XWayland 22.1.3 Released Due To XKB Security Vulnerabilities

  • XWayland 22.1.3 Released Due To XKB Security Vulnerabilities

    Phoronix: XWayland 22.1.3 Released Due To XKB Security Vulnerabilities

    Disclosed on Tuesday were two new X.Org Server security vulnerabilities concerning possible local privilege escalation and remote code execution. X.Org Server 21.1.4 was released with these mitigations to the XKB extension while XWayland is also vulnerable and has now been patched with XWayland 22.1.3...

    https://www.phoronix.com/scan.php?pa...2.1.3-Released

  • #2
    updated: https://www.youtube.com/watch?v=NeFdMvFFIts


    • #3
      And here we all say Wayland is secure...

      (it is, but without XWayland... one day we might achieve that goal)


      • #4
        A pure Wayland OS is not possible to realize. That's the matter. X11/Xorg is becoming what Intel CPUs have become in the processors.
        Last edited by MorrisS.; 13 July 2022, 06:31 AM.


        • #5
          Originally posted by MorrisS.
          A pure Wayland OS is not possible to realize. That's the matter. X11/Xorg is becoming what Intel CPUs have become in the processors.
          The biggest missing stuff for me is Electron apps that use a shitty old version, like Discord (in the Arch AUR there is a version that uses a newer version, but that is buggy, sadly), and games. Not sure how good the Wine Wayland stuff is already. But you can have a basic office PC without the need for XWayland.
          Last edited by Toggleton; 13 July 2022, 08:22 AM.


          • #6
            Originally posted by Toggleton

            The biggest missing stuff for me is Electron apps that use a shitty old version, like Discord, and games. Not sure how good the Wine Wayland stuff is already. But you can have a basic office PC without the need for XWayland.
            It's time that new Linux OSes be developed in Wayland directly. Unlike Red Hat, the other OSes' development teams are not able to move to pure Wayland systems because of structural limitations. It's simpler to make a new Linux operating system than to adapt it to a new graphical stack.
            Last edited by MorrisS.; 14 July 2022, 08:37 AM.


            • #7
              Originally posted by Toggleton
              The biggest missing stuff for me is Electron apps that use a shitty old version, like Discord (in the Arch AUR there is a version that uses a newer version, but that is buggy, sadly), and games. Not sure how good the Wine Wayland stuff is already. But you can have a basic office PC without the need for XWayland.
              I noticed the same thing with Chromium and Electron apps (e.g. VSCodium) on Sway with scaling, where fonts are fuzzy. You can pass flags to force it to use Ozone and it works, but that was not the default. It will get better, but I had a similar experience.


              • #8
                Originally posted by tildearrow
                And here we all say Wayland is secure...
                Wayland is, but its compositors will never be. At least X11 only had relatively few Xservers to audit.


                • #9
                  We often see a patch to XWayland following the news of new CVEs discovered on X.Org, and it seems many people don't understand the implications on Wayland, or think Wayland is insecure because of XWayland, but that's usually not the case. The security vulnerability in X is caused by a bug, and the bug needs fixing even where it doesn't cause a security vulnerability, and that's all.

                  It goes like this: An OOB access bug in remote X becomes an RCE (obviously). Then, an RCE in privileged X becomes an LPE (again, pretty obvious). The same bug exists in XWayland, and should be fixed, BUT it's not a security bug in XWayland because it's not a remote session, and it's not privileged. It could be a security concern in niche setups, but it's usually not in the general Linux desktop.


                  • #10
                    Originally posted by MorrisS.
                    It's simpler to make a new Linux operating system than to adapt it to a new graphical stack.
                    It seems you have no idea what you're talking about. It will be better if you keep such 'brilliant' ideas to yourself. You will not feel embarrassed in the future.
