X Server Security Disaster: "It's Worse Than It Looks"

Written by Michael Larabel in Linux Security on 31 December 2013 at 03:46 PM EST. 22 Comments
LINUX SECURITY
There's X.Org Server security vulnerabilities -- even for vulnerabilities going back two decades -- from time to time and in related components of the Linux graphics stack. Parts of the X.Org stack can be in fairly rough shape given the age of X11, but a very poor picture of it was painted at the Chaos Communication Congress. It was stated that the X.Org security is even worse than it looks.

At the 30th Chaos Communication Congress (CCC) last week in Germany, Ilja van Sprundel, a security researcher who previously reported X.Org vulnerabilities, gave a presentation. Covered in the presentation at the very well known CCC conference in Germany were client-side issues and then an entire half of the presentation devoted to the X.Org Server.

Among the quotes used were "GLX is a horrible demotivator! 80,000 lines of sheer terror." and "In the past couple of months I've found 120 bugs there, and I'm not close to done."

Those wanting to read more about the troubled state of the X.Org Server security can watch the CCC presentation video from the CCC.de web-site.

For those thinking its FUD or blown out of proportion, Oracle's Alan Coopersmith who has long been involved with X11/X.Org, was the one that originally shared this presentation on the xorg-devel list.

Alan added on the mailing list, "I think it's mostly accurate (there's a couple minor details to quibble with, and there's a bit about 10-15 minutes in everyone can fast forward through). His point about today's world being much different than when X was created, and nearly 30 year old hand written binary protocol parsing code not being the best idea, is much like the rationale for xcb's creation, but we've not been effective at getting transitioned to it. (We keep talking about using XCB to generate server-side protocol handling & byte swapping, but never have, and haven't made it possible for all the clients to move to XCB, since there's still a couple missing pieces.)"

Thankfully some of the issues should be addressed in moving to Wayland (or Mir). There's also ongoing bug-fixes and addressing of security issues in X.Org Server updates -- just last week X.Org Server 1.15 was released.
22 Comments
Related News
Linux 6.9-rc4 To Bring New Fixes For x86 Speculation Mitigations
Linux Kernel Patched For Branch History Injection "BHI" Intel CPU Vulnerability
GitHub Disables The XZ Repository Following Today's Malicious Disclosure
XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access
Linux 6.9 Sees Further Security Hardening
GhostRace Detailed - Speculative Race Conditions Affecting All Major CPUs / ISAs
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Linus Torvalds Injects Tabs To Thwart Kconfig Parsers Not Correctly Handling Them
Linux 6.10 To Merge NTSYNC Driver For Emulating Windows NT Synchronization Primitives
Ubuntu Maker Canonical Announces New Collaboration With Qualcomm
Fedora 41 Looks To "-O3" Optimizations For Its Python Build
APT 2.9 Released: Debian's APT 3.0 To Have A New UI With Colors, Columnar Display & More
KDE's KWin Merges Wayland Explicit Sync Support
Former Nouveau Lead Developer Joins NVIDIA, Continues Working On Open-Source Driver
Gentoo Linux Now An SPI Project