X.Org Server Hit By New Local Privilege Escalation Vulnerability


  • #11
    Originally posted by jacob

    Well in this instance it is the "mature" code that has security issues. Besides what you say isn't necessarily true, it all depends on what assumptions (if any) regarding security were made when the respective codebases were developed, and how they relate to present security threats. Taking that logic to the extreme, telnet was very "mature" when ssh appeared. It also didn't provide any security assurance whatsoever.
    The difference is frequency. Issues will be found in newer code more frequently than they will be found in mature code.

    That said, this discussion occurred because of a security issue under the X11 threat model. Security issues under a new threat model are an entirely different discussion.
    Last edited by ryao; 07 February 2023, 03:23 AM.



    • #12
      Originally posted by ryao
      The difference is frequency. Issues will be found in newer code more frequently than they will be found in mature code.
      That totally depends on the design...
      And you also don't give any backing data for this.

      You are literally saying that a new project implemented with experience and lessons learnt from the past is definitely worse than your 20-year-old project which is unmaintained, contains heaps of legacy code and uses quite some hacks for certain functionalities to work.



      • #13
        Originally posted by andyprough
        They should replace it with a secure display server protocol that takes 20-30 years to roll out to most users. Because there's such an extreme sense of urgency. Any more than 30 years would be unacceptable.
        The speed of roll out isn't helped by a very unportable implementation.



        • #14
          Didn’t Wayland have a similar vulnerability last year?

          https://nvd.nist.gov/vuln/detail/CVE...#range-8384822

          I agree X.org should be replaced but not until it reaches feature parity with X.org. Last I recall color management was just introduced about 3-4 months ago with Weston 11.0 and still has a long way before it becomes stable for production use for content creators or researchers.

          Wayland seems like a good choice for gamers but gamers are a small portion of Linux desktop users. Programs that require a functional display server will just keep adding warnings in their programs. If anything, lazy admins will probably move their users to Windows/macOS if they are forced to change to a display server lacking features.

          https://github.com/Psychtoolbox-3/Ps...box-3/pull/765



          • #15
            Do you want the working protocol that’s riddled with vulnerabilities or the protocol that’s been in development for 14 years and still doesn’t work? Make your choice.



            • #16
              Originally posted by WannaBeOCer
              Last I recall color management was just introduced about 3-4 months ago with Weston 11.0 and still has a long way before it becomes stable for production use for content creators or researchers.
              Major window managers such as GNOME, KDE and sway don't use this reference implementation, Weston.
              They refuse to participate as they have their own requirements: KDE and GNOME use their own implementations, sway also has its implementation that is designed to be reusable.

              It's likely they already got color management done.

              Originally posted by WannaBeOCer
              Wayland seems like a good choice for gamers but gamers are a small portion of Linux desktop users. Programs that require a functional display server will just keep adding warnings in their programs. If anything, lazy admins will probably move their users to Windows/macOS if they are forced to change to a display server lacking features.

              https://github.com/Psychtoolbox-3/Ps...box-3/pull/765
              What?
              I used swaywm before switching to a MacBook Air and it works fine for me and it's totally functional.
              Last edited by NobodyXu; 07 February 2023, 05:15 AM.



              • #17
                Originally posted by NobodyXu

                Major window managers such as GNOME, KDE and sway don't use this reference implementation, Weston.
                They refuse to participate as they have their own requirements: KDE uses Qt and GNOME uses its own implementation, sway also has its implementation that is designed to be reusable.

                It's likely they already got color management done.

                What?
                I used swaywm before switching to a MacBook Air and it works fine for me and it's totally functional.
                These two are still a long way away from being production ready and needed for content creation/research.

                https://gitlab.freedesktop.org/wayla...ge_requests/14

                https://gitlab.freedesktop.org/wayla...e_requests/103

                Edit: KDE: https://invent.kde.org/plasma/kwin/-/issues/11
                Last edited by WannaBeOCer; 07 February 2023, 03:57 AM.



                • #18
                  That's why I strongly dislike when someone isn't always using { in if / else statements in C and C++ even for single lines. They should be mandatory.



                  • #19
                    Originally posted by WannaBeOCer

                    These two are still a long way away from being production ready and needed for content creation/research.

                    https://gitlab.freedesktop.org/wayla...ge_requests/14

                    https://gitlab.freedesktop.org/wayla...e_requests/103

                    Edit: KDE: https://invent.kde.org/plasma/kwin/-/issues/11
                    Thanks, and they indeed have a lot to be done for content creation/research, though not everybody is into that area and for a lot of people Wayland is already production ready and good enough to use as a daily driver.

                    Feature parity also isn't necessarily a good thing, since not every feature is required or has to be implemented in the same way.



                    • #20
                      Originally posted by shmerl
                      That's why I strongly dislike when someone isn't always using { in if / else statements in C and C++ even for single lines. They should be mandatory.
                      I would even make not using curly braces illegal, but that's not what was going on here. to->button->xkb_acts = NULL; was actually missing.

                      Also, did no one notice this also needs X forwarding to function? Forwarding was hip like 20 years ago, but is it still enabled anywhere?
