Massive Number of Vulnerabilities Found in X.Org

197 points by chrisdotcode, almost 12 years ago

17 comments

asveikau, almost 12 years ago
The fact that one must watch out for integer overflow on a buffer size calculation for malloc, realloc, etc. should be no surprise to a thoughtful C programmer. It sounds like somebody just did an audit of an old code base looking for bad patterns and this is what came out of it. It sounds like great work on the part of the people doing audits/fixes but I'm not sure it's freakout material ("massive" seems a bit sensationalist).
vacri, almost 12 years ago
On a parallel note, I remember several years ago seeing Microsoft spruiking its 'Windows 2008 Server Headless'. Running a Windows server without the GUI was mentioned right there in the MS-generated marketing material as reducing the attack surface, as 70% of all discovered Windows exploits couldn't be done without the GUI components.
krakensden, almost 12 years ago
He did a presentation on it that's much better reading:

http://cansecwest.com/slides/2013/Assessing%20the%20Linux%20Desktop%20Security%20-%20Ilja%20van%20Sprundel.ppt
lysium, almost 12 years ago
Wow, that's huge! I'm wondering how this has not been noticed before.

I know, X11 is pretty old, but still, with the increasing awareness for security in the past, it's kind of funny nobody has ever checked such a prominent piece of software, not even in a Master's class.

Glad to see they are responding quickly.
AaronFriel, almost 12 years ago
> The X.Org security team would like to take this opportunity to remind
> X client authors that current best practices suggest separating code
> that requires privileges from the GUI, to reduce the attack surface of
> issues like this.

A naïve reading of this statement seems to suggest that no "modern operating system" built on X can be secure should they follow the X.Org team's advice because no privileged clients can exist. Perhaps this is a gross misunderstanding of mine with respect to how distros use X, but is it not possible to display to the user a privileged password input window that can't be tampered with? And, if said window can be made, wouldn't it be privileged and thereby susceptible to this attack unless they displayed it without using an X server?

Or would the X.Org security team suggest that operating systems run dual X servers, or many X servers, one for each privilege level, and then render one on top of another?

This mess has me quite confused as to the security model surrounding X.
peterwwillis, almost 12 years ago
Lame attempt to find setuid/setgid files which link to an X library:

    # Each path is passed to the shell as "$1" instead of being spliced into the command string
    find /bin/ /sbin/ /lib* /usr/ /var/ /root /home -type f \( -perm -4000 -o -perm -2000 \) -exec /bin/sh -c 'ldd "$1" | grep -q X && echo "exists in $1"' sh {} \;

Tools that have to read the shadow file (like xlock and xscreensaver) are sometimes setuid root. Apparently this is not necessary though: http://www.shmoo.com/mail/bugtraq/nov98/msg00087.html (My slack box is set up this way)

kppp is setuid root to perform operations only root can do, but supposedly does it in a thread separate from GUI operations. Perhaps Linux Capabilities could be used instead and setuid can finally be thrown out the window?
dlitz, almost 12 years ago
These are actually vulnerabilities in Xlib, which is already well known to be pretty crufty. X11 security has always been a joke anyway, since basically any client can keylog the session at any point. There is some X security policy stuff, but it was never fully developed.

The interesting part here is that there's revived interest in *fixing* Xlib.

And for the people talking about Wayland being the future: Let's not forget that client-side window decorations are not exactly going to be a security improvement.
epo, almost 12 years ago
The headline is inflammatory and probably misleading, I thought it was regarded as poor form to editorialize by rewriting headlines.

Yet again, in threads like this there are lots of "never done anything" armchair quarterbacks pontificating about how to write "massive" (correct use of the word) software libraries without regard to the age of the software in question. X is really old, security concerns were different then. X preceded Linux by a long way and it was the increasing usage of Linux which made X itself achieve widespread adoption. Yes, it is kind of shocking that no one has scoured it for vulnerabilities so far but having looked at the code a long while ago I wouldn't want to have done it, it is *awful*.
caf, almost 12 years ago
The original title is clearer, because it's germane that the vulnerabilities are in the X client libraries rather than the X.Org server.
swdunlop, almost 12 years ago
It is easy to dismiss these vulnerabilities from a perspective of a common desktop user. "I already have privileges on this box" or "any desktop user already has a way to escalate privileges."

But X11 is also used in process control settings where crappy ancient programs run on decrepit old machines with modern X.org servers used for displays. Would we be so dismissive if someone revealed a host of major vulnerabilities in VNC or RDP clients? (Probably. :))
fafner, almost 12 years ago
Ilja van Sprundel, the guy who found these vulnerabilities, gave an interesting talk about "unusual bugs" at the CCC conference a couple of years ago. Might be interesting to some of you:

Video: http://media.ccc.de/browse/congress/2006/23C3-1456-en-unusual_bugs.html

Slides: https://dspace.it.su.se/dspace/bitstream/10102/316/1/Unusual+bugs+23c3.pdf
DiabloD3, almost 12 years ago
Has anyone done a security analysis on Wayland/Weston yet?
tanglesome, almost 12 years ago
X.org? Still vulnerable!? I am shocked, shocked, to see these holes still there. There's nothing really new here, what needs to be new is the will for programmers to finally go and fix this stuff.
mtgx, almost 12 years ago
Let's bring Mir and Wayland already.
EvilLook, almost 12 years ago
These seem like such basic errors. Not validating responses because you trust the software you interact with to behave is such a basic mistake that you'd think the people that work on the X server from X.Org would have learned not to do that long ago.
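Added example, not part of any comment in this thread: the buffer-size overflow asveikau describes and the unvalidated peer data EvilLook mentions, shown in C. The record layout and the names `copy_records`, `checked_mul` and `unchecked_size32` are assumptions for illustration, not Xlib code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 16-byte record in a reply body (not Xlib's layout). */
typedef struct { uint32_t x, y, w, h; } record_t;

/* The unchecked pattern: a 32-bit product that silently wraps. */
uint32_t unchecked_size32(uint32_t count)
{
    return count * (uint32_t)sizeof(record_t);
}

/* count * size without wrapping; 0 on success, -1 on overflow. */
static int checked_mul(size_t count, size_t size, size_t *out)
{
    if (size != 0 && count > SIZE_MAX / size)
        return -1;
    *out = count * size;
    return 0;
}

/* `count` is peer-supplied: reject it if the size wraps or exceeds body_len. */
record_t *copy_records(const unsigned char *body, size_t body_len,
                       uint32_t count)
{
    size_t need;
    record_t *out;
    if (count == 0 || checked_mul(count, sizeof(record_t), &need) != 0)
        return NULL;
    if (need > body_len)          /* peer claims more than it sent */
        return NULL;
    out = malloc(need);
    if (out != NULL)
        memcpy(out, body, need);
    return out;
}

int main(void)
{
    unsigned char body[32] = {0};   /* constructed reply body: 2 records */
    record_t *ok = copy_records(body, sizeof body, 2);
    printf("wrapped size %u, ok=%d, hostile=%d\n",
           (unsigned)unchecked_size32(0x10000001u), ok != NULL,
           copy_records(body, sizeof body, 0x10000001u) != NULL);
    free(ok);
    return 0;
}
```

With the constructed count 0x10000001 the unchecked 32-bit product is 16 bytes, which is the undersized allocation the checked path refuses to make.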
drivebyacct2, almost 12 years ago
Shocker. Protocol issues. Time for another extension! Or to just shoot X.org in the head and quell the FUD surrounding Wayland.
allenbina, almost 12 years ago
Today's HN is sponsored by MIR