OSNews

Fixing the hole is one thing. Updating all those millions of installations of vulnerable X out there is another.

As for OS X ... last time I checked, they weren't running X11. By reading the latest news, though, you'd think that if you're running OS X, hackers will steal your house and first-born baby.

Heh.

I wasn't referring to how quickly X Window System gets patched on OS X, but to how quickly Apple patch the OS in general.

OK, so technically X isn't part of the (GNU/)Linux OS, either! But hopefully I'm getting my point across.

"Fixing the hole is one thing. Updating all those millions of installations of vulnerable X out there is another."

One of the reasons people should just give up and use a "real" distribution if they're going to use *nix as a desktop OS.

I can't speak for others, but I had a nice little clean alert come from my notification area telling me updates were available. A couple were for X so I highlighted them and read change logs, clicked update, and was finished.

I'd imagine even Fedora would have such a nice system.

"This was caused by something as seemingly harmless as a missing closing parenthesis," Chelf said,
I'm not a programmer, but that doesn't seem like something hard to fix.
Am I missing something?

No doubt fixing it wasn't the problem; just finding it.

Finding an aeroplane in an airport isn't hard, but finding it in a desert is.

"This was caused by something as seemingly harmless as a missing closing parenthesis," Chelf said,
I'm not a programmer, but that doesn't seem like something hard to fix.

Wouldn't such code fail to compile?

It is fixed. The offending lines were because they used geteuid as a pointer and not a function.

It looked like, but wasn't exactly:
if (geteuid)
...

Where it should be
if (geteuid())
...


C lets you do this, but it's very rare that you'd want to so security scanners look for it.

Of course, the check is if you're root (id 0, or false in c) so you can see how it's a priv escalation.
I'm not sure, but I think it only works if the X11 server is running as root. It is possible for it not to be, as OS X runs it when it runs it. And some do it on Linux and BSD as well.

I think I read somewhere that this had already been fixed

You did read it somewhere: the article itself, where they say that it was fixed within one week of being reported.

The other poster (Tom K) might well have thought that the OS X comment implied you thought OS X uses X11 not Quartz. Of course OS X do ship an X server on their install DVD and for those of us who have it installed it will be interesting to see how long it takes for their software update to install a patched/fixed version.

Edited 2006-05-03 22:09