Date: Thu, 30 May 2013 09:15:24 +0200 From: kaltheat@googlemail.com To: Niclas Zeising <zeising@freebsd.org> Cc: freebsd-x11@FreeBSD.org Subject: Re: Security issues Message-ID: <20130530071524.GA15626@sol> In-Reply-To: <51A48ADE.1060503@freebsd.org> References: <20130527211100.GA5517@sol> <51A48ADE.1060503@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, May 28, 2013 at 12:45:50PM +0200, Niclas Zeising wrote: > On 2013-05-27 23:11, kaltheat@googlemail.com wrote: > > > > Hi, > > > > don't know if I'm right here, but there seem to be various security issues with > > X-libs[1] and portaudit isn't complaining about it, it's not listed in vuxml > > either. I think it would be right to list the warnings. > > The issues are known, but not very serious. We are waiting for proper > releases from freedesktop to not have to juggle a ton of local patches, > which quickly becomes a nightmare. > Regards! > -- > Niclas Why are these issues considered to be not very serious? I read somewhere that when xorg-server is compiled with setuid bit set an attacker could gain root access by using buffer overflow technique. I think that SUID is a default option. And why wouldn't it be fine if users get informed about this by portaudit or vuxml and they can decide on their own what they consider serious and what not? I understand that patching could become a nightmare, but I would think that under certain circumstances it would be right to dream that nightmare. But where is that red line after that patching would be the right thing? I don't want to blame anyone or call the expertise of port maintainers into question, I only want to learn. Regards, kaltheat
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130530071524.GA15626>