Coverity catches X Window Security Hole
Posted May 3, 2006 3:27 UTC (Wed) by drag (guest, #31333)
In reply to: Coverity catches X Window Security Hole by bk
Parent article: Coverity catches X Window Security Hole
They found it, nobody else did. They deserve credit for it.
It doesn't matter that it's easily detected by humans when no human has or is going to look closely enough to spot something like that. If they didn't detect it then it would still be sitting there.
This is the whole point behind automated testing.
Remember, get enough eyes and then any code is transparent.. even if some of these eyes are computer applications.
Here is what you can do (I'd try but I don't know enough about this sort of stuff):
Write a program that goes thru the code and looks for this sort of error. A script or perl or whatever.. It just goes through the code looking for errors caused by missing parentheses of this nature.
If it has happened once I bet there is a 90% chance that this error has occurred in other parts of X.org's code base. Also it probably exists in other applications.
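A sketch of the kind of checker the comment above asks for, added here as an example; it is not part of the thread or of any project's code. It assumes the error in question is a function name used in a comparison or logical test without its call parentheses, and `find_uncalled`, `known_functions` and the C sample are constructed for illustration.

```python
import re

# Comments and string/char literals, blanked so their text is never matched.
_SKIP = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'', re.S)
# "type name(" starting in column 0: a function declaration or definition.
_DECL = re.compile(r'^(?:[A-Za-z_]\w*[\s*]+)+([A-Za-z_]\w*)\s*\(', re.M)
_PRE = r'==|!=|<=|>=|&&|\|\||!'    # operators that may precede the bare name
_POST = r'==|!=|<=|>=|&&|\|\|'     # operators that may follow it

def find_uncalled(source, known_functions=()):
    """Return (line, name) for each function name used as a comparison or
    logical operand without call parentheses (heuristic, not a C parser)."""
    # Blank with spaces but keep newlines so reported line numbers stay right.
    code = _SKIP.sub(lambda m: re.sub(r'[^\n]', ' ', m.group()), source)
    names = set(known_functions) | set(_DECL.findall(code))
    if not names:
        return []
    alt = '|'.join(sorted(map(re.escape, names)))
    # (?<![.>]) skips struct members; (?!\s*\() skips real calls.
    use = re.compile(rf'(?:(?P<pre>{_PRE})\s*)?(?<![.>])\b(?P<name>{alt})\b'
                     rf'(?!\s*\()(?:\s*(?P<post>{_POST}))?')
    hits = []
    for m in use.finditer(code):
        if m.group('pre') or m.group('post'):
            line = code.count('\n', 0, m.start('name')) + 1
            hits.append((line, m.group('name')))
    return hits

# Constructed sample, not taken from X.org: two bare names, one pointer check.
SAMPLE = """\
/* geteuid != 0 inside a comment must not be reported */
static int
is_privileged(void)
{
    return getuid() == 0 || geteuid != 0;
}
int
check(void (*cb)(void))
{
    if (cb != 0 && is_privileged)
        cb();
    return geteuid() != 0 && !is_privileged();
}
"""

if __name__ == "__main__":
    # libc prototypes live in headers we do not scan, so name them explicitly.
    for line, name in find_uncalled(SAMPLE, ["getuid", "geteuid"]):
        print(f"line {line}: '{name}' used without ()")
```

The null check on the function pointer parameter `cb` is deliberately not reported, because only names declared as functions or passed in `known_functions` are tracked.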
Posted May 3, 2006 3:57 UTC (Wed) by kirkengaard (guest, #15022)
Hooah. Alan Cox says Open Source software is always late -- here we have a need, and here we have a description for the tool to fix the problem, and so now somebody will hopefully be moved to scratch that particular itch.
Posted May 3, 2006 5:59 UTC (Wed) by TwoTimeGrime (guest, #11688)
> They found it, nobody else did.
Actually, the OpenBSD people found and fixed it almost two months ago.
See http://www.openbsd.org/cgi-bin/cvsweb/XF4/xc/programs/Xse...
Posted May 3, 2006 6:38 UTC (Wed) by nix (subscriber, #2304)
... and, as usual, didn't bother to actually tell anyone else.
Posted May 3, 2006 16:37 UTC (Wed) by TwoTimeGrime (guest, #11688)
> ... and, as usual, didn't bother to actually tell anyone else.
They might not have known that it could be a security vulnerability. They could have been fixing a typo in the code. As another poster pointed out, X.Org fixed it about two months ago as well. Coverity found it again independently but also recognized the significance of the problem.
Posted May 3, 2006 6:45 UTC (Wed) by airlied (subscriber, #9104)
X fixed it months ago as well, OpenBSD only found out about it from X.org...
Posted May 3, 2006 7:39 UTC (Wed) by trey (guest, #37500)
Actually, OpenBSD announced the fix today:
http://marc.theaimsgroup.com/?l=openbsd-security-announce...