May 3rd, 2006

  • evan

type error -> security vulnerability

Critical X bug. Normal users can use it to get root.

The bug was:
if (getuid() == 0 || geteuid != 0)

Reasons it shouldn't have happened:
  • Why can you compare pointers and integers without a compiler warning? (This actually surprises me: it appears to be true even in C++...?)
  • Why does X run as root? (Even if it tries to drop privileges, this bug was in the startup code.) (I know the answer to this, but, sigh.)
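The effect of the missing parentheses, as an added example that is not the X server's code: `fake_getuid`/`fake_geteuid` and the sample uids are hypothetical stand-ins, and the reading of the intended check (real root, or no effective root) is inferred from the expression itself.

```c
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-ins for getuid()/geteuid(), so each case can be
   exercised without real privileges. Not the X server's code. */
static uid_t sim_uid, sim_euid;
static uid_t fake_getuid(void)  { return sim_uid; }
static uid_t fake_geteuid(void) { return sim_euid; }

/* Same shape as the bug: without "()", fake_geteuid is the function's
   address, which is never null, so the right-hand side is always true. */
int buggy_allows(uid_t uid, uid_t euid)
{
    sim_uid = uid;
    sim_euid = euid;
    return fake_getuid() == 0 || fake_geteuid != 0;
}

/* With the call in place: allow if the real user is root, or if the
   process is not running with effective root. */
int fixed_allows(uid_t uid, uid_t euid)
{
    sim_uid = uid;
    sim_euid = euid;
    return fake_getuid() == 0 || fake_geteuid() != 0;
}

int main(void)
{
    /* Constructed cases: {real uid, effective uid, description}. */
    static const struct { uid_t uid, euid; const char *what; } cases[] = {
        { 0,    0,    "root running the binary" },
        { 1000, 1000, "normal user, binary not setuid" },
        { 1000, 0,    "normal user, setuid-root binary" },
    };
    size_t i;

    printf("%-34s buggy fixed\n", "case");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-34s %5d %5d\n", cases[i].what,
               buggy_allows(cases[i].uid, cases[i].euid),
               fixed_allows(cases[i].uid, cases[i].euid));
    return 0;
}
```

Only the third row differs: the buggy check lets an unprivileged user through while the process holds effective root. Current GCC flags the comparison under `-Waddress` (part of `-Wall`), so `-Werror=address` turns it into a build failure.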