Thread: More X.Org Security Vulnerabilities Published, Date Back To X11R5

  1. #11 (Join Date: Feb 2008, Posts: 1,065)

    Update received. But reading a libxfont Debian changelog from January, it says:

    * Disable support for connecting to a font server. That code is horrible and full of holes.

  2. #12 (Join Date: Oct 2008, Posts: 3,173)

    I remember when somebody here spent dozens of posts trying to convince everyone the NSA was spying on us through proprietary software, and Linux was the only solution because they couldn't have access to any zero-day exploits on Linux, because no such bugs existed in open source software. Then they asked me to prove that a 0-day exploit existed, when I said that the NSA surely had some for OSS just like proprietary.

    I wonder if we're past that now?

  3. #13 (Join Date: Jan 2013, Posts: 55)

    Quote Originally Posted by philipmorris:
    First, because it is developed to be used primarily in smartphones, and second, because it is developed in a race against Canonical. And I know Wayland development began before, but right now it is a race.
    Good story, that one.

  4. #14 (Join Date: Jun 2009, Posts: 1,172)

    Quote Originally Posted by smitty3268:
    I remember when somebody here spent dozens of posts trying to convince everyone the NSA was spying on us through proprietary software, and Linux was the only solution because they couldn't have access to any zero-day exploits on Linux, because no such bugs existed in open source software. Then they asked me to prove that a 0-day exploit existed, when I said that the NSA surely had some for OSS just like proprietary.

    I wonder if we're past that now?
    Well, there will always be security bugs; the important thing is to take the steps needed to fix them transparently. Of course, note that X has always been a security issue since day 1. I even believe the initial security designs for X systems were started before the internet became popular, and the API by today's standards is horrid.

    One thing to note is that Linux security bugs are harder to exploit, and it is way harder to compromise the entire system compared to Windows (of course, if you disable SELinux, set all your permissions to 0777 and set the root password to 1234, the kernel can only do so much). For example, as demonstrated many times in security competitions, it is very easy from a browser to compromise the entire NT kernel security system and even extract encryption keys, format drives, or even plant hidden services in the OS inside the kernel itself, masked as kernel-internal processes. In contrast, in Unices you can normally play hell with the service you cracked, but getting out of it and compromising the kernel is quite nasty, and only a few have actually managed the feat. Sure, if you target a big-name service like OpenSSL it's a scandal, but the only actual service affected is OpenSSL and related OpenSSL-compromised operations; it won't, for example, allow you to bypass Heimdal security, intercept a DRM render node or corrupt a kernel file descriptor without an additional one focused on those operations.

  5. #15 (Join Date: Mar 2012, Posts: 123)

    Quote Originally Posted by smitty3268:
    I remember when somebody here spent dozens of posts trying to convince everyone the NSA was spying on us through proprietary software, and Linux was the only solution because they couldn't have access to any zero-day exploits on Linux, because no such bugs existed in open source software. Then they asked me to prove that a 0-day exploit existed, when I said that the NSA surely had some for OSS just like proprietary.

    I wonder if we're past that now?
    They missed one possibility:
    Someone may write code that nobody understands, and publish it as "open" source software.

  6. #16 (Join Date: Sep 2011, Posts: 276)

    Quote Originally Posted by philipmorris:
    Yes, it has some vulnerabilities, but Wayland/Weston don't? Are they perfect? LOL... Wayland and Weston will have more, and dangerous, bugs.
    Is any software of much more complexity than "hello world" perfect? No. Is Weston vastly more simple/straightforward than X11? Yes. Is that a good thing from a software security standpoint? Yes. Was Wayland developed in an era where the security/threat model was very different than today? No. Was X11? Yes.

  7. #17 (Join Date: Jan 2011, Posts: 100)

    Quote Originally Posted by smitty3268:
    Then they asked me to prove that a 0-day exploit existed, when I said that the NSA surely had some for OSS just like proprietary.

    I wonder if we're past that now?
    Since Xorg is OSS, even if this took long, this bug was seen and fixed by someone who had no relationship whatsoever with who created it. If it wasn't OSS, this bug would stay unnoticed forever, unless the ghost of some developer from 1991 went back to his former office, took the secret X11 source code from some boxed set of floppy disks and started working on it.

    OSS gives you asymptotic correctness, closed source gives you indefinite exploitability.

  8. #18 (Join Date: Jul 2013, Posts: 224)

    Quote Originally Posted by smitty3268:
    I remember when somebody here spent dozens of posts trying to convince everyone the NSA was spying on us through proprietary software, and Linux was the only solution because they couldn't have access to any zero-day exploits on Linux, because no such bugs existed in open source software. Then they asked me to prove that a 0-day exploit existed, when I said that the NSA surely had some for OSS just like proprietary.

    I wonder if we're past that now?
    I don't think the whole NSA thing has ever been about zero-day exploits in proprietary software, but rather built-in backdoors.

    Security holes exist because something is broken; it's like having a window on your house that doesn't shut properly. Backdoors in closed source are more like having the key to your house. It's less likely that open source has these deliberate backdoors.
