Another X.Org Security Bug Found, Dates Back To 1991

  • Another X.Org Security Bug Found, Dates Back To 1991

    Phoronix: Another X.Org Security Bug Found, Dates Back To 1991

    Another X.Org Security Advisory had to be publicly issued today to make known a buffer overflow in an X.Org library that's been present in every X11 release from X11R5 and the code was completed way back in 1991...

    http://www.phoronix.com/vr.php?view=MTU2Mjg

  • #2
    Someone should track records for longest-running security bugs in X. 23 years sounds about right for the current record



    • #3
      I can just imagine how much shit is going around and swimming and singing inside Xorg's source code...



      • #4
        "given enough eyeballs, all bugs are shallow"

        http://en.wikipedia.org/wiki/Linus's_Law

        after some time...



        • #5
          Originally posted by michal
          "given enough eyeballs, all bugs are shallow"

          http://en.wikipedia.org/wiki/Linus's_Law

          after some time...

          There weren't enough eyeballs because most people who dare to look at the abomination of the X source code tend to go blind (and clinically insane) very quickly. Note that it was an automated tool that found the bug



          • #6
            X.Org: Constantly being improved.



            • #7
              Originally posted by michal
              "given enough eyeballs, all bugs are shallow"

              http://en.wikipedia.org/wiki/Linus's_Law

              after some time...
              "In Facts and Fallacies about Software Engineering, Robert Glass refers to the law as a "mantra" of the open source movement, but calls it a fallacy due to the lack of supporting evidence and because research has indicated that the rate at which additional bugs are uncovered does not scale linearly with the number of reviewers; rather, there is a small maximum number of useful reviewers, between two and four, and additional reviewers above this number uncover bugs at a much lower rate.[4] While closed-source practitioners also promote stringent, independent code analysis during a software project's development, they focus on in-depth review by a few and not primarily the number of "eyeballs"."



              • #8
                Originally posted by Sergio
                "In Facts and Fallacies about Software Engineering, Robert Glass refers to the law as a "mantra" of the open source movement, but calls it a fallacy due to the lack of supporting evidence and because research has indicated that the rate at which additional bugs are uncovered does not scale linearly with the number of reviewers; rather, there is a small maximum number of useful reviewers, between two and four, and additional reviewers above this number uncover bugs at a much lower rate.[4] While closed-source practitioners also promote stringent, independent code analysis during a software project's development, they focus on in-depth review by a few and not primarily the number of "eyeballs"."
                Of course, the authors making such a claim are from Microsoft.



                • #9
                  Originally posted by johnc
                  X.Org: Constantly being improved.
                  Just loved your comment. Now updating my X.org..........



                  • #10
                    Originally posted by Sergio
                    "In Facts and Fallacies about Software Engineering, Robert Glass refers to the law as a "mantra" of the open source movement, but calls it a fallacy due to the lack of supporting evidence and because research has indicated that the rate at which additional bugs are uncovered does not scale linearly with the number of reviewers; rather, there is a small maximum number of useful reviewers, between two and four, and additional reviewers above this number uncover bugs at a much lower rate.[4] While closed-source practitioners also promote stringent, independent code analysis during a software project's development, they focus on in-depth review by a few and not primarily the number of "eyeballs"."
                    Both Linus's and Microsoft's conclusions are logically flawed.
                    Open Source has more eyeballs, but each project is different and the code is different and the project members are different. Case in point - I wanna kill a few Qt devs because they're so nitpicky about the code I wanted to contribute.
                    Whether the code is open or closed source doesn't make it "better" in any way, not even security-wise, there's always half-truths that you can pick to support either claim. It's just like those idiots who say "(all) women are bla-bla" or those idiot women who say "(all) men are bla-bla", and in each case pick only the facts that support their views. Democrats vs republicans, etc, typical logical crap.



                    • #11
                      Originally posted by mark45
                      Both Linus's and Microsoft's conclusions are logically flawed.
                      Open Source has more eyeballs, but each project is different and the code is different and the project members are different. Case in point - I wanna kill a few Qt devs because they're so nitpicky about the code I wanted to contribute.
                      Whether the code is open or closed source doesn't make it "better" in any way, not even security-wise, there's always half-truths that you can pick to support either claim. It's just like those idiots who say "(all) women are bla-bla" or those idiot women who say "(all) men are bla-bla", and in each case pick only the facts that support their views. Democrats vs republicans, etc, typical logical crap.
                      I agree.
                      It is commonly thought that being open source makes it inherently secure (or, at least, MORE secure). I don't think this is necessarily the case; the complexity of software development invalidates this assumption. Also, I think that, although the code is there for anyone to review, in practice only a handful of people actually do it, and even fewer people have the authority or experience to actually find a bug or some potential flaw.



                      • #12
                        Originally posted by chuckula
                        There weren't enough eyeballs because most people who dare to look at the abomination of the X source code tend to go blind (and clinically insane) very quickly. Note that it was an automated tool that found the bug
                        Not if they wear those cool shades like you just did



                        • #13
                          Originally posted by MartinN
                          Not if they wear those cool shades like you just did
                          YEAAHHH!!! we don't get fooled again No, no!

                          Too late for chuckula's post, but it had to be done.



                          • #14
                            Originally posted by phoronix
                            Phoronix: Another X.Org Security Bug Found, Dates Back To 1991

                            Another X.Org Security Advisory had to be publicly issued today to make known a buffer overflow in an X.Org library that's been present in every X11 release from X11R5 and the code was completed way back in 1991...

                            http://www.phoronix.com/vr.php?view=MTU2Mjg
                            Something nice to watch
                            https://www.youtube.com/watch?v=2l7ixRE3OCw



                            • #15
                              Originally posted by mark45
                              Both Linus's and Microsoft's conclusions are logically flawed.
                              Yes/No/Maybe. In any case, the cited 'law' is the one made up by ESR.

