Open-source hunt digs up more flaws

Government-funded project finds holes in Ethereal and X Window System that pose a risk. But fixes are available.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
A U.S. government-sponsored open-source bug hunt has resulted in more patches and security alerts.

Vulnerabilities have been found and fixed in X Window System and Ethereal, two popular open-source software packages, according to Coverity, the maker of the code analysis tools used in the bug hunt.

The X Window System is used as the foundation of the graphical user interface of many Unix and Linux systems, while Ethereal is a sniffer tool used to analyze network traffic.

Several bugs were found in Ethereal, which is used by network administrators and hackers alike. The latest version, released last week, includes fixes for a host of security holes, including several that were identified in the scan. These flaws could allow a full compromise of a system running the vulnerable software, Coverity said. Security monitoring company Secunia deems the Ethereal issues "highly critical."

"Many of these are remotely exploitable," Andy Chou, Coverity's chief scientist, said in an interview on Wednesday. "You can send data packets, exploit it and get whatever access Ethereal is running at."

The flaw identified in X could allow a local, nonprivileged user to gain full, root-level access to a vulnerable computer, Coverity noted. The flaw, for which a patch has been available since March, is rated "less critical" by Secunia.

The bug hunt is part of a three-year "Open Source Hardening Project," dedicated to helping make such software as secure as possible. In January, the U.S. Department of Homeland Security awarded $1.24 million to Stanford University, Coverity and Symantec to find vulnerabilities in open-source projects.

Developers have been quick to fix many bugs found as part of the program. More than 900 flaws were repaired in the two weeks after Coverity announced the results of its first scan of 32 open-source projects.