X.Org Hit Hard By A Large Batch Of Security Vulnerabilities

  • X.Org Hit Hard By A Large Batch Of Security Vulnerabilities

    Phoronix: X.Org Hit Hard By A Large Batch Of Security Vulnerabilities

    Last year a batch of X.Org libraries were hit by security vulnerabilities and the researcher who discovered these issues called X.Org security a disaster and even "it's worse than it looks". Today, a big batch of these X.Org vulnerabilities were made public. Many of these issues date back 20 years or more...

    http://www.phoronix.com/vr.php?view=MTg1ODQ

  • #2
    Nvidia updated ALL current drivers it seems, would be interesting to see a statement from AMD... I hope some Debian devs update the Nvidia drivers, I toyed around with fglrx 14.12 for some hs already.


    • #3
      from a year ago
      https://www.youtube.com/watch?v=2l7ixRE3OCw


      • #4
        Originally posted by Kano
        Nvidia updated ALL current drivers it seems, would be interesting to see a statement from AMD...
        Why do you think AMD Catalyst is affected just like nvidia? It is probably affected just like other open-source drivers with an unpatched xorg that is not configured for security, so a distro xorg update should fix most of those nasties, shouldn't it? Well, unlike the nvidia blobs, which probably have more need to give these statements because they support xserver not just on Linux, but on other platforms like BSD & Solaris.
        Last edited by dungeon; 12-09-2014, 03:35 PM.


        • #5
          Originally posted by dungeon
          Why do you think AMD Catalyst is affected just like nvidia? It is probably affected just like other open-source drivers with an unpatched xorg that is not configured for security, so a distro xorg update should fix most of those nasties, shouldn't it? Well, unlike the nvidia blobs, which probably have more need to give these statements because they support xserver not just on Linux, but on other platforms like BSD & Solaris.
          Because AMD puts out a proprietary blob, too, which is needed if one wants performance for gaming on newer hardware?


          • #6
            These issues have been known privately for some time to the developers while today the advisories are going out publicly.
            If that was the case, they would have been long since fixed. How long were the developers aware?


            • #7
              Originally posted by bakgwailo
              Because AMD puts out a proprietary blob
              And that 'blob' means what? If the nvidia blob is affected, that does not automatically mean all other blob drivers from different companies are affected; they may have implemented (or might have it broken in a good way) indirect glx in a way that is not so vulnerable. Some vendors who provide blob drivers may not have indirect glx implemented at all, so they are not affected here.


              • #8
                Originally posted by yoshi314
                If that was the case, they would have been long since fixed. How long were the developers aware?
                According to that NVIDIA statement:
                NVIDIA was informed of this issue by public advisement from X.Org participants on Oct 9, 2014


                • #9
                  I suppose the Linux desktop marketshare is good for one thing, security through obscurity. While Xorg is a security disaster, I still have no qualms about running my Linux desktop with no anti-virus.

                  Still, Wayland can't come fast enough.


                  • #10
                    Originally posted by yoshi314
                    If that was the case, they would have been long since fixed. How long were the developers aware?
                    For example, on 16 September indirect glx was disabled in Debian, so if you use that and open-source drivers you are pretty much unaffected. Even months ago developers were aware you can easily crash X: just start Steam or some other game which provides its own nasty (un)compatibility libraries. And even many years ago some developers were aware when they made direct unaccelerated the default in drivers. Even when someone implements something 28 years ago and the issue only triggers something today, but in those days it was a feature probably unused
                    Last edited by dungeon; 12-09-2014, 05:16 PM.
