On 12/30/25 12:44, Vladimir Dergachev wrote:
> On Tue, 30 Dec 2025, Alan Coopersmith wrote:
>> _XEatDataWords is a function introduced in the security patches described on
>> https://www.x.org/wiki/Development/Security/Advisory-2013-05-23/
>
> Just want to add that the security issue affects libX11 and not Xserver. And
> since libX11 is userspace it does not lead to privilege escalation.

Unless libX11 is being used in an application with raised privileges (like a
setuid program) - which is a bad idea, and developers should use privilege
separation between the GUI part of an application and the part that needs higher
privileges, but not everyone did, and if you're trying to run a program that
needs a 10+ year old version of the Xprint library, poor choices may have been
made.  For instance, the programs included with the ancient CDE desktop had many
examples of vulnerabilities caused by running the GUI code in a setuid program.

--
        -Alan Coopersmith-                 [email protected]
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
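The privilege separation recommended above, as an added example that is not code from this message, libX11, Xprint or CDE: a setuid program forks, the child permanently drops privileges before running any GUI code (a stand-in `gui_main` here, since no X connection is made), and the privileged parent answers only a fixed-size, allowlisted request protocol over a socketpair. The opcodes, the `ask` helper and the request/response structs are assumptions made for illustration.

```c
/* Added example of GUI/privilege separation for a setuid program.
 * Not from libX11, Xprint or CDE: the request protocol, opcodes and the
 * gui_main stand-in are assumptions made for illustration. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed-size messages: the privileged side never parses variable-length data. */
enum { REQ_GET_CONFIG = 1, REQ_WRITE_SPOOL = 2 };
struct req { uint8_t op; uint8_t pad[3]; uint32_t arg; };
struct rsp { int32_t status; };

/* Permanently give up setuid/setgid privilege before touching untrusted input
 * (X protocol replies, user files).  Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Verify the drop stuck: effective ids match the real ones ... */
    if (geteuid() != uid || getegid() != gid) return -1;
    /* ... and root cannot be regained through a lingering saved uid. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Privileged parent: service one request from a short allowlist.
 * Returns 1 (served), 0 (peer closed) or -1 (protocol error). */
static int serve_one(int fd)
{
    struct req r;
    struct rsp a = { .status = -1 };
    ssize_t n = read(fd, &r, sizeof r);   /* 8-byte messages; loop on short reads in production */
    if (n == 0) return 0;
    if (n != (ssize_t)sizeof r) return -1;
    switch (r.op) {
    case REQ_GET_CONFIG: a.status = (r.arg < 16) ? (int32_t)r.arg : -1; break; /* bounds-checked */
    case REQ_WRITE_SPOOL: a.status = 0; break;  /* the privileged file open would happen here */
    default: a.status = -1; break;              /* unknown op: refuse, never interpret */
    }
    if (write(fd, &a, sizeof a) != (ssize_t)sizeof a) return -1;
    return 1;
}

/* Loop until the GUI child closes its end.  Returns requests served or -1. */
int privileged_server(int fd)
{
    int served = 0, rc;
    while ((rc = serve_one(fd)) == 1) served++;
    return rc < 0 ? -1 : served;
}

/* Unprivileged child's only way to reach privilege: one narrow round trip. */
static int32_t ask(int fd, uint8_t op, uint32_t arg)
{
    struct req r = { .op = op, .arg = arg };
    struct rsp a;
    if (write(fd, &r, sizeof r) != (ssize_t)sizeof r) return -1;
    if (read(fd, &a, sizeof a) != (ssize_t)sizeof a) return -1;
    return a.status;
}

/* Stand-in for the GUI code that would link libX11 (assumption: no real X
 * connection is opened).  Runs only after privileges are dropped.
 * Returns the number of requests that did not behave as expected. */
static int gui_main(int fd)
{
    int failures = 0;
    if (ask(fd, REQ_GET_CONFIG, 3) != 3) failures++;   /* allowed op, in range */
    if (ask(fd, REQ_WRITE_SPOOL, 0) != 0) failures++;  /* allowed op */
    if (ask(fd, 99, 0) != -1) failures++;              /* unknown op must be refused */
    return failures;
}

/* Fork into a privileged parent and an unprivileged GUI child joined by a
 * socketpair.  Returns the child's failure count (0 = all good) or -1. */
int run_privsep(int *served_out)
{
    int sv[2], status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: drop privilege, then run the GUI */
        close(sv[0]);
        if (drop_privileges() != 0) _exit(100);
        int f = gui_main(sv[1]);
        close(sv[1]);
        _exit(f);
    }
    close(sv[1]);                         /* parent: keep privilege, serve requests */
    int served = privileged_server(sv[0]);
    close(sv[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    if (served_out) *served_out = served;
    return WEXITSTATUS(status);
}

int main(void)
{
    int served = 0;
    int rc = run_privsep(&served);
    printf("child failures: %d, requests served by privileged parent: %d\n", rc, served);
    return rc == 0 ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall privsep.c`; run as an ordinary user it exercises the same fork/drop/serve path a setuid binary would, and `drop_privileges` fails loudly rather than silently if the effective ids do not change. The point of the shape is that a memory-safety bug in the GUI side (the libX11 reply-parsing code the advisory above patched) lands in a process that has already lost its privileges, and the only thing that process can ask the privileged parent to do is one of two fixed operations.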
