Announcement

Collapse
No announcement yet.

X.Org Libraries Hit By Round Of Security Issues

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • X.Org Libraries Hit By Round Of Security Issues

    Phoronix: X.Org Libraries Hit By Round Of Security Issues

    It was just last month that there was an X.Org Server security issue dealing with hot-plugging of input devices. Being announced today is a new round of security problems, this time multiple issues dealing with X.Org client libraries...

    http://www.phoronix.com/vr.php?view=MTM3NzU

  • #2
    Big kudos to Alan for handling this. He's already patched a bunch of these and is streaming patches out for others.

    Comment


    • #3
      So they are still using strcpy() ?

      Comment


      • #4
        Originally posted by BO$$ View Post
        Don't worry about it they're geniuses, nothing to worry about. Remember that Linux is invulnerable to security issues and just move along, nothing to see here.
        Feel free to fix bugs and security issues yourself, you are a programmer, feel entitled to tell others what they should work on and seem to have enough time at hand to troll around at Phoronix. So when can we see your contributions?

        Comment


        • #5
          For this to work (from what I take it), you would also need to modify on disk binaries to do this. Furthermore, if you take all the effort of using an unprivileged X server, then why not go the last (precious) mile and run an unprivileged client as well?

          I have been pondering for a while to use xscreensaver in combination with PAM to use luksSuspend and luksResume to suspend and resume my encrypted partition whenever I enable my screensaver (would be really kewl, no idea if my software appreciates that lol). That would have been the only scenario that I could think of (given that my X server is not privileged, which is (unfortunately) not the case).

          OR, I could use sudo and PAM (exec) and be save! =) .

          Comment


          • #6
            Originally posted by BO$$ View Post
            Don't worry about it they're geniuses, nothing to worry about. Remember that Linux is invulnerable to security issues and just move along, nothing to see here.
            I prefer patched and patchable vulnerabilities to the only alternative. Remember that ignorance doesn't protect you.

            Comment


            • #7
              Originally posted by droidhacker View Post
              I prefer patched and patchable vulnerabilities to the only alternative. Remember that ignorance doesn't protect you.
              In reply to:

              Originally posted by BO$$ View Post
              Don't worry about it they're geniuses, nothing to worry about. Remember that Linux is invulnerable to security issues and just move along, nothing to see here.
              Still don't know how to interpret this...

              EDIT1: #6: Yes, I did pass Enlish in high school. It should be 'safe' instead of 'save'. Sorry!

              Comment


              • #8
                I think the news here is that X has an active security team

                Comment


                • #9
                  And like I said in other threads at least these vulnerabilities are being announced at all. If this was proprietary software they would have been patched in the current code, ignored in older code and never mentioned to anyone.

                  The only issue that was brought to my attention that I don't have a good answer for is how best to propagate patches. I mean I really don't know. Even if a fix is made, but it is not distributed then the mere announcement of this vulnerability will inform the bad guys how to get in. So propagating these security patches is critical.

                  Comment


                  • #10
                    Originally posted by duby229 View Post
                    And like I said in other threads at least these vulnerabilities are being announced at all. If this was proprietary software they would have been patched in the current code, ignored in older code and never mentioned to anyone.
                    Even if the current code is patched in the most widespread desktop OS you would get the patch only on "Patch Tuesday", which maybe a month later.

                    The only issue that was brought to my attention that I don't have a good answer for is how best to propagate patches. I mean I really don't know. Even if a fix is made, but it is not distributed then the mere announcement of this vulnerability will inform the bad guys how to get in. So propagating these security patches is critical.
                    Propagating the patches is the job of your distro's maintainers. If the patch gets not properly propagated to you then I would think about changing the distro.

                    Comment

                    Working...
                    X