At 11:12 AM -0400 5/4/06, Kenneth R. van Wyk wrote:
> Stories about this (below) X bug and the DHS-sponsored project that found it 
> have been floating around the net all week.  This story caught my eye, 
> though:
> 
> http://www.net-security.org/secworld.php?id=3994
> 
> The author claims, "This flaw, caused by something as seemingly harmless as a 
> missing closing parenthesis, allowed local users to execute code with root 

Certainly that part is OS-specific.  On my VMS machine, X-windows processes
do not run as root.

> privileges, giving them the ability to overwrite system files or initiate 
> denial of service attacks."
> 
> So, it sounds like a single byte change in the entire X src tree could fix a 
> bug that could give an attacker complete control of a system.  Lovely...
-- 
Larry Kilgallen
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
