On Sun, Jun 10, 2012 at 12:03 PM, Mike Mestnik <cheako+debian-secur...@mikemestnik.net> wrote:
> To be honest I can't say one way or another about whether there are
> security issues in X if one has malicious clients connected.
>
> However I'm not having success discussing these matters over at
> xorg-de...@lists.x.org. I'm not the most likable person and I've even
> recently discovered that there are people who won't hesitate to pick on me.
> I can understand why people don't like me and that I have issues correctly
> expressing myself; even so I believe that what I'm trying to say is
> important. I believe that a discussion and perhaps further
> documentation on the security of X, and more importantly the future
> security of X, is overdue.
>
> For the purposes of this discussion I'd like to use a very loose
> definition for malicious clients, to include any client running on a
> remote (from the X server) system. I believe that any system can be
> compromised and thus unknowingly be running a rootkit. There should be
> layers of security that would limit the effectiveness of such an attack.
> I believe doing so will cause malicious programmers and users to be less
> likely to develop and deploy rootkits that have hooks into X clients to
> attack remote X servers.
>
> Therefore it's my assumption that a lack of security in this area would
> make the once network-transparent window system less useful over any
> network and promote the spread of any type of rootkit.
>
> This started after I read an LWN article about the [1] story of the XInput
> multitouch extension. It seems that this extension may leak sensitive
> information to malicious clients.
>
> 1. http://lwn.net/Articles/485484/
>
> I wanted to discuss the issue with the greater X community, believing
> that what code to accept and reject as patches was indeed on-topic for
> xorg-de...@lists.x.org, so I [2] posted over there first.
>
> 2. http://lists.x.org/archives/xorg-devel/2012-June/031561.html
>
> I was eventually moderated and have lost my ability to speak in that
> forum. This alone tells me that I need to keep trying; there is
> obviously some form of oppression going on here, as I myself have been
> oppressed.
By default, the Debian X packages launch with "-nolisten tcp" to avoid the inherent issues in xorg's TCP implementation. You can however still access remote X via ssh or other more secure means. Actions speak louder than words, so if you can demonstrate the weakness in some existing unfixed issue, then by all means, that is a much better way to communicate your message.

Best wishes,
Mike

Archive: http://lists.debian.org/CANTw=mm5brxg-wmf32he2usbz49d7x31mo_m-6+sg3hevob...@mail.gmail.com
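As an added example (my own, not code from the thread or from Debian's packaging): a POSIX sh audit of the two things the reply relies on, namely whether the local X server was started with "-nolisten tcp" and whether anything in the X display port range is listening on a non-loopback address, followed by the ssh invocation that brings a remote client to the display without exposing TCP at all. The "ss -ltn" listings are constructed, the X server process name Xorg and the user@host argument are assumptions, and the ss/ps flags are the standard iproute2/procps ones.

```shell
#!/bin/sh
# Added example, not part of the thread: audit whether a local X server
# is reachable over TCP, and open a remote client through ssh instead.
# The "ss"/"ps" flags are standard iproute2/procps; the sample listings
# below are constructed, not captured from a real host.

# Return 0 when an X server command line lacks "-nolisten tcp", i.e. the
# server may accept raw TCP connections on port 6000+display; 1 otherwise.
x_cmdline_may_listen_tcp() {
    case " $1 " in
        *" -nolisten tcp "*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Return 0 when an "ss -ltn" listing shows a listener in the X port range
# (6000-6063) bound to something other than loopback, 1 otherwise.
# Loopback listeners in that range are normal: ssh's X11 forwarding binds
# 127.0.0.1:6010 and up for the virtual displays it hands to remote clients.
x_tcp_listener_exposed() {
    printf '%s\n' "$1" | awk '
        NR > 1 {
            n = split($4, a, ":"); port = a[n] + 0
            if (port >= 6000 && port <= 6063 &&
                $4 !~ /^127\./ && $4 !~ /^\[::1\]/)
                found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed "ss -ltn" output: an X server listening on all interfaces.
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    *:6000             *:*'

# Constructed "ss -ltn" output: only sshd plus one ssh X11-forwarding
# display on loopback, which is what "-nolisten tcp" + ssh looks like.
SS_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:6010     0.0.0.0:*'

# Live audit of this host (needs procps and iproute2). The server process
# name is assumed to be Xorg; adjust for Xvnc, Xwayland and the like.
audit_local_x() {
    cmdline=$(ps -o args= -C Xorg 2>/dev/null | head -n 1)
    if [ -n "$cmdline" ] && x_cmdline_may_listen_tcp "$cmdline"; then
        echo "WARN: Xorg started without -nolisten tcp: $cmdline"
    fi
    if x_tcp_listener_exposed "$(ss -ltn 2>/dev/null)"; then
        echo "WARN: X display port listening on a non-loopback address:"
        ss -ltn | awk 'NR > 1 && $4 ~ /:60[0-6][0-9]$/'
    fi
}

# Run a remote client over ssh rather than raw TCP. With untrusted
# forwarding (ForwardX11Trusted=no, which is what -X means in stock
# OpenSSH) the remote client is given an "untrusted" cookie and the X
# SECURITY extension keeps it from, for example, reading the contents of
# trusted clients' windows. -Y (trusted) hands it a full-access cookie;
# use that only for hosts you trust as much as your own display.
run_remote_client() {
    ssh -X -o ForwardX11Trusted=no "$1" xterm   # "$1" = user@host (assumed)
}

case "${1:-}" in --live) audit_local_x ;; esac
```

Run it with --live on the host you want to check. ForwardX11Trusted=no is passed explicitly because a "ForwardX11Trusted yes" in ssh_config would otherwise make -X behave like -Y; be aware that untrusted forwarding also breaks clients that need extensions the SECURITY policy denies, so some applications will fail under it and that failure is the point.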