Security issues
kaltheat at googlemail.com
kaltheat at googlemail.com
Thu May 30 07:15:40 UTC 2013
On Tue, May 28, 2013 at 12:45:50PM +0200, Niclas Zeising wrote:
> On 2013-05-27 23:11, kaltheat at googlemail.com wrote:
> >
> > Hi,
> >
> > don't know if I'm right here, but there seem to be various security issues with
> > X-libs[1] and portaudit isn't complaining about it, it's not listed in vuxml
> > either. I think it would be right to list the warnings.
>
> The issues are known, but not very serious. We are waiting for proper
> releases from freedesktop to not have to juggle a ton of local patches,
> which quickly becomes a nightmare.
> Regards!
> --
> Niclas
Why are these issues considered to be not very serious?
I read somewhere that when xorg-server is compiled with setuid bit set an attacker
could gain root access by using buffer overflow technique. I think that SUID is a
default option.
And why wouldn't it be fine if users get informed about this by portaudit or vuxml
and they can decide on their own what they consider serious and what not?
I understand that patching could become a nightmare, but I would think that under
certain circumstances it would be right to dream that nightmare. But where is
that red line after that patching would be the right thing?
I don't want to blame anyone or call the expertise of port maintainers into
question, I only want to learn.
Regards,
kaltheat
More information about the freebsd-x11
mailing list