A bug-hunt funded by the US government has tracked down a serious security flaw in Linux's X Window System, caused by a missing parenthesis.
The Department of Homeland Security (DHS) launched the Vulnerability Discovery and Remediation Open Source Hardening Project in January, analysing 31 major open source programs, and some of its results were published in March. This week Coverity, one of the three organisations carrying out the $1.25 million programme, revealed that the project had discovered and fixed what it called the "biggest X Window security hole since 2000".
X Window provides the basic graphical interface capabilities used almost universally on Unix, Unix-like and Unix-derived systems, such as Linux. It's also available as an option for Mac OS X.
The flaw, spotted using Coverity's automated analysis software, was the sort of thing "that we find once every three to six years, and is very close to X's worst case scenarios in terms of security," said Daniel Stone, a release manager for the X.Org Foundation, in a statement.
The bug was found in versions X11R6.9.0 and X11R7.0.0, the first major X Window releases in a decade, issued in December 2005.
It was due to a missing parenthesis in the software checking the ID of the user, according to Coverity. Despite the seeming triviality of the mistake, it allowed local users to execute code with root privileges, the company said. The bug was fixed within a week.
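The article does not print the offending line, so the following is an added illustration rather than code from the page or from the X.Org source. It models a privilege check of the same shape: a setuid-root program deciding whether the caller may pass options that influence what runs as root, where the intended rule is "allow if the real user is root, or if the program is not running with elevated privileges". In the buggy form the effective-user-ID function is named without its call parentheses, so the expression compares the function's address with null instead of calling it; a valid function pointer is never null, so the check always passes. All function and stub names here are hypothetical, and the stubs are constructed inputs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Both versions take the uid-returning functions as parameters so the
   behaviour can be exercised deterministically with stub users. */
typedef uid_t (*uid_fn)(void);

/* Buggy form: "effective_uid" is missing its "()", so the right-hand side
   tests whether a function pointer is non-null. It always is, so the
   condition is always true and the check never denies anyone. */
bool privileged_options_allowed_buggy(uid_fn real_uid, uid_fn effective_uid) {
    return real_uid() == 0 || effective_uid != 0;
}

/* Fixed form: both functions are actually called, so an unprivileged
   caller of a setuid-root process (real uid != 0, effective uid == 0)
   is refused. */
bool privileged_options_allowed_fixed(uid_fn real_uid, uid_fn effective_uid) {
    return real_uid() == 0 || effective_uid() != 0;
}

/* Constructed stubs (hypothetical): an unprivileged user (uid 1000) and a
   process that is, or is not, running with effective uid 0. */
static uid_t stub_real_unprivileged(void) { return 1000; }
static uid_t stub_real_root(void) { return 0; }
static uid_t stub_effective_root(void) { return 0; }
static uid_t stub_effective_unprivileged(void) { return 1000; }

int main(void) {
    /* The dangerous case: ordinary user invoking a setuid-root program. */
    printf("unprivileged user, setuid-root process:\n");
    printf("  buggy check allows privileged options: %d\n",
           privileged_options_allowed_buggy(stub_real_unprivileged, stub_effective_root));
    printf("  fixed check allows privileged options: %d\n",
           privileged_options_allowed_fixed(stub_real_unprivileged, stub_effective_root));

    /* The fixed check against the real ids of this process. */
    printf("this process (real uid %u, effective uid %u): fixed check allows: %d\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           privileged_options_allowed_fixed(getuid, geteuid));
    return 0;
}
```

The parameterised form above hides the mistake from the compiler; when the bare function name is compared directly, as in `geteuid != 0`, gcc's `-Waddress` warning (part of `-Wall`) reports that the address of the function will never be null, which is the cheapest detection available for this defect class and a reason to build privileged code with warnings enabled and treated as errors.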
Coverity said it has put in a system designed to prevent new defects from making their way into the code base.
Coverity is providing its analysis software for the DHS project, with Stanford University engineers managing it and providing a public bug database. Symantec is also part of the project.
The project is auditing the open source programs that underlie critical US infrastructure such as dams, power grids and the highway system. Programs under scrutiny include Apache, FreeBSD, the GIMP Tool Kit (GTK) library, Linux, Mozilla, MySQL, PostgreSQL and Sendmail.
It has been well received by developers on some projects such as X Window System and PostgreSQL, while others, such as Ben Laurie, a chief developer of Apache, have been more critical. Laurie said the project funds bug-hunting but doesn't necessarily make a contribution to fixing the problems discovered.
Laurie has also criticised the project for coming up with large numbers of false positives in Apache.