Re: Xorg: Security past client auth.

To: debian-security@lists.debian.org
Subject: Re: Xorg: Security past client auth.
From: Michael Gilbert <michael.s.gilbert@gmail.com>
Date: Sun, 10 Jun 2012 17:46:29 -0400
Message-id: <[🔎] CANTw=MM5bRXg-WmF32He2Usbz49D7x31MO_M-6+SG3heVoBQww@mail.gmail.com>
In-reply-to: <[🔎] 4FD4C539.7040300@mikemestnik.net>
References: <[🔎] 4FD4C539.7040300@mikemestnik.net>

On Sun, Jun 10, 2012 at 12:03 PM, Mike Mestnik
<cheako+debian-security@mikemestnik.net> wrote:
> To be honest I can't say one way or another about weather there are
> security issues in X if one has malicious clients connected.
>
> However I'm not having success discussing these matters over at
> xorg-devel@lists.x.org.  I'm not the most likable person and I've even
> recently discovered that there a ppl who won't hesitate to pick on me.
> I can understand why ppl don't like me and that I have issues correctly
> expressing myself, even so I belive that what I'm trying to say is
> important.  I believe that a discussion and perhaps further
> documentation on the security of X and more importantly the future
> security of X is overdue.
>
> For the purposes of this discussion I'd like to use a vary loose
> definition for malicious clients, to include any client running on a
> remote(from the X server) system.  I believe that any system can be
> compromised and thus unknowingly be running a rootkit.  There should be
> layers of security that would limit the effectiveness of such an attack.
>  I belive doing so will cause Malicious Programmers and Users to be less
> likely to develop and deploy rootkits that have hooks into xclients to
> attack remote X servers.
>
> Therefore it's my assumption that a lack of security in this area would
> make the once Network Transparent Windows System, less useful over any
> network and promote the spread of any type of rootkit.
>
> This started after I read A LWN article about the [1]story of the XInput
> multitouch extension.  It seams that this extension may leak sensitive
> information to malicious clients.
>
> 1. http://lwn.net/Articles/485484/
>
> I wanted to discuss the issue with the grater X community, believing
> that what code to accept and reject as patches was indeed on-topic for
> xorg-devel@lists.x.org I [2]posted over there first.
>
> 2. http://lists.x.org/archives/xorg-devel/2012-June/031561.html
>
> I was eventually moderated and have lost my ability to speak in that
> forum.  This alone tells me that I need to keep trying, there is
> obviously some form of oppression going on here as me myself have been
> oppressed.

By default, the Debian X packages launch with "-nolisten tcp" to avoid
the inherent issues in xorg's tcp implementation.  You can however
still access remote X via ssh or other more secure means.

Actions speak loader than words, so if you can demonstrate the
weakness some existing unfixed issue, then by all means, that is a
much better way to communicate your message.

Best wishes,
Mike

Reply to:

References:
- Xorg: Security past client auth.
  - From: Mike Mestnik <cheako+debian-security@mikemestnik.net>

Prev by Date: Xorg: Security past client auth.
Next by Date: 订单 981
Previous by thread: Xorg: Security past client auth.
Next by thread: 订单 981
Index(es):
- Date
- Thread