X.Org's Indirect GLX State Is Frightening Researchers
Originally posted by schmidtbag:
Yes, and I don't care. Are you aware of how many people actually take advantage of this?
So the exact number could be in the hands of big security firms' analysts but not in the wind; besides, nothing stops a private security analyst from actually patching this themselves downstream (for a hefty sum), since they aren't obligated to keep compliance with the protocol in any way as long as they patch the target client. I've seen this behaviour a lot with other cases too.
- Likes 1
Originally posted by starshipeleven:
That's a bug, and I'm not sure Wayland has a role.
For Xorg it's like that by design (or lack thereof), since the thing came from ancient times where this wasn't an issue.
So it is definitely not an issue whether a flaw was wrongly designed or wrongly written; it has to be fixed anyway!
- Likes 1
Originally posted by trek:
A security flaw can be a bug or implemented by design, but I would focus on how it is exploitable.
A bug is a mistake, big or small, and in general it can be fixed with some swearing... I mean sweating behind a keyboard.
A design error is a HUGE mistake, and fixing it is non-trivial because half of your program was written to do X in the wrong way.
In many cases of design error you end up rewriting large portions of software.
This gets even worse when standards pour in. One of the reasons Xorg remained a horrible monster is that it has to provide the FULL x11 protocol even if applications only use a tiny bit of it. It cannot just drop ancient crap no one uses or make major changes to the API, because it is branded as an x11 protocol server.
To give an example, the "fix" for the design errors in Xorg/x11 is Weston/Wayland (and company): an entirely new system and protocol that takes from Xorg only the "lessons learned".
It's taking years and significant effort.
The same goes for the issue with the fbdev driver you linked, which is an old crappy framebuffer driver; if no one steps up to fix it, though, it will eventually get nuked and something better will replace it.
Last edited by starshipeleven; 27 May 2016, 02:46 PM.
- Likes 1
Originally posted by log0:
Dude, what are you on about? It is just disabled by default. It is not going anywhere.
A lot of people I know use indirect rendering to visualize data. If it goes off by default, it is highly possible some servers get updated with the feature off.
You could say it's the fault of the guy in charge of the server, but also some people use work computers at home with ssh, and use that to visualize data as well.
In that case they'll get the packages from Ubuntu, or whatever, which would have the feature off. A lot of people aren't able to rebuild their own version of the Xserver to replace the packaged one.
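The post above worries that distribution packages will ship with indirect GLX off and that users cannot rebuild the server to change that. Since X.Org server 1.17 the setting is a runtime switch rather than a build-time one: `Option "IndirectGLX"` in `Section "ServerFlags"`, or the `+iglx` / `-iglx` command-line flags. The following script is an added example written for this page (not code from X.Org or from any poster) that lets an administrator audit which state a config file or command line actually selects, so the feature can be deliberately enabled or confirmed disabled without rebuilding anything. The sample xorg.conf fragment it writes is constructed, and the `/tmp` path is just an example.

```shell
#!/bin/sh
# Added example for this thread, not code from X.Org or any poster.
# Reports whether an xorg.conf fragment (or an Xorg command line) leaves
# Indirect GLX at the server default, enables it, or disables it.
# Option "IndirectGLX" (Section "ServerFlags") and the +iglx / -iglx flags
# are real X.Org server options; the sample config below is constructed.

# Print "on", "off" or "default" for the IndirectGLX option in a config file.
# Comments are stripped first; if the option appears more than once, the
# last live occurrence wins.
iglx_from_conf() {
    sed 's/#.*//' "$1" | awk -F'"' '
        $1 ~ /[Oo]ption/ && tolower($2) == "indirectglx" { v = tolower($4) }
        END {
            if (v == "on" || v == "true" || v == "yes" || v == "1") print "on"
            else if (v == "off" || v == "false" || v == "no" || v == "0") print "off"
            else print "default"
        }'
}

# Same answer for an Xorg command line: "+iglx" enables, "-iglx" disables,
# a later flag overrides an earlier one, anything else leaves the default.
iglx_from_cmdline() {
    state="default"
    for arg in "$@"; do
        case "$arg" in
            +iglx) state="on" ;;
            -iglx) state="off" ;;
        esac
    done
    echo "$state"
}

# Constructed sample config: a commented-out "off" followed by a live "on",
# the kind of fragment an admin would add to re-enable the feature for
# users who run GL applications over ssh -X.
write_sample_conf() {
    cat > "$1" <<'EOF'
Section "ServerFlags"
    # Option "IndirectGLX" "off"
    Option "IndirectGLX" "on"   # needed for GL over ssh -X
EndSection
EOF
}

SAMPLE_CONF="${TMPDIR:-/tmp}/iglx-sample.conf"   # example path
write_sample_conf "$SAMPLE_CONF"
echo "config : $(iglx_from_conf "$SAMPLE_CONF")"          # on
echo "cmdline: $(iglx_from_cmdline -nolisten tcp -iglx)"  # off
```

Run it against a real `/etc/X11/xorg.conf` or a fragment under `xorg.conf.d` to see which way a machine is configured; a "default" result on a 1.17 or newer server means indirect GLX is off, which is the state the security researchers in the article want, while a deliberate "on" should be accompanied by restricting who can reach the X socket (for example, only via ssh forwarding).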
I do somewhat understand the perspective here. Is Wayland over something like VNC or RDP not going to be good enough? If so, perhaps having an X12 might actually be worth it. Aside from the massive workload it would create on an already stretched thin community, I don't see why it would be ideal to make a protocol do something it's not meant to do, while X11 and Xorg need to be heavily revised in order to work in a secure and modern fashion.
Originally posted by mannerov:
A lot of people I know use indirect rendering to visualize data. If it goes off by default, it is highly possible some servers get updated with the feature off.
You could say it's the fault of the guy in charge of the server, but also some people use work computers at home with ssh, and use that to visualize data as well.
In that case they'll get the packages from Ubuntu, or whatever, which would have the feature off. A lot of people aren't able to rebuild their own version of the Xserver to replace the packaged one.
If you're using a feature like indirect rendering, you can figure that out.
- Likes 3