X.Org Server 1.20.3 Released To Fix New Security Issue


  • X.Org Server 1.20.3 Released To Fix New Security Issue

    Phoronix: X.Org Server 1.20.3 Released To Fix New Security Issue

    We've known that the X.Org Server security has been a "disaster" (according to security researchers) and while many bugs have been fixed in recent years, not all of the security bugs date back so far in the decades old code-base. Out today is X.Org Server 1.20.3 to fix a new CVE issued for X.Org Server 1.19 and newer...

    http://www.phoronix.com/scan.php?pag....20.3-Released

  • #2
    Why would people have X.Org setuid'd anyway?



    • #3
      Ever since Vulkan started making the rounds it seems like no one is talking about Wayland anymore.
      I have not been following the Linux community as closely as I used to... are there any viable X-Free distros out there yet?
      I was following this thing for years... by 2020 do you think we will finally have something?



      • #4
        bpetty Most, if not all, desktop environments on Wayland also have x.org as a mandatory dependency due to many applications still relying on xwayland. Eventually it's going to be an optional dependency rather than mandatory.



        • #5
          Originally posted by bpetty
          I have not been following the Linux community as closely as I used to... are there any viable X-Free distros out there yet?
          AFAIR, Debian Sarge shipped XFree. So you can try it, if you have hardware supported by 2.4 kernel.
          Last edited by dungeon; 10-25-2018, 12:38 PM.



          • #6
            Originally posted by bpetty
            Ever since Vulkan started making the rounds it seems like no one is talking about Wayland anymore.
            I have not been following the Linux community as closely as I used to... are there any viable X-Free distros out there yet?
            I was following this thing for years... by 2020 do you think we will finally have something?
            I don't believe any currently maintained ones still do. The last time I used X-Free was on SuSE 9.2 or something around that period.



            • #7
              Originally posted by Brisse
              bpetty Most, if not all, desktop environments on Wayland also have x.org as a mandatory dependency due to many applications still relying on xwayland. Eventually it's going to be an optional dependency rather than mandatory.
              While X.org has had its security problems, in fact Wayland is not more secure. This is due to the basic architecture. Wayland places the device driver and a video GPU hardware attack surface directly into user applications. This means any bug in the GPU will be exposed to the applications, and the possibility of applications through the GPU messing with something else. Also, Wayland placing the window manager code into the display server ups the risk more. Having a stream based display protocol with a display server which has the video drivers and have the applications completely isolated from video drivers and the window manager isolated from drivers, is the best way to do things.

              Instead of Wayland, what we needed was a new implementation of a client server stream protocol, either X protocol or a new protocol, written in a secure language immune to memory management errors like buffer overruns and hanging pointers, perhaps Rust, with well documented and commented code written with a focus on readability to improve security analysis.

              This COULD be addressed however on Wayland if the Wayland developers were to develop a Wayland driver for loading into the application that would take the place of a hardware driver, that would instead take any OpenGL and Vulkan calls and window management calls from the application code and send them as protocol commands over a stream to a server that would have the actual hardware drivers in it, and cause the apps to display to a Wayland display. This would also supply us with application<-> server network transparency where you can run an app on one computer and display it to another computer or display on an app by app basis (as opposed to whole desktop network transparency). Offer SSL support and strong authentication mechanisms for good security when using over network.



              • #8
                Originally posted by dungeon

                AFAIR, Debian Sarge shipped XFree. So you can try it, if you have hardware supported by 2.4 kernel.
                Lol good one.



                • #9
                  Originally posted by bpetty
                  Ever since Vulkan started making the rounds it seems like no one is talking about Wayland anymore.
                  I have not been following the Linux community as closely as I used to... are there any viable X-Free distros out there yet?
                  I was following this thing for years... by 2020 do you think we will finally have something?
                  Sway is nearing 1.0, it's not technically X-free, in that it relies on XWayland for legacy reasons. But the point of it is to be Wayland-focussed. Also, it's not a distro, it's a DE, but I suppose you could run it on a distro that lets you choose the DE. They've just released their 1.0 beta.

                  Fedora is Wayland by default. Again, it uses XWayland, and you can still choose to use the Xorg session in gdm. But its default state is Wayland-based.



                  • #10
                    Originally posted by jpg44

                    While X.org has had its security problems, in fact Wayland is not more secure...
                    Erm, yeah it is more secure. It was built from the ground up with security in mind. You're just cherry picking one thing and theorising what that could lead to security issues.
