On 2020-11-18 20:29, Demi M. Obenour wrote:
> On 11/16/20 1:30 AM, Keith Packard wrote:
>> Alan Coopersmith <[email protected]> writes:
>>
>>> Since this is now public, we can open up the discussion of how to fix it in
>>> public as well, and hope we can make more progress than the security list
>>> did during the embargo phase.
>>
>> I've got a proposed fix for this issue in two merge requests, one for
>> xcb and the other for the X server:
>>
>> https://gitlab.freedesktop.org/xorg/lib/libxcb/-/merge_requests/10
>> https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/546
>>
>> These two changes enable code used on Mac OS X for all other platforms.
>> This code allows the X listen socket to be placed anywhere in the file
>> system. Systems which currently place that in /tmp are vulnerable to the
>> bug reported above. Placing this listen socket in a protected location
>> should prevent un-privileged applications from spoofing the X server for
>> the user.
>>
>> Patches for ssh will be needed to close the security issue when
>> forwarding X connections through that.
>
> Do those MRs also prevent clients and servers from using abstract
> sockets? Those are inherently insecure, so support for them should
> probably just be removed. Additionally, will libX11 also be updated?
>
> Sincerely,
>
> Demi

Hi!

Thank you for working on this!

I'm a bit unsure how this is to be handled on non-Linux systems.
FreeBSD doesn't have /run/, as suggested as a place for the socket
somewhere in the thread, for instance. I'm not sure I understand how
the socket and related files are created, and their life cycle. Does
the X server create them on startup, or are they created some other way?
With the proposed changes above, where will sockets be put, at which
stage, and with which permissions?

Thank you!

Regards
--
Niclas Zeising
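
The following is an added example, not part of the original thread and not code from the linked merge requests: a C check that a client could apply before connecting to a UNIX-domain display socket, refusing abstract addresses and sockets whose directory other users can write to. The function names and the policy (directory owned by root or the expected user, no group/other write bit, immediate parent only) are assumptions.

```c
/* Added example: hypothetical helpers, not code from libxcb or the X server. */
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Assumed policy for a "protected location": a real directory (lstat, so a
 * symlink fails), owned by root or expected_uid, with no group/other write
 * bit. A sticky, world-writable directory such as a typical /tmp fails. */
int socket_dir_is_protected(const char *dir, uid_t expected_uid)
{
    struct stat st;

    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != expected_uid)
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Returns 1 if the address may be used for a display connection.
 * Abstract sockets (sun_path starts with NUL) and relative paths are
 * refused. Only the immediate parent directory is checked; its ancestors
 * are assumed to be trusted. */
int display_socket_acceptable(const struct sockaddr_un *sa, uid_t expected_uid)
{
    char dir[sizeof(sa->sun_path)];
    char *slash;

    if (sa->sun_family != AF_UNIX || sa->sun_path[0] != '/')
        return 0;
    memcpy(dir, sa->sun_path, sizeof(dir));
    dir[sizeof(dir) - 1] = '\0';
    slash = strrchr(dir, '/');      /* never NULL: dir[0] is '/' */
    if (slash == dir)
        slash++;                    /* socket directly under "/" */
    *slash = '\0';
    return socket_dir_is_protected(dir, expected_uid);
}
```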