X.Org
A X.Org security advisory was just announced. There is a bug in X.Org server 6.9/7.0 that allows unprivileged users to execute arbitrary code with root privileges. Apparently the bug was found when examining the results from the analysis that Coverity has been performing on a lot of open source projects (LWN article).
What’s interesting about this bug is that it illustrates how easy it is to make a tiny misstake in C that passes the compiler, doesn’t crash the program at runtime (the code is perfectly legal) but opens up the system for security attacks. They had a tiny typo in the code that checked the effective uid. Instead of checking the return value
if (geteuid() != 0) {...}
they missed the parenthesis which made the expression check if the function’s address was non-zero. Which it always is.
if (geteuid != 0) {...}
A blog entry from the guy that found the bug
http://blogs.sun.com/roller/page/alanc?entry=security_hole_in_xorg_6