2y ago

X.Org Hit By New Security Vulnerabilities - Two Date Back To 1988 With X11R2

www.phoronix.com

Just a moment...

Made public today was CVE-2023-43785 as an out-of-bounds memory access within the libX11 code that has been around since 1996. A second libX11 flaw is stack exhaustion from infinite recursion within the PutSubImage() function of libX11... This vulnerability has been around since X11R2 in February of 1988.

Due to these issues coming to light, libX11 1.8.7 and libXpm 3.5.17 were released today with the necessary security fixes. More details on these latest X.Org security vulnerabilities via today's X.Org security advisory.

21 comments

--my-next-video-card-wont-be-nvidia
- Even if you have an nvidia card, it's... fine now? With a 1080Ti, and Plasma, I haven't really had any issues on the Wayland session, that aren't straight up KDE bugs
  
  Even if you have an nvidia card, it’s… fine now?
  Until the next NVidia-specific workaround is required.
  
  Still no VRR support which is likely a dealbreaker for many.
  
  Series 10 is safe to use in wayland?
  
  Same, am happily using an NVidia 3060 laptop with Wayland+Plasma. Playing BG3 and Guildwars2 on Proton+Xwayland. Got a Plasma panel freezing bug (that's applicable to non-Intel GPU's) that fortunately had a workaround so I'm fine.
  So for some use cases at least it's OK. They seem to be working more on Wayland now: In the next driver they're fixing a number of things bothering some people like v-sync and Vulkan on Prime. They also have a ticket in progress for nightlight (GAMMALUT support) but not sure what version it's headed for.
- --unsupported-gpu
This is the best summary I could come up with:
It was a decade ago that a security researcher commented on X.Org Server security being even "worse than it looks" and that the GLX code for example was "80,000 lines of sheer terror" and hundreds of bugs being uncovered throughout the codebase.
In 2023 new X.Org security vulnerabilities continue to be uncovered, two of which were made public today and date back to X11R2 code from the year 1988.
Made public today was CVE-2023-43785 as an out-of-bounds memory access within the libX11 code that has been around since 1996.
A second libX11 flaw is stack exhaustion from infinite recursion within the PutSubImage() function of libX11...
Two libXpm vulnerabilities were also disclosed today related to out-of-bounds reads and both of those date back to 1998.
Due to these issues coming to light, libX11 1.8.7 and libXpm 3.5.17 were released today with the necessary security fixes.
The original article contains 196 words, the summary contains 144 words. Saved 27%. I'm a bot and I'm open source!
FYI, Ubuntu/Pop!_OS have already pushed out updates.
Holy cats.
All the more reason to switch to Wayland

21 comments