# Lecture: X Security - It's worse than it looks



## getopt (Aug 22, 2014)

Having seen this presentation at 30C3 as of 2014/12/29, I made up my mind not to touch xorg anymore until the situation had gotten better. This was expected to be mid-2014. However, I could not find any information about the state of cleaning up the xorg server mess.


> Ilja van Sprundel, the security researcher who reported the pile of
> client side security bugs that led to our big advisory in May, has
> given another talk on X security, this time at last week's
> 30th Chaos Communication Congress (30C3) in Hamburg, Germany.
> ...



Does someone have more information about that?


----------



## SirDice (Aug 22, 2014)

X has traditionally been a security nightmare. I don't think this has improved much in the past 15 years I've used it.


----------



## getopt (Dec 11, 2014)

Here is an update on the Xorg security mess cleanup, done by Ilja van Sprundel, a security researcher with IOActive.
Most of the issues are related to memory management, but Ilja also has some criticism for the Qt and GTK developers. The oldest bug he found was from 1987 (!).

For more see http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/



> Mitigation
> 
> While the fixes cover all the cases currently known to X.Org, these are not the first issues in this area and are unlikely to be the last.
> 
> ...


----------



## Crivens (Dec 11, 2014)

I for one am looking forward to the 31C3, maybe there is a follow up session on this. That could be interesting.


----------



## wblock@ (Dec 20, 2014)

1.14 was just committed today.  The next version in testing is 1.16.  Watch http://blogs.freebsdish.org/graphics/.


----------



## wblock@ (Dec 20, 2014)

The problem is that X interacts with so many things, including the kernel.  The FreeBSD X11 team has added members and the rate of change has increased a lot over the last year.  For security or other questions, best to ask directly on the freebsd-x11 mailing list.


----------



## gofer_touch (Dec 20, 2014)

Why is a less privileged xorg not possible on FreeBSD (or other systems, for that matter) in the manner in which it is done on OpenBSD? https://en.wikipedia.org/wiki/Xenocara


----------



## wblock@ (Dec 20, 2014)

KMS drivers require kernel support.  On FreeBSD, this is difficult because we have three different supported operating system branches with differing levels of kernel support for KMS, but only one ports tree that has to work with all of them.  Some older drivers no longer work with newer X11 servers.  So it's complicated...


----------

