Announcement

Collapse
No announcement yet.

X.Org's Latest Security Woes Are Bugs In LibX11, Xserver

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • X.Org's Latest Security Woes Are Bugs In LibX11, Xserver

    Phoronix: X.Org's Latest Security Woes Are Bugs In LibX11, Xserver

    The X.Org/X11 Server has been hit by many security vulnerabilities over the past decade as security researchers eye more open-source software. Some of these vulnerabilities date back to even the 80's and 90's given how X11 has built up over time. The X.Org Server security was previously characterized as being even worse than it looks while today the latest vulnerabilities have been made public...

    http://www.phoronix.com/scan.php?pag...CVE-2020-14344

  • #2
    X11/Xorg are products of an ended era. As much as I love them, time has come to let them go and move to Wayland.

    Comment


    • #3
      Can't wait for more programs to properly support Wayland so they can be shipped as flatpak with the fallback-x11 flag set. There is much less attack surface in Wayland compositors and way more competition/diversity between implementations.

      Comment


      • #4
        I agree. The architecture of the Xserver is extremely difficult to secure. Move to a modern design -- Wayland.

        Xserver is a great piece of work and I have used it for decades. But it comes from a period in time when we didn't have hostile actors continuously trying to locate the tiniest security flaws and exploit them. Wayland greatly reduces the size of the attack surface making it far easier to secure.

        Comment


        • #5
          Originally posted by treba View Post
          Can't wait for more programs to properly support Wayland so they can be shipped as flatpak with the fallback-x11 flag set. There is much less attack surface in Wayland compositors and way more competition/diversity between implementations.
          Before waiting for programs to support Wayland, we need compositors to support Wayland properly. I tried it again yesterday, it's so much better now: instead of going back to X in 2 minutes, it took me almost 10 minutes this time

          Comment


          • #6
            Personally, I'd love if I could continue to use gnome-flashback with wayland (note, not Gnome Classic as that is nowhere near as responsive + stable on any system I've tried it on. The difference between the 2 is night and day.) Unfortunately, Gnome flashback uses metacity and metacity isn't wayland compatible, but mutter is and that is a possible avenue.

            For anyone who doesn't like Gnome 3 or has hardware limitations, Is there any mass interest in switching to gnome-flashback + mutter + wayland? Anyone know if anyone is diligently working on this setup behind the scenes?

            Comment


            • #7
              Originally posted by bug77 View Post

              Before waiting for programs to support Wayland, we need compositors to support Wayland properly. I tried it again yesterday, it's so much better now: instead of going back to X in 2 minutes, it took me almost 10 minutes this time
              KDE is quite behind, but Gnome works fine with Wayland.

              Comment


              • #8
                Unfortunately, until Cinnamon converts, I'm sticking with X.

                Comment


                • #9
                  Originally posted by Volta View Post

                  KDE is quite behind, but Gnome works fine with Wayland.
                  That depends on your perspective. To some of us, GNOME is behind in other ways, X11 or Wayland.

                  Comment


                  • #10
                    Originally posted by jonsmirl View Post
                    Wayland greatly reduces the size of the attack surface making it far easier to secure.
                    Wayland is just a protocol so it is beyond the scope of it to have "security issues" (same with X11). However all the many compositors containing independent implementations of a number of underlying systems that were traditionally provided by a single entity (Xorg Xserver) will likely contain issues. This fragmentation will also make it very hard to audit.

                    In summary, educate people and move back to the command line!

                    I wonder which is more secure by now? X11 on top of Wayland or X11 on top of Xorg? No denying that Wayland has been a good opportunity to shift some crusty code but it is *still* relatively young so hasn't received the vigorous testing.
                    Last edited by kpedersen; 07-31-2020, 11:11 AM.

                    Comment

                    Working...
                    X