At the 30th Chaos Communication Congress (CCC) last week in Germany, Ilja van Sprundel, a security researcher who previously reported X.Org vulnerabilities, gave a presentation. Covered in the presentation at the very well known CCC conference in Germany were client-side issues and then an entire half of the presentation devoted to the X.Org Server.
Among the quotes used were "GLX is a horrible demotivator! 80,000 lines of sheer terror." and "In the past couple of months I've found 120 bugs there, and I'm not close to done."
Those wanting to read more about the troubled state of the X.Org Server security can watch the CCC presentation video from the CCC.de web-site.
For those thinking its FUD or blown out of proportion, Oracle's Alan Coopersmith who has long been involved with X11/X.Org, was the one that originally shared this presentation on the xorg-devel list.
Alan added on the mailing list, "I think it's mostly accurate (there's a couple minor details to quibble with, and there's a bit about 10-15 minutes in everyone can fast forward through). His point about today's world being much different than when X was created, and nearly 30 year old hand written binary protocol parsing code not being the best idea, is much like the rationale for xcb's creation, but we've not been effective at getting transitioned to it. (We keep talking about using XCB to generate server-side protocol handling & byte swapping, but never have, and haven't made it possible for all the clients to move to XCB, since there's still a couple missing pieces.)"
Thankfully some of the issues should be addressed in moving to Wayland (or Mir). There's also ongoing bug-fixes and addressing of security issues in X.Org Server updates -- just last week X.Org Server 1.15 was released.