"A longstanding bug in the Linux kernel—quite possibly
since the first 2.6 release in 2003—has been fixed by a
recent patch, but the nearly two-month delay between the report and
the fix is raising some eyebrows. It is a local privilege
escalation flaw that can be triggered by malicious X clients
forcing the server to overrun its stack.
"The problem was discovered by Rafal Wojtczuk of Invisible
Things Lab (ITL) while working on Qubes OS, ITL's
virtualization-based, security-focused operating system. ITL's CEO
Joanna Rutkowska describes the flaw on the company's blog and
Wojtczuk released a paper [PDF] on August 17 with lots more
details. In that paper, he notes that he reported the problem to
the X.org security team on June 17, and by June 20 the team had
determined that it should be fixed in the kernel. But it took until
August 13 before that actually happened.
"In addition, the description in the patch isn't terribly
forthcoming about the security implications of the bug. That is in
keeping with Linus Torvalds's policy of disclosing security bugs
via code, but not in the commit message, because he feels that may
help "script kiddies" easily exploit the flaw. There have been
endless arguments about that policy on linux-kernel, here at LWN,
and elsewhere, but Torvalds is quite adamant about his stance.
While some are calling it a "silent" security fix—and to some
extent it is—it really should not come as much of a