X.org Security Advisory: multiple security issues X.Org X server and Xwayland (lists.x.org)
178 points by birdculture a day ago
dingdingdang 16 hours ago
Wonder how these play out against the https://github.com/X11Libre/xserver base, would be interesting to hear from that end as to how these things are handled. My understanding is that they address any sec issues that arise on x.org but it would be fascinating if the issues are already mitigated since XLibre updated their xserver port with 1000s of issues that were never addressed on the x.org side of things.
richard_todd 15 hours ago
On their github you can see all three changes identical to x.org's happened on October 28th (same day as the advisory). So, they were not already fixed, but the fixes were applied immediately.
forgotpwd16 5 hours ago
XLibre looks nice with lots of work happening in only 5 months.
immibis an hour ago
The problem with XLibre is political, not technical. When they came out they made a big deal of being the anti-woke free-speech no-vaccine-mandate alternative to woke cancel-culture Xorg, which instantly ruined their reputation before it even began.
throw83940404 13 hours ago
This project has way more serious problem than security!
alsothrowaway 9 hours ago
What problem does the project have, other than being a target of radical cancel culture?
asveikau 9 hours ago
That's the fork where the primary cause was to be "anti-woke", right? Honestly it seemed like it was just because that one guy was a little unbalanced, and he happened to be channeling that energy into an X server fork.
nofriend 9 hours ago
No, the primary cause was that the main xorg project wasn't accepting the dev's patches any more.
themerone 10 hours ago
That project is a pipe dream. They don't have what it takes to keep X11 alive once X.Org pulls the plug.
mmcgaha 10 hours ago
I bet you are the life of the party. Seriously though, what makes you write that so matter of factly?
rwmj 20 hours ago
Good that people are finding and fixing these, but basically allowing any untrusted client to talk to your X server is asking for trouble just by design. (Bonus points if you have any Tcl/Tk apps running, where you can simply transmit commands for the program to run via the X server.)
jeroenhd 20 hours ago
There are plenty of setups where the X server runs at higher privileges/on a different host than the (partially trusted) application that might exploit the X server. This is a classic elevation of privileges vulnerability in those setups.
X11's practical absence of any security mechanisms for user sessions means you should probably not run any kind of low-trust UI program anyway, as there is no prevention of keystroke injection or screen recording, but that's a design flaw that will never be solved. That doesn't mean that EoP style attacks like these should be ignored or underestimated, though.
0xbadcafebee 18 hours ago
Why do people keep perpetuating this myth? X11 has authentication. You can either rely on filesystem permissions, or a shared secret. The same way thousands of other network servers work.
Any program you run on a computer (especially a Linux computer, which lacks modern OS security measures and has constant privesc kernel holes) exposes you to security flaws. There has yet to be any computer system designed that a hacker can't break out of. If you intentionally download and execute a program, you are rolling the dice, regardless of what the software is.
What's insane about all these discussions is that NOBODY IS HACKING X SERVERS. There's a thousand other kinds of software on Linux that there is real malware for. But nobody is trying to hijack your X11 session. This imagined threat is a red herring designed to bolster the argument for Wayland's horrible designs.
X11 had the distinction between trusted and untrusted X11 clients basically forever. But nobody bothered to even spend the minimal amount of work to make this usable in practice¹. This had two reasons: 1.) It is irrelevant when you run the programs as the same user, so nobody bothered (and no: Wayland does not help: https://github.com/Aishou/wayland-keylogger) 2.) It is more fun to simply pretend it is unfixably broken and write something new (something any good engineering manager should have stopped immediately).
¹ I used to use this and also fixed some bugs in some programs. The main problem when I last checked a decade ago was that some important extensions such as composite would need to be exposed to untrusted clients.
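Two helpers for the mechanisms 0xbadcafebee (xhost access control, shared-secret cookies) and uecker (trusted vs. untrusted clients) refer to, added here as an example and not taken from the thread or from X.Org. It assumes the xhost and xauth utilities from the X.Org apps are installed and, for run_untrusted, that a server with the SECURITY extension is reachable via $DISPLAY with a trusted cookie in the caller's authority file.

```shell
#!/bin/sh
# Added example (not from the thread or X.Org). Assumes xhost/xauth are
# installed; run_untrusted additionally needs a running X server.

# Classify `xhost` output (read from stdin). Prints "open" when access
# control is disabled, i.e. any client that can reach the socket may
# connect without a cookie, and "restricted" when only authorized clients
# (cookie holders, listed SI:localuser entries, ...) may connect.
xhost_access_state() {
    if grep -q '^access control disabled' ; then
        echo open
    else
        echo restricted
    fi
}

# Run "$@" as an untrusted X client. A separate cookie flagged "untrusted"
# makes the SECURITY extension deny that client access to other clients'
# windows, selections and input events, which is what limits keystroke
# logging and screen grabbing between clients of one server. Caveat from
# the thread: extensions such as Composite are not offered to untrusted
# clients, so some programs will fail or render differently.
run_untrusted() {
    [ -n "$DISPLAY" ] || { echo "run_untrusted: DISPLAY is not set" >&2; return 2; }
    [ $# -gt 0 ] || { echo "usage: run_untrusted PROGRAM [ARGS...]" >&2; return 2; }
    tmpauth=$(mktemp) || return 1
    # -f writes the new cookie to a private file while xauth itself connects
    # with the caller's trusted cookie; "." selects MIT-MAGIC-COOKIE-1. The
    # server revokes the cookie 60 s after the last client using it exits
    # (the timer also runs from creation until the first connect), so the
    # program is started right away. Fails if SECURITY is not available.
    if ! xauth -f "$tmpauth" generate "$DISPLAY" . untrusted timeout 60; then
        rm -f "$tmpauth"
        return 1
    fi
    status=0
    XAUTHORITY="$tmpauth" "$@" || status=$?
    rm -f "$tmpauth"
    return "$status"
}

# Interactive use:  xhost | xhost_access_state ;  run_untrusted xterm
```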
shrubble 12 hours ago
Solaris had Trusted Extensions for X11 which shipped with Trusted Solaris 8.
In 2000.
Solaris 10 had it built into the base OS and integrated into both the CDE and GNOME desktops they shipped. With OpenSolaris it was released as open source under the non-GNU CDDL license.
In November 2006.
Wayland was started in 2008.
mikkupikku 18 hours ago
I don't think I've seen X configured to run as root in probably 15 years. If anybody still does anything like that, they're literally asking for it.
Digging deeper, there have been mechanisms on the internal X side for a long time (see https://www.x.org/releases/X11R7.6/doc/xorg-docs/specs/Xserv... ) - granted, I have never seen it practically implemented.
And going down the rabbit hole, there is even a proof-of-concept security implementation named Xnamespace for the Xorg fork (needs polishing and many more patches but looks doable; see WIP documentation: https://raw.githubusercontent.com/X11Libre/xserver/d2b60a3d6... )
udev4096 17 hours ago
Any application can literally log EVERYTHING! It's good to see wayland getting better everyday
shevy-java 14 hours ago
Some oldschool legends are still fixing bugs in xorg.
Alan Coopersmith in particular. He even fixed a bug I reported. :)
(I forgot in which app it was, but the bug report should be somewhere still; it is not old, perhaps 2 years ago or 3 years ago. The xorg app in question behaved oddly when doing "--version". I only noticed this because I wrote a ruby script that displays which version of programs are installed, and that one kept on making problems, whereas the others worked fine. After I reported it, Alan fixed this very quickly. I think it was some missing flag in the C program or something like that; right now I cannot remember the name of the program ... my brain tries to say xrandr but I think it was not xrandr but a less frequently used program somewhere in the FTP listing ...)
ElectroBuffoon 3 hours ago
Keith Packard, another legend, was proposing X11 improvements in 2018. [0] He doesn't seem to be paid to work in X11 or Wayland, thus being free to float ideas he likes.
exasperaited 17 hours ago
> Bonus points if you have any Tcl/Tk apps running, where you can simply transmit commands for the program to run via the X server.
Back in 1996 the level of X integration in Tk was awesome; I had a shell tool that could make Netscape do stuff by firing MIT magic cookies at it.
In a contemporary setting, it's pretty horrifying.
ptx 11 hours ago
Didn't Netscape use Motif?
bitwize 6 hours ago
These are all "no way to prevent this, say users of only language where this regularly happens" type problems though.
The send command in Tk is lel, but can easily be effectively closed by rebinding it to a no-op.
kevin_thibedeau 15 hours ago
Coverity is pretty good about finding these kinds of bugs. Is there a reason why a project as significant as Xorg isn't taking advantage of their gratis access for that tool?
josteink 15 hours ago
I think the short story is that the people who develop Wayland are the people who used to develop Xorg.
And they’d rather spend their energy on giving you a compelling reason to switch, rather than using it to add to the reasons for staying on a project they now consider obsolete.
You may disagree with their assessment, but you can’t blame them for how they decide to prioritize.
ekvintroj 11 hours ago
The main pain in linux is graphics. It's a shame.
goneri 10 hours ago
Xorg is indeed a lot of painful complexity. This being said, the software is not Linux specific, and for modern Linux distributions, it is more and more a legacy technology.
immibis an hour ago
Our chief pain is graphics... graphics and audio... audio and graphics... our two pains are audio and graphics... and wifi hardware support... Our three pains are audio, graphics, and wifi hardware support, and an almost fanatical devotion to the command line.... Our four... no... Amongst our pains... are such elements as graphics, audio.... I'll come in again.
shevy-java 14 hours ago
Don't kill xorg! :(
samtheprogram 19 hours ago
Would Fil-C have prevented the first or third?
pizlonator 9 hours ago
By my reading, it would have prevented all of them.
pizlonator 9 hours ago
Considering how nicely Weston with SW rendering runs in Fil-C, I bet that the X server will run fine in Fil-C, too.
Fil-C exhibits the lowest overhead in code that spends its time on primitive bits.
Fil-C exhibits the highest overhead in code that chases pointers.
I'm assuming X is the former. Weston seems to be.