X.Org Hit Hard By A Large Batch Of Security Vulnerabilities

Written by Michael Larabel in Linux Security on 9 December 2014 at 12:36 PM EST.
Last year a batch of X.Org libraries was hit by security vulnerabilities, and the researcher who discovered those issues called X.Org security a disaster, adding that "it's worse than it looks". Today, a big batch of X.Org vulnerabilities was made public. Many of these issues date back 20 years or more.

The X.Org Foundation announced publicly today, "Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way the X server code base handles requests from X clients, and has worked with X.Org's security team to analyze, confirm, and fix these issues."

These latest vulnerabilities can lead to denial of service or arbitrary code execution. The issues date back to the 1980s and 1990s, so they affect most systems running X.Org. The oldest of them go back to 1987, in the X11 core protocol requests.

The developers have known about these issues privately for some time; today the advisories are going out publicly. There are a lot of them, and just how bad the situation is depends on your X.Org configuration. "How critical these vulnerabilities are to any given installation depends on whether they run an X server with root privileges or reduced privileges; whether they run X servers exposed to network clients or limited to local connections; and whether or not they allow use of the affected protocol extensions, especially the GLX extension."

Among the vulnerabilities are an unchecked malloc in client authentication leading to a potential denial of service, integer overflows, and out of bounds access due to not checking lengths/offsets in requests. The issued CVEs include CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8094, CVE-2014-8095, CVE-2014-8096, CVE-2014-8097, CVE-2014-8098, CVE-2014-8099, CVE-2014-8100, CVE-2014-8101, CVE-2014-8102, and CVE-2014-8103.
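As an added illustration of the "unchecked lengths/offsets" and integer-overflow classes named above, this is not X.Org code: the request layout, field names and both check functions are hypothetical, modelled only on the X11 wire convention that a request header's length field counts 4-byte units.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request modelled on the X11 wire format: a header whose
 * `length` field counts the whole request in 4-byte units, followed by a
 * client-supplied count of 8-byte items. Not a real X.Org structure. */
typedef struct {
    uint8_t  opcode;
    uint8_t  pad;
    uint16_t length;   /* whole request, in 4-byte units (X11 convention) */
    uint32_t nitems;   /* number of 8-byte items the client claims follow */
} ReqHeader;

enum { Success = 0, BadLength = 16 };   /* 16 is the X11 BadLength error code */
#define ITEM_SIZE 8u

/* Before: the byte count is computed in 32 bits, so a huge nitems wraps the
 * multiplication, the comparison passes, and a later loop over nitems items
 * would read past the end of the request buffer (out-of-bounds access). */
int check_items_unsafe(const ReqHeader *req)
{
    uint32_t needed = (uint32_t)sizeof(ReqHeader) + req->nitems * ITEM_SIZE;
    return needed <= (uint32_t)req->length * 4u ? Success : BadLength;
}

/* After: widen before multiplying so the count cannot wrap, and reject the
 * request before any item is touched; this is the job the X server's own
 * REQUEST_FIXED_SIZE-style length checks perform. */
int check_items_safe(const ReqHeader *req)
{
    uint64_t declared = (uint64_t)req->length * 4u;
    uint64_t needed   = sizeof(ReqHeader) + (uint64_t)req->nitems * ITEM_SIZE;
    return needed <= declared ? Success : BadLength;
}

int main(void)
{
    /* Constructed requests: one well-formed, one whose item count wraps. */
    ReqHeader ok  = { 1, 0, 6, 2 };           /* 8 + 2*8 = 24 bytes = 6 units */
    ReqHeader bad = { 1, 0, 2, 0x20000000u }; /* 0x20000000 * 8 wraps to 0    */
    printf("well-formed: unsafe=%d safe=%d\n",
           check_items_unsafe(&ok), check_items_safe(&ok));
    printf("wrapping:    unsafe=%d safe=%d\n",
           check_items_unsafe(&bad), check_items_safe(&bad));
    return 0;
}
```

The wrapping request is accepted by the unchecked version and rejected with BadLength by the widened one, which is the behaviour a fix for this bug class has to produce.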

Fixes for these X.Org issues are currently in Git and should appear in released form soon. More details are in the full security advisory. NVIDIA also issued a statement concerning the vulnerabilities that affect its graphics drivers.