Date: Fri, 20 Jan 2023 15:08:22 +0000 From: bugzilla-noreply@freebsd.org To: x11@FreeBSD.org Subject: [Bug 268963] x11-servers/xorg-server: 21.1.6 available Message-ID: <bug-268963-7141-FpXOSeTPnq@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-268963-7141@https.bugs.freebsd.org/bugzilla/> References: <bug-268963-7141@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D268963 --- Comment #7 from Jan Beich <jbeich@FreeBSD.org> --- (In reply to Jochen Neumeister from comment #5) > Since the update contains CVEs, can a vuxml entry be added as a patch? https://vuxml.freebsd.org/freebsd/9fa7b139-c1e9-409e-bed0-006aadcf5845.html Example attack vectors: - "ssh -X" to an untrusted host (maybe running Linux) - Run an untrusted GUI application inside jail (maybe via linuxulator) - [indirect] Open an untrusted page in a vulnerable web browser (e.g., webkit2-gtk3, qt5-webengine) Severity on FreeBSD: - "Xorg" runs under root (via setuid bit) unlike Linux/OpenBSD - No sandboxing in "Xorg" unlike OpenBSD or any web browser unlike Windows/macOS/Linux/OpenBSD - GNOME and KDE cannot use Wayland as a workaround (until xorg-server is updated) - "pkg audit" doesn't query CVE database (for more indirect attack vectors) Disclaimer: I'm not familar with security analysis, not part of x11@ team a= nd don't use xorg-server. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-268963-7141-FpXOSeTPnq>