Security issues

Niclas Zeising zeising at freebsd.org
Thu May 30 08:49:45 UTC 2013


On 2013-05-30 09:15, kaltheat at googlemail.com wrote:
> On Tue, May 28, 2013 at 12:45:50PM +0200, Niclas Zeising wrote:
>> On 2013-05-27 23:11, kaltheat at googlemail.com wrote:
>>>
>>> Hi,
>>>
>>> don't know if I'm right here, but there seem to be various security issues with 
>>> X-libs[1] and portaudit isn't complaining about it, it's not listed in vuxml
>>> either. I think it would be right to list the warnings.
>>
>> The issues are known, but not very serious.  We are waiting for proper
>> releases from freedesktop to not have to juggle a ton of local patches,
>> which quickly becomes a nightmare.
>> Regards!
>> -- 
>> Niclas
> 
> Why are these issues considered to be not very serious?
> I read somewhere that when xorg-server is compiled with setuid bit set an attacker
> could gain root access by using buffer overflow technique. I think that SUID is a
> default option.
> And why wouldn't it be fine if users get informed about this by portaudit or vuxml
> and they can decide on their own what they consider serious and what not?
> 
> I understand that patching could become a nightmare, but I would think that under
> certain circumstances it would be right to dream that nightmare. But where is
> that red line after that patching would be the right thing?
> 
> I don't want to blame anyone or call the expertise of port maintainers into
> question, I only want to learn.

The issues are in the client libraries of xorg.  Usually, the server
side, xorg-server, is more privileged than the client side, and
therefore already trusted.  In this case the client libraries trust what
the server sends, and do not do proper checking.  A rogue server can
therefore make the clients misbehave.  However, the clients are usually
not run by root, and therefore no privilege escalation is possible.  It
is also not very common to connect to an untrusted xserver; usually you
run it on the same machine as the clients.  There are of course exceptions.
Lastly, these security issues were brought to our attention very very
late in our "release cycle", which means there was no time to react.
The big xorg update patch was becoming increasingly hard to maintain,
and was also starting to block other updates.  We are currently working
on bringing in these fixes and will update the ports tree once this is done.
With regards to pulling in patches, this is done in the xorg-dev repo
for a few ports, but it is harder to maintain, especially since there are
dependencies between the security patches and other commits to the
various xorg git repos, and also between updates to different libraries.
Regards!
-- 
Niclas
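The defect class Niclas describes above, a client library trusting a length that the server sent, is illustrated by the following added example. It is not code from the thread, from libX11 or from any xorg library: the wire format is a constructed toy (a 4-byte count of 4-byte payload units followed by the payload), and the names `parse_reply`, `checked_payload_bytes`, `unchecked_payload_bytes` and the limit `MAX_PAYLOAD_BYTES` are all assumptions made for this example. It shows why an unchecked count is dangerous (the byte arithmetic wraps) and what a client-side parser has to verify before it copies anything a server sent.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy wire format, NOT the real X11 protocol: a reply is a
 * 4-byte little-endian count of 4-byte payload units, then the payload. */
#define REPLY_HDR_LEN 4
#define MAX_PAYLOAD_BYTES 4096u  /* assumed policy limit for this toy format */

enum reply_status {
    REPLY_OK = 0,
    REPLY_TRUNCATED_HEADER,   /* fewer than 4 bytes received */
    REPLY_LENGTH_OVERFLOW,    /* units * 4 does not fit in 32 bits */
    REPLY_TOO_LARGE,          /* exceeds the policy limit or the destination */
    REPLY_TRUNCATED_PAYLOAD   /* header promises more bytes than were received */
};

/* Naive conversion that trusts the server-supplied count.  For
 * units >= 2^30 the multiplication wraps, so a huge count looks small and
 * a later copy sized from it would not match what the server sends. */
uint32_t unchecked_payload_bytes(uint32_t units) {
    return units * 4u;
}

/* Overflow-aware conversion: returns 1 and stores the size on success,
 * 0 when the count cannot be represented in 32 bits. */
int checked_payload_bytes(uint32_t units, uint32_t *out) {
    if (units > UINT32_MAX / 4u)
        return 0;
    *out = units * 4u;
    return 1;
}

/* Parse one reply from a received buffer and copy its payload into dst.
 * Every size taken from the wire is validated against the bytes actually
 * received and against the destination before it is used. */
enum reply_status parse_reply(const uint8_t *buf, size_t buf_len,
                              uint8_t *dst, size_t dst_len,
                              size_t *payload_len) {
    if (buf_len < REPLY_HDR_LEN)
        return REPLY_TRUNCATED_HEADER;

    uint32_t units = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                     ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    uint32_t bytes;
    if (!checked_payload_bytes(units, &bytes))
        return REPLY_LENGTH_OVERFLOW;
    if (bytes > MAX_PAYLOAD_BYTES || bytes > dst_len)
        return REPLY_TOO_LARGE;
    if (bytes > buf_len - REPLY_HDR_LEN)
        return REPLY_TRUNCATED_PAYLOAD;

    memcpy(dst, buf + REPLY_HDR_LEN, bytes);
    *payload_len = bytes;
    return REPLY_OK;
}

int main(void) {
    /* Constructed sample replies: one honest, two malformed. */
    const uint8_t good[] = {2, 0, 0, 0, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'};
    const uint8_t huge[] = {0, 0, 0, 0x40, 0, 0, 0, 0};      /* units = 2^30 */
    const uint8_t lie[]  = {0x10, 0, 0, 0, 1, 2, 3, 4};      /* claims 64 bytes */
    uint8_t dst[64];
    size_t n = 0;

    printf("good: status %d, %zu bytes\n",
           parse_reply(good, sizeof good, dst, sizeof dst, &n), n);
    printf("huge: unchecked size %u, status %d\n",
           unchecked_payload_bytes(0x40000000u),
           parse_reply(huge, sizeof huge, dst, sizeof dst, &n));
    printf("lie:  status %d\n",
           parse_reply(lie, sizeof lie, dst, sizeof dst, &n));
    return 0;
}
```

The point for a defender is the order of the checks: the count is first shown to be representable, then bounded by policy and by the destination, and only then compared with what was actually received, so a rogue server can at most get its reply rejected.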



More information about the freebsd-x11 mailing list