 /usr/bin/Xorg :0 -nr -verbose -audit 4 -auth /var/run/gdm/auth-for-gdm-Ms7KTS/database -nolisten tcp vt1
    armanox 14825 14767 0 15:53 pts/2 00:00:00 grep X
    [armanox@dionysus ~]$

    and Fedora 18:
    [armanox@hecate ~]$ cat /etc/issue
    Fedora release 18 (Spherical Cow)
    Kernel \r on an \m (\l)

    [armanox@hecate ~]$ ps -ef | grep X
    root 596 1 0 00:13 ? 00:00:00 /usr/bin/abrt-watch-log -F Backtrace /var/log/Xorg.0.log -- /usr/bin/abrt-dump-xorg -xD
    root 935 797 0 00:13 tty1 00:00:18 /usr/bin/Xorg :0 -background none -verbose -auth /var/run/gdm/auth-for-gdm-nsglUa/database -seat seat0 -nolisten tcp vt1
    armanox 25526 1866 0 11:54 pts/1 00:00:00 grep --color=auto X
    [armanox@hecate ~]$

    Solaris on Sparc:
    Last login: Mon Jan 6 17:28:37 2014 from lab-files-001.l
    Oracle Corporation SunOS 5.11 11.0 November 2011
    admin@solarisvmsrv1:~$ ps -ef | grep X
            root 1308 1303 0 Nov 06 vt/7 102:15 /usr/bin/Xorg :0 -nolisten tcp -br -novtswitch -auth /tmp/gdm-auth-cookies-pEay
          admin 41176 41171 0 11:35:42 pts/1 0:00 grep X
    admin@solarisvmsrv1:~$
