X.Org Hit Hard By A Large Batch Of Security Vulnerabilities

Written by Michael Larabel in Linux Security on 9 December 2014 at 12:36 PM EST. 27 Comments
LINUX SECURITY
Last year a batch of X.Org libraries were hit by security vulnerabilities and the researcher who discovered these issues called X.Org security a disaster and even "it's worse than it looks". Today, a big batch of these X.Org vulnerabilities were made public. Many of these issues date back 20 years or more.

The X.Org Foundation announced publicly today, "Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way the X server code base handles requests from X clients, and has worked with X.Org's security team to analyze, confirm, and fix these issues."

These latest vulnerabilities can lead to a denial of service or lead to arbitrary code execution. These issues date back to the 80's and 90's -- thus affecting most X.Org running systems out there. The oldest of these vulnerabilities go back to 1987 with X11 core protocol requests.

These issues have been known privately for some time to the developers while today the advisories are going out publicly. There's a lot of them and just how bad the situation is depends upon your X.Org configuration. "How critical these vulnerabilities are to any given installation depends on whether they run an X server with root privileges or reduced privileges; whether they run X servers exposed to network clients or limited to local connections; and whether or not they allow use of the affected protocol extensions, especially the GLX extension."

Among the vulnerabilities are an unchecked malloc in client authentication leading to a potential denial of service, integer overflows, and out of bounds access due to not checking lengths/offsets in requests. The issued CVEs include CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8094, CVE-2014-8095, CVE-2014-8096, CVE-2014-8097, CVE-2014-8098, CVE-2014-8099, CVE-2014-8100, CVE-2014-8101, CVE-2014-8102, and CVE-2014-8103.

Fixes for these X.Org issues are currently in Git form and should appear out in fully released form soon. More details via the big security advisory. NVIDIA also issued this statement concerning the vulnerabilities that affect their graphics drivers.
27 Comments
Related News
Proposed Linux Patch Would Allow Disabling CPU Security Mitigations At Build-Time
Landlock Security Module Adds File Truncation Support With Linux 6.2
Intel Preparing Virtual IA32_SPEC_CTRL Support For The Linux Kernel
Linux Moving Ahead With Enabling Kernel IBT By Default
Linux Still Eyes Better Security By Default Enabling Indirect Branch Tracking (IBT)
OpenSSL Outlines Two High Severity Vulnerabilities
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Linux 6.1 Officially Promoted To Being An LTS Kernel
A Non-GNU Linux Distribution Built With LLVM & BSD Software Aims For Alpha Next Month
Work Revived On Parallel CPU Bring-Up To Boot Linux Faster On Large Systems/Servers
RustyHermit Delivers A Rust-Based, Modular Unikernel For MicroVMs
LibreOffice 7.5 Released With Improved Dark Mode, Better PDF Exporting
Asahi Gallium3D Driver Enables Mesa Shader Disk Cache Support
memtest86+ 6.10 Released With UEFI Secure Boot Signing, Headless EFI
FFmpeg 6.0 Will Be Big With AV1 Hardware Decoding, Many Other Features