X Server Security Disaster: "It's Worse Than It Looks"
There's X.Org Server security vulnerabilities -- even for vulnerabilities going back two decades -- from time to time and in related components of the Linux graphics stack. Parts of the X.Org stack can be in fairly rough shape given the age of X11, but a very poor picture of it was painted at the Chaos Communication Congress. It was stated that the X.Org security is even worse than it looks.
At the 30th Chaos Communication Congress (CCC) last week in Germany, Ilja van Sprundel, a security researcher who previously reported X.Org vulnerabilities, gave a presentation. Covered in the presentation at the very well known CCC conference in Germany were client-side issues and then an entire half of the presentation devoted to the X.Org Server.
Among the quotes used were "GLX is a horrible demotivator! 80,000 lines of sheer terror." and "In the past couple of months I've found 120 bugs there, and I'm not close to done."
Those wanting to read more about the troubled state of the X.Org Server security can watch the CCC presentation video from the CCC.de web-site.
For those thinking its FUD or blown out of proportion, Oracle's Alan Coopersmith who has long been involved with X11/X.Org, was the one that originally shared this presentation on the xorg-devel list.
Alan added on the mailing list, "I think it's mostly accurate (there's a couple minor details to quibble with, and there's a bit about 10-15 minutes in everyone can fast forward through). His point about today's world being much different than when X was created, and nearly 30 year old hand written binary protocol parsing code not being the best idea, is much like the rationale for xcb's creation, but we've not been effective at getting transitioned to it. (We keep talking about using XCB to generate server-side protocol handling & byte swapping, but never have, and haven't made it possible for all the clients to move to XCB, since there's still a couple missing pieces.)"
Thankfully some of the issues should be addressed in moving to Wayland (or Mir). There's also ongoing bug-fixes and addressing of security issues in X.Org Server updates -- just last week X.Org Server 1.15 was released.
Latest Articles & Reviews
Latest Linux News
Most Viewed News This Week