Date: Thu, 30 May 2013 10:49:42 +0200
From: Niclas Zeising <zeising@freebsd.org>
To: kaltheat@googlemail.com
Cc: freebsd-x11@FreeBSD.org
Subject: Re: Security issues
Message-ID: <51A712A6.2040403@freebsd.org>
In-Reply-To: <20130530071524.GA15626@sol>
References: <20130527211100.GA5517@sol> <51A48ADE.1060503@freebsd.org> <20130530071524.GA15626@sol>
On 2013-05-30 09:15, kaltheat@googlemail.com wrote:
> On Tue, May 28, 2013 at 12:45:50PM +0200, Niclas Zeising wrote:
>> On 2013-05-27 23:11, kaltheat@googlemail.com wrote:
>>>
>>> Hi,
>>>
>>> don't know if I'm right here, but there seem to be various security issues with
>>> X-libs[1] and portaudit isn't complaining about it, it's not listed in vuxml
>>> either. I think it would be right to list the warnings.
>>
>> The issues are known, but not very serious. We are waiting for proper
>> releases from freedesktop to not have to juggle a ton of local patches,
>> which quickly becomes a nightmare.
>> Regards!
>> --
>> Niclas
>
> Why are these issues considered to be not very serious?
> I read somewhere that when xorg-server is compiled with the setuid bit set an attacker
> could gain root access by using a buffer overflow technique. I think that SUID is a
> default option.
> And why wouldn't it be fine if users get informed about this by portaudit or vuxml
> and they can decide on their own what they consider serious and what not?
>
> I understand that patching could become a nightmare, but I would think that under
> certain circumstances it would be right to dream that nightmare. But where is
> that red line after that patching would be the right thing?
>
> I don't want to blame anyone or call the expertise of port maintainers into
> question, I only want to learn.

The issues are in the client libraries of xorg. Usually, the server side, xorg-server, is more privileged than the client side, and therefore already trusted. In this case the client libraries trust what the server sends, and do not do proper checking. A rogue server can therefore make the clients misbehave. However, the clients are usually not run by root, and therefore no privilege escalation is possible. It is also not very common to connect to an untrusted xserver, usually you run it on the same machine as the clients. There are of course exceptions.
Lastly, these security issues were brought to our attention very very late in our "release cycle", which means there was no time to react. The big xorg update patch was becoming increasingly hard to maintain, and was also starting to block other updates. We are currently working on bringing in these fixes and will update the ports tree once this is done.

With regards to pulling in patches, this is done in the xorg-dev repo for a few ports, but it is harder to maintain, especially since there are dependencies between the security patches and other commits to the various xorg git repos, and also between updates to different libraries.

Regards!
--
Niclas
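The failure mode Niclas describes above, a client library accepting length fields from the server without checking them, as an added example. This is not code from the thread or from xorg, and the wire format is a constructed one, not the X11 protocol: a reply carries a count and an entry size chosen by the peer, a naive client computes count*size in 32 bits and trusts the result, and a hardened parse bounds each field, rejects an overflowing product and checks the claimed length against what was actually received. The function names, the format and the plausibility limits are invented for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed wire format used only for this example; it is NOT the X11
 * protocol. A reply is: 4-byte little-endian entry count, 4-byte
 * little-endian entry size, then count*size bytes of payload. Both length
 * fields are chosen by the server, i.e. by the peer the client is trusting. */
#define HDR_LEN        8
#define MAX_ENTRIES    256   /* plausibility limits, invented for the example */
#define MAX_ENTRY_SIZE 64

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Naive client-side length calculation: trusts both fields and multiplies
 * them in 32 bits. Returns the number of bytes such a client would malloc
 * for the payload. The product can wrap to a small value while a later copy
 * loop still runs count*size iterations, so the copy overruns the heap.
 * The copy itself is deliberately not performed here. */
uint32_t naive_alloc_size(const uint8_t *msg, size_t msg_len) {
    (void)msg_len;                     /* framing length is never consulted */
    return rd32(msg) * rd32(msg + 4);  /* wraps modulo 2^32 */
}

/* Hardened parse: bound each field, reject an overflowing product, and
 * require that the framed message really carries that many bytes.
 * Returns 0 and fills out/out_len on success, -1 on any inconsistency. */
int checked_parse(const uint8_t *msg, size_t msg_len,
                  uint8_t *out, size_t out_cap, size_t *out_len) {
    if (msg == NULL || out == NULL || out_len == NULL || msg_len < HDR_LEN)
        return -1;
    uint32_t count = rd32(msg);
    uint32_t size  = rd32(msg + 4);
    if (count > MAX_ENTRIES || size > MAX_ENTRY_SIZE)
        return -1;                       /* implausible for this reply type */
    if (size != 0 && count > SIZE_MAX / size)
        return -1;                       /* product would overflow size_t */
    size_t total = (size_t)count * size;
    if (total > msg_len - HDR_LEN)
        return -1;                       /* claims more than was sent */
    if (total > out_cap)
        return -1;                       /* more than the caller can hold */
    memcpy(out, msg + HDR_LEN, total);
    *out_len = total;
    return 0;
}

/* --- constructed sample messages and small drivers for both paths --- */

/* Rogue server: count 0x40000001, size 4, and no payload at all.
 * 0x40000001 * 4 = 0x100000004, which wraps to 4 in 32 bits. */
static size_t build_crafted(uint8_t *buf) {
    wr32(buf, 0x40000001u);
    wr32(buf + 4, 4u);
    return HDR_LEN;
}

/* Honest server: two entries of three bytes, payload "abcdef". */
static size_t build_benign(uint8_t *buf) {
    wr32(buf, 2u);
    wr32(buf + 4, 3u);
    memcpy(buf + HDR_LEN, "abcdef", 6);
    return HDR_LEN + 6;
}

uint32_t demo_naive_crafted(void) {
    uint8_t msg[HDR_LEN];
    size_t n = build_crafted(msg);
    return naive_alloc_size(msg, n);     /* 4: a 4-byte buffer for a 4 GiB copy */
}

int demo_checked_crafted(void) {
    uint8_t msg[HDR_LEN], out[64];
    size_t n = build_crafted(msg), got = 0;
    return checked_parse(msg, n, out, sizeof out, &got);   /* -1 */
}

int demo_checked_benign(void) {
    uint8_t msg[HDR_LEN + 6], out[64];
    size_t n = build_benign(msg), got = 0;
    if (checked_parse(msg, n, out, sizeof out, &got) != 0) return -1;
    return (got == 6 && memcmp(out, "abcdef", 6) == 0) ? 0 : -2;  /* 0 */
}

/* Same honest header, but the message is cut two bytes short: rejected. */
int demo_checked_truncated(void) {
    uint8_t msg[HDR_LEN + 6], out[64];
    size_t n = build_benign(msg), got = 0;
    return checked_parse(msg, n - 2, out, sizeof out, &got);     /* -1 */
}
```

The three checks in checked_parse are the ones any client-side decoder needs for a length that comes from the peer: each field bounded to what the reply type can legitimately carry, the product computed without wrapping, and the result compared against the bytes actually received before anything is allocated or copied. The plausibility limits are the example's own; a real library would take them from the protocol specification.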
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51A712A6.2040403>