[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Xorg: Security past client auth.

On Sun, Jun 10, 2012 at 12:03 PM, Mike Mestnik
<cheako+debian-security@mikemestnik.net> wrote:
> To be honest I can't say one way or another about weather there are
> security issues in X if one has malicious clients connected.
> However I'm not having success discussing these matters over at
> xorg-devel@lists.x.org.  I'm not the most likable person and I've even
> recently discovered that there a ppl who won't hesitate to pick on me.
> I can understand why ppl don't like me and that I have issues correctly
> expressing myself, even so I belive that what I'm trying to say is
> important.  I believe that a discussion and perhaps further
> documentation on the security of X and more importantly the future
> security of X is overdue.
> For the purposes of this discussion I'd like to use a vary loose
> definition for malicious clients, to include any client running on a
> remote(from the X server) system.  I believe that any system can be
> compromised and thus unknowingly be running a rootkit.  There should be
> layers of security that would limit the effectiveness of such an attack.
>  I belive doing so will cause Malicious Programmers and Users to be less
> likely to develop and deploy rootkits that have hooks into xclients to
> attack remote X servers.
> Therefore it's my assumption that a lack of security in this area would
> make the once Network Transparent Windows System, less useful over any
> network and promote the spread of any type of rootkit.
> This started after I read A LWN article about the [1]story of the XInput
> multitouch extension.  It seams that this extension may leak sensitive
> information to malicious clients.
> 1. http://lwn.net/Articles/485484/
> I wanted to discuss the issue with the grater X community, believing
> that what code to accept and reject as patches was indeed on-topic for
> xorg-devel@lists.x.org I [2]posted over there first.
> 2. http://lists.x.org/archives/xorg-devel/2012-June/031561.html
> I was eventually moderated and have lost my ability to speak in that
> forum.  This alone tells me that I need to keep trying, there is
> obviously some form of oppression going on here as me myself have been
> oppressed.

By default, the Debian X packages launch with "-nolisten tcp" to avoid
the inherent issues in xorg's tcp implementation.  You can however
still access remote X via ssh or other more secure means.

Actions speak loader than words, so if you can demonstrate the
weakness some existing unfixed issue, then by all means, that is a
much better way to communicate your message.

Best wishes,

Reply to: