X.Org Hit By New Round Of Security Issues, Multiple Libraries Affected

Written by Michael Larabel in X.Org on 4 October 2016 at 10:15 AM EDT. 5 Comments
Back in 2013 we heard how X.Org security is worse than it looks and how for a period there were many X.Org security issues. It's been a while since last seeing a number of X.Org security vulnerabilities come about at once, but that's changed with this morning's disclosure.

Courtest of OpenBSD developers, they have uncovered protocol handling issues in X Window System client libraries. This is on top of the earlier X.Org security disclosures.

Matthieu Herrb explained, "Most of these issues stem from the client libraries trusting the server to send correct protocol data, and not verifying that the values will not overflow or cause other damage. Most of the time X clients & servers are run by the same user, with the server more privileged than the clients, so this is not a problem, but there are scenarios in which a privileged client can be connected to an unprivileged server, for instance, connecting a setuid X client (such as a screen lock program) to a virtual X server (such as Xvfb or Xephyr) which the user has modified to return invalid data, potentially allowing the user to escalate their privileges."

Libraries found to be affected by this latest round of X.Org security issues include libX11, libXfixes, libXi, libXrandr, libXrender, XRecord, libXv, and libXvMC... Pretty much all of the core X.Org libraries you'll want to be updating. Fixes are available to address the range of poor validation of data from the X.Org Server; the changes are in Git while new releases of these key libraries will be available shortly.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week