Date:      Thu, 30 May 2013 09:15:24 +0200
From:      kaltheat@googlemail.com
To:        Niclas Zeising <zeising@freebsd.org>
Cc:        freebsd-x11@FreeBSD.org
Subject:   Re: Security issues
Message-ID:  <20130530071524.GA15626@sol>
In-Reply-To: <51A48ADE.1060503@freebsd.org>
References:  <20130527211100.GA5517@sol> <51A48ADE.1060503@freebsd.org>

On Tue, May 28, 2013 at 12:45:50PM +0200, Niclas Zeising wrote:
> On 2013-05-27 23:11, kaltheat@googlemail.com wrote:
> > 
> > Hi,
> > 
> > I don't know if I'm right here, but there seem to be various security issues with
> > X-libs[1], and portaudit isn't complaining about them; they aren't listed in vuxml
> > either. I think it would be right to list the warnings.
> 
> The issues are known, but not very serious.  We are waiting for proper
> releases from freedesktop to not have to juggle a ton of local patches,
> which quickly becomes a nightmare.
> Regards!
> -- 
> Niclas

Why are these issues considered to be not very serious?
I read somewhere that when xorg-server is compiled with the setuid bit set, an attacker
could gain root access using a buffer overflow. I think that SUID is a
default option.
And why wouldn't it be fine if users were informed about this by portaudit or vuxml,
so they could decide on their own what they consider serious and what not?

I understand that patching could become a nightmare, but I would think that under
certain circumstances it would be right to dream that nightmare. But where is
that red line after which patching would be the right thing?

I don't want to blame anyone or call the expertise of port maintainers into
question; I only want to learn.

Regards,
kaltheat
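The message above hinges on whether the X server is actually installed setuid root, since that is what turns a server-side buffer overflow into a root compromise. The script below is an added example, not part of the thread or of the FreeBSD ports tree; it checks the setuid bit on a binary with a portable find(1) predicate. The path /usr/local/bin/Xorg is an assumption about where a ports-built X.Org server lands and can be overridden with XORG_BIN.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify whether an X server
# binary carries the setuid bit, the precondition the message describes for a
# buffer overflow in xorg-server to yield root.

# Return 0 if the file exists and has the setuid bit (mode 4000) set, 1 otherwise.
# "find -prune -perm -4000" is POSIX and behaves the same on FreeBSD and Linux,
# unlike the differing stat(1) flags on the two systems.
is_setuid() {
    f="$1"
    [ -e "$f" ] || return 1
    [ -n "$(find "$f" -prune -perm -4000 2>/dev/null)" ]
}

# Print a verdict for one path. ls output is included so the reader can see
# whether the setuid target is root or some other account.
check_xserver() {
    f="$1"
    if is_setuid "$f"; then
        printf 'SETUID: %s (%s)\n' "$f" "$(ls -l "$f")"
        return 0
    fi
    printf 'not setuid or missing: %s\n' "$f"
    return 1
}

# Assumed install path for an X.Org server built from FreeBSD ports; adjust as needed.
XORG_BIN="${XORG_BIN:-/usr/local/bin/Xorg}"

# Run the check when executed directly; a non-zero result here is informational.
check_xserver "$XORG_BIN" || :
```

A setuid result on its own is the reason to care about server-side memory-safety bugs; pairing it with the output of portaudit (or, on later systems, pkg audit) tells you whether the installed version has an entry in vuxml.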
