Security

X11/X.Org Security In Bad Shape

An anonymous reader writes "A presentation at the Chaos Communication Congress describes X11 Server security as being 'worse than it looks.' The presenter found more than 120 bugs in a few months of security research and is not close to being done with his work. Upstream X.Org developers have begun to call most of his claims valid. The presentation by Ilja van Sprundel is available for streaming."
  • by Anaerin ( 905998 ) on Tuesday December 31, 2013 @07:50PM (#45833559)

    I'm sorry. You were complaining about a news (Yes, news) story about a talk from CCC (Which is highly popular with, and immensely relevant for, nerds), posted on Phoronix (A website that devotes itself almost entirely to information, news and reviews on hardware and software from a Linux-based perspective), about a lot (120+) of security holes (Things that matter) in the X11/X.org servers (Which are the basis for (almost) all GUI-driven applications in Linux, *BSD and some of OSX).

    By my count, that makes this story "News", "For Nerds", and "Stuff that matters". Oh, and the irony in posting that Phoronix is a "Link Farm" on /. is almost entirely palpable.

  • by ArchieBunker ( 132337 ) on Tuesday December 31, 2013 @07:57PM (#45833585)

    X had its day in the sun. I want a responsive and fast GUI with network connectivity being somewhere in 10th place. Make that socket/DRI/whatever they cooked up this year into a module so the rest of us don't suffer.

  • Re:Hotel 1 Bravo (Score:5, Insightful)

    by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Tuesday December 31, 2013 @08:34PM (#45833821) Homepage Journal

    Some were certainly considered but prohibited by law. Due to crypto export restrictions, it wasn't until the limits on Open Source were loosened that X was legally permitted to have any kind of meaningful security. The non-export version still had to talk to the exportable edition, after all.

    Yes, X was (and is) incredibly sloppy by today's standards and yes a lot of that was due to poor decisions in the days of X10. (Yes, boundaries are a decision. MIT could have chosen any sort of access control list system they wanted, with yet another library handling it. You could have then substituted whatever you wanted, so long as the API remained the same. Pretty much futureproof, no significant extra coding, easier to maintain than what they actually did.)

    The coding flaws - of which there were many - were often detectable by tools as ancient as lint.

    But you must also remember, X10 and X11 were never intended as products. They were reference implementations of a protocol, not finished products intended for actual use. The different vendors were always "supposed" to provide their own.

  • by phantomfive ( 622387 ) on Tuesday December 31, 2013 @09:08PM (#45833987) Journal

    Doesn't everyone use X over an ssh tunnel anyway? I haven't used a raw X connection in over a decade.....

  • by Rich0 ( 548339 ) on Tuesday December 31, 2013 @09:48PM (#45834225) Homepage

    Doesn't everyone use X over an ssh tunnel anyway? I haven't used a raw X connection in over a decade.....

    That doesn't help at all. He's talking about the fact that any X client can obtain information from any other X client on the same server. Tunneling the X clients through ssh doesn't help at all - it just causes the server to make all that information available over ssh.

    Granted, the last time I checked Linux makes the memory space of every process for any uid available to any other process running under the same uid (unless you're using SELinux). It is just that big unixy trust-everything-local attitude.

    Why is this sort of thing bad? Well, now not only can a browser exploit result in a script being able to sniff your keyboard traffic to other tabs in the same browser, it can also sniff your keyboard traffic to every other window on your display, regardless of where those clients are actually running. There are ways to block it, but nobody uses them as they are rather inconvenient (xterm probably still supports it though).

    However, until we close the gap of my web browser being able to read my mail directory or modify my .bashrc, I think that X11 vulnerabilities are just the tip of the iceberg.

  • Re:The process (Score:5, Insightful)

    by dasunt ( 249686 ) on Tuesday December 31, 2013 @10:35PM (#45834435)

    This is a good thing. This is the way it is supposed to work. This is how things get better. A little late, but it is good to see this happening.

    No. I think it's time to throw X out. We'll make a new implementation, complete with everything I use (we'll plan to add stuff you want later), with all new code, because new code never has any security holes!

  • by tepples ( 727027 ) <tepples.gmail@com> on Wednesday January 01, 2014 @10:40AM (#45836683) Homepage Journal

    Worse than X so far in my experience.

    My experience differs: RDP tunneled over SSH responds better than X11 over the same tunnel, especially with these newer X11 GUI toolkits that just push lots of pixels to the X server. And no, Windows 8 isn't involved at all; I'm using Remmina on Ubuntu to view Terminal Services on Windows Server 2003.

    I really do not think you supplied any more here than "something works so the other thing sux".

    If you need, I can perform benchmarks for you of Ubuntu viewing an application on another Ubuntu machine over X11 and Ubuntu viewing the Windows version of the same application over RDP.
