Page 1 of 3 123 LastLast
Results 1 to 10 of 28

Thread: X.Org Libraries Hit By Round Of Security Issues

  1. #1
    Join Date
    Jan 2007
    Posts
    15,117

    Default X.Org Libraries Hit By Round Of Security Issues

    Phoronix: X.Org Libraries Hit By Round Of Security Issues

    It was just last month that there was an X.Org Server security issue dealing with hot-plugging of input devices. Being announced today is a new round of security problems, this time multiple issues dealing with X.Org client libraries...

    http://www.phoronix.com/vr.php?view=MTM3NzU

  2. #2
    Join Date
    Jan 2008
    Posts
    299

    Default

    Big kudos to Alan for handling this. He's already patched a bunch of these and is streaming patches out for others.

  3. #3
    Join Date
    Sep 2012
    Posts
    289

    Default

    So they are still using strcpy() ?

  4. #4
    Join Date
    Jan 2013
    Posts
    1,116

    Default

    Quote Originally Posted by BO$$ View Post
    Don't worry about it they're geniuses, nothing to worry about. Remember that Linux is invulnerable to security issues and just move along, nothing to see here.
    Feel free to fix bugs and security issues yourself, you are a programmer, feel entitled to tell others what they should work on and seem to have enough time at hand to troll around at Phoronix. So when can we see your contributions?

  5. #5
    Join Date
    Dec 2012
    Posts
    459

    Default

    For this to work (from what I take it), you would also need to modify on disk binaries to do this. Furthermore, if you take all the effort of using an unprivileged X server, then why not go the last (precious) mile and run an unprivileged client as well?

    I have been pondering for a while to use xscreensaver in combination with PAM to use luksSuspend and luksResume to suspend and resume my encrypted partition whenever I enable my screensaver (would be really kewl, no idea if my software appreciates that lol). That would have been the only scenario that I could think of (given that my X server is not privileged, which is (unfortunately) not the case).

    OR, I could use sudo and PAM (exec) and be save! =) .

  6. #6
    Join Date
    Oct 2009
    Posts
    2,122

    Default

    Quote Originally Posted by BO$$ View Post
    Don't worry about it they're geniuses, nothing to worry about. Remember that Linux is invulnerable to security issues and just move along, nothing to see here.
    I prefer patched and patchable vulnerabilities to the only alternative. Remember that ignorance doesn't protect you.

  7. #7
    Join Date
    Dec 2012
    Posts
    459

    Default

    Quote Originally Posted by droidhacker View Post
    I prefer patched and patchable vulnerabilities to the only alternative. Remember that ignorance doesn't protect you.
    In reply to:

    Quote Originally Posted by BO$$ View Post
    Don't worry about it they're geniuses, nothing to worry about. Remember that Linux is invulnerable to security issues and just move along, nothing to see here.
    Still don't know how to interpret this...

    EDIT1: #6: Yes, I did pass Enlish in high school. It should be 'safe' instead of 'save'. Sorry!

  8. #8
    Join Date
    Feb 2008
    Location
    Linuxland
    Posts
    5,186

    Default

    I think the news here is that X has an active security team

  9. #9
    Join Date
    Nov 2007
    Posts
    1,353

    Default

    And like I said in other threads at least these vulnerabilities are being announced at all. If this was proprietary software they would have been patched in the current code, ignored in older code and never mentioned to anyone.

    The only issue that was brought to my attention that I don't have a good answer for is how best to propagate patches. I mean I really don't know. Even if a fix is made, but it is not distributed then the mere announcement of this vulnerability will inform the bad guys how to get in. So propagating these security patches is critical.

  10. #10
    Join Date
    Jan 2013
    Posts
    1,116

    Default

    Quote Originally Posted by duby229 View Post
    And like I said in other threads at least these vulnerabilities are being announced at all. If this was proprietary software they would have been patched in the current code, ignored in older code and never mentioned to anyone.
    Even if the current code is patched in the most widespread desktop OS you would get the patch only on "Patch Tuesday", which maybe a month later.

    The only issue that was brought to my attention that I don't have a good answer for is how best to propagate patches. I mean I really don't know. Even if a fix is made, but it is not distributed then the mere announcement of this vulnerability will inform the bad guys how to get in. So propagating these security patches is critical.
    Propagating the patches is the job of your distro's maintainers. If the patch gets not properly propagated to you then I would think about changing the distro.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •