X11/X.Org Security In Bad Shape - Slashdot

Slashdot

X11/X.Org Security In Bad Shape 179

Posted by Soulskill on Tuesday December 31, 2013 @07:05PM
from the i-blame-the-schools dept.

An anonymous reader writes "A presentation at the Chaos Communication Congress explains how X11 Server security with being 'worse than it looks.' The presenter found more than 120 bugs in a few months of security research and is not close to being done in his work. Upstream X.Org developers have begun to call most of his claims valid. The presentation by Ilja van Sprunde is available for streaming."

This discussion has been archived. No new comments can be posted.

X11/X.Org Security In Bad Shape

Search 179 Comments Log In/Create an Account

Comments Filter:

XWayland (Score:5, Informative)

by tepples (727027) writes: <{tepples} {at} {gmail.com}> on Tuesday December 31, 2013 @07:24PM (#45833391) Homepage Journal

Every X11 server needs a rendering target. For some X11 servers, this is a video card. For others, it is a virtual frame buffer that gets served through X11VNC or XRDP. And on machines running Wayland, the X11 server will render to the Wayland compositor [freedesktop.org]. Porting an application's GUI toolkit allows the application to bypass XWayland, but not all applications will be ported to Wayland immediately, especially proprietary software no longer under mainstream support and free software without a large enough user base. But once enough applications get ported, the more complex and less security-hardened parts of X11 will be paged in only while an X11 application is updating its window.

Parent Share
twitter facebook linkedin
Broken by design (Score:4, Informative)

by Misagon (1135) writes: on Tuesday December 31, 2013 @08:04PM (#45833635)

It is not the way X works is particularly secure to begin with. Once an app has a connection to the X server, it has full control over the world of window, pixmaps and events on the server including of course all other apps.
Not that I have any faith in Wayland or Mir being any better, its developers coming from the X world in the first place, I am sure that they will make their new shiny systems vulnerable in the same ways.

Share
twitter facebook linkedin
Re:Fucking kill it already (Score:4, Informative)

by fikx (704101) writes: on Wednesday January 01, 2014 @12:11AM (#45834783) Journal

All X11 apps "support" it...that's the beauty of X11 network functionality: apps don't HAVE to support it, it comes free.

Parent Share
twitter facebook linkedin

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

479 commentsAuthor Says It's Time To Stop Glorifying Hackers
445 commentsHeartbleed Coder: Bug In OpenSSL Was an Honest Mistake
323 commentsMore On the Disposable Tech Worker
303 commentsOpenSSL Bug Allows Attackers To Read Memory In 64k Chunks
301 commentsTheo De Raadt's Small Rant On OpenSSL

"But this one goes to eleven." -- Nigel Tufnel