Announcement

**johnc** · 10 February 2015, 08:18 PM

Just look at how amazing X.Org is: you can do network-transparent buffer overflows.

**Guest** · 10 February 2015, 09:47 PM

Originally posted by phoronix View Post

Phoronix: X.Org Server 1.17.1 Released To Fix Yet Another X Security Vulnerability

Keith Packard announced the release of X.Org Server 1.17.1 today to fix another new X11 Server security vulnerability...

http://www.phoronix.com/scan.php?pag....17.1-Released

Ouch. Sounds like the same mistake made with Heartbleed.

**michael-vb** · 11 February 2015, 03:58 AM

From the article:
News of another security vulnerability isn't a huge surprise as the X11 Server has been home to many security issues dating back many years and there's many issues to find.

Let's be honest, one could replace the words "the X11 Server" with the words "software written by humans" here. (And I wouldn't want to let generated code off too lightly either.)

**curaga** · 11 February 2015, 04:45 AM

Oh noes, if I run untrusted software said untrusted software could hurt me.

**BlackStar** · 11 February 2015, 06:05 AM

Originally posted by curaga View Post

Oh noes, if I run untrusted software said untrusted software could hurt me.

Oh look, someone can use a guest account to pwn your system without you ever realizing.

As long as we are using X, Linux desktops will remain worse security-wise than Mac OS or even Windows...

**danwood76** · 11 February 2015, 06:56 AM

Originally posted by BlackStar View Post

Oh look, someone can use a guest account to pwn your system without you ever realizing.

As long as we are using X, Linux desktops will remain worse security-wise than Mac OS or even Windows...

No.

Its just that with OSS these vulnerabilities are easier to find and are fixed out in the open.

This exploit is restricted to local software running on a local XServer, malicious software running in that local system you could easily just dump /dev/mem and read the exact same data. And the same can be achieved in Windows or OSX.

The main problem that Xorg has is that it is a huge software project with a lot of code that is over 20 years old.

**darkbasic** · 11 February 2015, 07:36 AM

Originally posted by johnc View Post

Just look at how amazing X.Org is: you can do network-transparent buffer overflows.

Comment of the year! XD

**halo9en** · 11 February 2015, 07:53 AM

Originally posted by BlackStar View Post

As long as we are using X, Linux desktops will remain worse security-wise than Mac OS or even Windows...

Yeah, sure... http://arstechnica.com/security/2015...ns-of-windows/

**RahulSundaram** · 11 February 2015, 10:18 AM

Originally posted by curaga View Post

Oh noes, if I run untrusted software said untrusted software could hurt me.

Yep. That is a problem and a real world one where people don't limit themselves to just a few repositories.

Also the X model makes it trivial to write keyboard loggers and snoop around. The best way to deal with that is sandboxing which will limit any damage that said untrusted applications can do and use Wayland.

https://github.com/alexlarsson/xdg-app looks promising