Announcement

Collapse
No announcement yet.

More X.Org Security Vulnerabilities Published, Date Back To X11R5

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • More X.Org Security Vulnerabilities Published, Date Back To X11R5

    Phoronix: More X.Org Security Vulnerabilities Published, Date Back To X11R5

    There's been several high profile open-source security bugs uncovered recently from the well known OpenSSL heartbleed bug to an issue with the Linux kernel. Unfortunately, there's more to report today, but this time in the space of X.Org with multiple security issues that have been present going back to X11R5, which was released in 1991...

    http://www.phoronix.com/vr.php?view=MTY4OTA

  • #2
    Good thing everybody (read: only specialized thin client setups) runs the font server.

    Comment


    • #3
      I used to run a ttf font server maybe 10 years ago to allow legacy apps to use ttf fonts... This bug should be fixed, of course, however is not as severe as the title and the abstract suggest.

      Comment


      • #4
        Yes, it has some vulnerabilities, but Wayland/Weston no? are perfect? LOL... Wayland and Weston will have more and dangerous bugs

        Comment


        • #5
          Originally posted by philipmorris View Post
          Yes, it has some vulnerabilities, but Wayland/Weston no? are perfect? LOL... Wayland and Weston will have more and dangerous bugs
          You're funny!

          Comment


          • #6
            Originally posted by philipmorris View Post
            Yes, it has some vulnerabilities, but Wayland/Weston no? are perfect? LOL... Wayland and Weston will have more and dangerous bugs
            Wayland is an API; if it has any bugs, it'll cause interoperability, portability, or compatibility problems--security problems, not so much.

            Weston (and other Wayland implementations) will have bugs, but most software does. If you had security problems with Gnome, you still will, but with Wayland you won't have to worry about that other process (the X server) being a potential attack vector.

            Comment


            • #7
              Originally posted by philipmorris View Post
              Wayland and Weston will have more and dangerous bugs
              And you conclude this based on...what, exactly?

              Comment


              • #8
                X.org: even its bugs are amazing.

                Comment


                • #9
                  Originally posted by TheBlackCat View Post
                  And you conclude this based on...what, exactly?
                  First because is developed for be used primarily in smartphones and second because is developed in a race against canonical. And i know Wayland development begun before but righ now is a race
                  Last edited by philipmorris; 05-13-2014, 02:05 PM. Reason: primarily

                  Comment


                  • #10
                    Originally posted by philipmorris View Post
                    First because is developed for be used primarily in smartphones and second because is developed in a race against canonical.
                    Ignoring the fact that neither is actually true (it is true for Mir but not Wayland), there is no reason the first one would lead to bugs at all, and there is no reason the second would automatically lead to more bugs than something like xorg that is full of decades of legacy cruft that the current developers don't even understand.

                    Comment


                    • #11
                      Update recived But reading a libxfont Debian changelog from Janary, it says:

                      * Disable support for connecting to a font server. That code is horrible and full of holes.

                      Comment


                      • #12
                        I remember when somebody here spent dozens of posts trying to convince everyone the NSA was spying on us through proprietary software, and Linux was the only solution because they couldn't have access to any zero day exploits on linux, because no such bugs existed in open source software. Then they asked me to prove that a 0 day exploit existed, when i said that the NSA surely had some for OSS just like proprietary.

                        I wonder if we're past that now?

                        Comment


                        • #13
                          Originally posted by philipmorris View Post
                          First because is developed for be used primarily in smartphones and second because is developed in a race against canonical. And i know Wayland development begun before but righ now is a race
                          Good story, that one.

                          Comment


                          • #14
                            Originally posted by smitty3268 View Post
                            I remember when somebody here spent dozens of posts trying to convince everyone the NSA was spying on us through proprietary software, and Linux was the only solution because they couldn't have access to any zero day exploits on linux, because no such bugs existed in open source software. Then they asked me to prove that a 0 day exploit existed, when i said that the NSA surely had some for OSS just like proprietary.

                            I wonder if we're past that now?
                            well there always be security bugs, the important thing is take the step needed to fix them transparently, ofc note that always X has been a security issue since day 1, i even believe initial security designs for X systems were started even before the internet became popular and the API by today standards is horrid.

                            one thing to note is linux security bugs are harder to exploit and is way harder to compromise the entire system compared to windows(ofc if disable selinux set all your permissions to 0777 and set root password to 1234 the kernel can only do so much), for example as demostrated many times in security competitions is very easy from a browser to compromise the entire NT kernel security systems and even extract encryption keys, format drives, or even plant hidden services to the OS inside the Kernel itself masked as kernel internal processes. In contrast in Unices you normally can play hell with the service you cracked but get out of it and compromise the kernel is quite a nasty and only few has actually managed the feat, sure if you target a big name service like openssl is an scandal but the only actual service affected is openssl and related openssl compromised operations but for example won't allow you to bypass heimdal security or intercept a DRM render node or corrupt kernel file descriptor without an additional focused for those operations

                            Comment


                            • #15
                              Originally posted by smitty3268 View Post
                              I remember when somebody here spent dozens of posts trying to convince everyone the NSA was spying on us through proprietary software, and Linux was the only solution because they couldn't have access to any zero day exploits on linux, because no such bugs existed in open source software. Then they asked me to prove that a 0 day exploit existed, when i said that the NSA surely had some for OSS just like proprietary.

                              I wonder if we're past that now?
                              They missed one possibility:
                              Someone may write code that nobody understands, and publish them as "open" source software.

                              Comment

                              Working...
                              X