X.Org Libraries Hit By Round Of Security Issues


  • X.Org Libraries Hit By Round Of Security Issues

    Phoronix: X.Org Libraries Hit By Round Of Security Issues

    It was just last month that there was an X.Org Server security issue dealing with hot-plugging of input devices. Being announced today is a new round of security problems, this time multiple issues dealing with X.Org client libraries...

    http://www.phoronix.com/vr.php?view=MTM3NzU

  • #2
    Big kudos to Alan for handling this. He's already patched a bunch of these and is streaming patches out for others.

    • #3
      So they are still using strcpy() ?

      • #4
        Originally posted by BO$$:
        Don't worry about it they're geniuses, nothing to worry about. Remember that Linux is invulnerable to security issues and just move along, nothing to see here.
        Feel free to fix bugs and security issues yourself, you are a programmer, feel entitled to tell others what they should work on and seem to have enough time at hand to troll around at Phoronix. So when can we see your contributions?

        • #5
          For this to work (from what I take it), you would also need to modify on disk binaries to do this. Furthermore, if you take all the effort of using an unprivileged X server, then why not go the last (precious) mile and run an unprivileged client as well?

          I have been pondering for a while to use xscreensaver in combination with PAM to use luksSuspend and luksResume to suspend and resume my encrypted partition whenever I enable my screensaver (would be really kewl, no idea if my software appreciates that lol). That would have been the only scenario that I could think of (given that my X server is not privileged, which is (unfortunately) not the case).

          OR, I could use sudo and PAM (exec) and be save! =) .

          • #6
            Originally posted by BO$$:
            Don't worry about it they're geniuses, nothing to worry about. Remember that Linux is invulnerable to security issues and just move along, nothing to see here.
            I prefer patched and patchable vulnerabilities to the only alternative. Remember that ignorance doesn't protect you.

            • #7
              Originally posted by droidhacker:
              I prefer patched and patchable vulnerabilities to the only alternative. Remember that ignorance doesn't protect you.
              In reply to:

              Originally posted by BO$$:
              Don't worry about it they're geniuses, nothing to worry about. Remember that Linux is invulnerable to security issues and just move along, nothing to see here.
              Still don't know how to interpret this...

              EDIT1: #6: Yes, I did pass English in high school. It should be 'safe' instead of 'save'. Sorry!

              • #8
                I think the news here is that X has an active security team

                • #9
                  And like I said in other threads at least these vulnerabilities are being announced at all. If this was proprietary software they would have been patched in the current code, ignored in older code and never mentioned to anyone.

                  The only issue that was brought to my attention that I don't have a good answer for is how best to propagate patches. I mean I really don't know. Even if a fix is made, but it is not distributed then the mere announcement of this vulnerability will inform the bad guys how to get in. So propagating these security patches is critical.

                  • #10
                    Originally posted by duby229:
                    And like I said in other threads at least these vulnerabilities are being announced at all. If this was proprietary software they would have been patched in the current code, ignored in older code and never mentioned to anyone.
                    Even if the current code is patched in the most widespread desktop OS you would get the patch only on "Patch Tuesday", which may be a month later.

                    The only issue that was brought to my attention that I don't have a good answer for is how best to propagate patches. I mean I really don't know. Even if a fix is made, but it is not distributed then the mere announcement of this vulnerability will inform the bad guys how to get in. So propagating these security patches is critical.
                    Propagating the patches is the job of your distro's maintainers. If the patch does not get properly propagated to you then I would think about changing the distro.

                    • #11
                      Originally posted by duby229:
                      And like I said in other threads at least these vulnerabilities are being announced at all. If this was proprietary software they would have been patched in the current code, ignored in older code and never mentioned to anyone.

                      The only issue that was brought to my attention that I don't have a good answer for is how best to propagate patches. I mean I really don't know. Even if a fix is made, but it is not distributed then the mere announcement of this vulnerability will inform the bad guys how to get in. So propagating these security patches is critical.
                      Since we know the name of the patcher it's not a big deal to just watch the source repo for any of his recent commits and just apply them to individual distro's X server (or your own X server source tree if you want to get the fixes immediately). Another reason I like running Arch (or Gentoo): faster security fixes, no need to backport to older versions, just load up the new x.y.z+1 release.

                      • #12
                        Originally posted by curaga:
                        I think the news here is that X has an active security team
                        Er yeah, between RHEL, SUSE, Debian, Solaris, the BSDs etc, that's fairly well covered ...

                        • #13
                          Originally posted by duby229:
                          The only issue that was brought to my attention that I don't have a good answer for is how best to propagate patches. I mean I really don't know. Even if a fix is made, but it is not distributed then the mere announcement of this vulnerability will inform the bad guys how to get in. So propagating these security patches is critical.
                          We tried to give the good guys a two week head start over the bad guys, by sending the advisory draft and proposed patches to the distros @ openwall list before the advisory went public. There is no perfect solution here, and a lot of the current structure relies on good faith, but it's better than doing nothing.

                          And while there's a massive pile of patches here, it's not that massive of a hole - the primary risk is if you have users on your Linux/Unix box that you trust to run programs but not to have root on the box. This isn't an "anyone who can open a TCP connection to your box owns you now" sort of hole (at least not in any scenario we've thought of - unfortunately with lower-level library code, we don't know all the ways programs may be using it).

                          • #14
                            Originally posted by BO$$:
                            Arch? Gentoo? Hard sell to people who don't see the OS as an end in itself.
                            I just use Arch so that I don't have to deal with reinstallations / worrying "Did I get the most recent update?" Also the AUR is a nice touch for loading basically any app I want, and keeping them updated fairly automatically. Gentoo though, I agree, that's more of an "OS as the end unto itself".

                            • #15
                              Originally posted by BO$$:
                              Arch? Gentoo? Hard sell to people who don't see the OS as an end in itself.
                              Yes, but alternatively, consider Ubuntu: I'm running a two-year old installation and will never see these (or any other) patches.

                              But it is true that you get what you pay for.
