On May 2, the folks at Coverity sent out
a press release congratulating
themselves on having found a serious vulnerability (the "BIGGEST X WINDOW
SECURITY HOLE SINCE 2000") in the X.Org server.
Articles appeared in the mainstream press on a "new" problem on Linux (and
other) systems. Linux users, however, rested easy, secure in the knowledge
that this problem, first disclosed on March 20, had been fixed long
before. In that context, however, it is interesting to note that the
LWN vulnerability entry for this
problem shows only three distributor updates, from Fedora, Mandriva, and
SUSE.
On the same day as the Coverity announcement, the X.Org developers
disclosed another
vulnerability which could result in root access for anybody who can
access an X server. Seven distributors responded this time, all within
three days. The one big name missing from the list of updates this time
around is Debian.
At a first glance, it would appear that a number of distributions remain
vulnerable to the first problem, and Debian still has to update both. The
real situation is rather better than that, but it still merits a look.
Perhaps there is a lesson or two here.
The first vulnerability remains unpatched by a number of distributors,
including Gentoo, Red Hat, Slackware, and Ubuntu. They have a good excuse,
though: they all ship X.Org 6.8.2, and this problem was introduced in
version 6.9.0. These distributors, having not shipped the vulnerable code
in the first place, just didn't feel the need to rush out an update. It is
hard to fault these distributors for relaxing in the knowledge that they
had dodged that particular bullet, but, at the same time, it seems likely
that at least some of their users were wondering where the update was -
especially after the Coverity press release came out. It
would cost distributors very little to issue an advisory saying "we are not
vulnerable" in cases like this. The additional peace of mind for users
would be more than worth it.
The second vulnerability, which does affect all X.Org users, elicited a
nearly immediate response from most distributors. The one exception is
Debian, and therein lies a different story.
Debian's stable distribution does not include X.Org at all. Instead, this
much-delayed release went out last year with the old XFree86 code - Debian
is the last major distribution to ship that code. Your editor downloaded the
XFree86 4.3.0 source, dusted off the cobwebs, and was able to convince
himself that the X.Org buffer overflow vulnerability is not present there.
So Debian did not need to issue an update, though, once again, a "don't
worry" advisory would not have hurt. For those using X.Org via Debian backports, an update (based on
the Ubuntu patch) has been made available.
The fact that vulnerabilities have been found in X.Org, rather than
XFree86, should not be seen as an indication that X.Org is a buggier
product. Instead, these disclosures reflect the fact that the X.Org code
is receiving a much higher level of scrutiny. It is doubtful that the
XFree86 code is free of vulnerabilities; it is just that few people are
looking for them. A quick glance at the XFree86 changelog shows
a couple of surprising things:
- Development of XFree86 has not stopped, though it does not appear to
be moving forward at any great pace.
- There are a number of entries like "fix an array overrun," "fix a
double-free problem," and numerous attempts to deal with "xterm's setgid
issue" - all since March. These have the look of security-related
problems, but no advisories have been issued. Whether
any of them are relevant to Debian's archaic 4.3.0 version is
unclear. Equally unclear, however, is whether anybody is watching
this stream of fixes to see whether Debian should be issuing updates;
the current Debian package was uploaded last August.
Replacing something as fundamental as the X distribution in a stable Debian
release is a daunting prospect, so it is not surprising that XFree86
remains in place after all this time. To rely on such musty old software
has its risks, however. In less than one year, the Debian "etch" release
should sweep XFree86 off its remaining Linux desktops. In the meantime,
Debian users are running a crucial package which few people actively
care about.