Multiple security issues in the X.Org X server and Xwayland disclosed, new versions released
Posted by Liam-DGOL@reddit | linux | 24 comments
mina86ng@reddit
Anyone read through the vulnerabilities? The way I understand them it only really affects forwarded connections and applications run in containers of some sort. In all other cases, this sounds like ‘program which has full access to all my data, can gain access to my data through X.Org exploit’.
natermer@reddit
X11 is a network protocol and XServer is a network server.
It is just relatively rare for people to use it as such because of, well, obvious reasons.
Also it would suck to have XWayland exploits be used to circumvent sandbox restrictions in Wayland.
So just be happy they are fixed. I am.
mina86ng@reddit
That’s what I meant by forwarded connection.
Wayland sandboxing restrictions still cannot be circumvented though, can they? As far as I understand, XWayland is its own Wayland client so it only has access to its data.
natermer@reddit
There is a single XWayland server running rootless in most desktop scenarios. So I figured the danger would be from one X Client to another.
mina86ng@reddit
X clients can already access each other's data.
TheOneTrueTrench@reddit
In theory, you could set things up to run each X application in a separate XWayland server. It would probably be a nightmare to set up that way, but it would be possible.
syldrakitty69@reddit
Although it's (almost) never set up this way anymore, there was a time when Xorg running as root was common.
CVE-2025-49180 is described as "integer overflow when computing size of allocation" which is a nice way of saying it's probably a heap overflow bug, which makes it potentially exploitable.
There are also cases other than explicit app sandboxing where you want extra security. Firefox/Chromium/Electron have a sandbox process for handling media decoding, which has a handle to the X server. Anything that possibly results in information disclosure or arbitrary code execution then allows an attack to breach that sandbox.
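An added illustration of the bug class named in the comment above (an integer overflow when computing an allocation size), not part of the thread and not X.Org code: the unchecked size computation beside a checked one. The `request` struct, its fields and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed request layout for illustration; not an X11 wire structure. */
struct request {
    uint32_t count;      /* number of items the client says it is sending */
    uint32_t item_size;  /* bytes per item */
};

/* Unchecked: the 32-bit product wraps modulo 2^32, so a huge count can
 * yield a tiny allocation size while later loops still trust count. */
uint32_t alloc_size_unchecked(const struct request *r)
{
    return r->count * r->item_size;
}

/* Checked: refuse products that overflow size_t or exceed a sane cap.
 * Returns 0 and stores the size on success, -1 on rejection. */
int alloc_size_checked(const struct request *r, size_t cap, size_t *out)
{
    if (r->item_size != 0 && r->count > SIZE_MAX / r->item_size)
        return -1;
    size_t total = (size_t)r->count * r->item_size;
    if (total > cap)
        return -1;
    *out = total;
    return 0;
}

/* Copy the items only if the size is sane and the payload really has them. */
uint8_t *copy_items(const struct request *r, const uint8_t *payload,
                    size_t payload_len, size_t cap)
{
    size_t total;
    if (alloc_size_checked(r, cap, &total) != 0 || total > payload_len)
        return NULL;
    uint8_t *buf = malloc(total ? total : 1);
    if (buf != NULL)
        memcpy(buf, payload, total);
    return buf;
}

int main(void)
{
    struct request bad = { 0x40000001u, 4 };   /* constructed sample */
    size_t n = 0;
    printf("unchecked size: %u\n", (unsigned)alloc_size_unchecked(&bad));
    printf("checked result: %d\n", alloc_size_checked(&bad, 1u << 20, &n));
    return 0;
}
```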
LvS@reddit
The program might load data and that data can be specifically crafted to exploit bugs.
Like, you might be able to craft a cursor theme with 0 cursor images that some theming app then sends to the X server thereby allowing the theme author to exploit your machine.
mina86ng@reddit
That would require the application which reads the theme and applies it to perform no validation on the theme though.
DamonsLinux@reddit
Already fixed in all releases of OpenMandriva: Cooker (dev), ROME (rolling release) and ROCK (fixed). Also, for brave people, a fix for Xlibre is coming soon.
AiwendilH@reddit
Wait...the "doesn't take any contributions and red hat wants to kill it" Xorg has a bugfix release already but the "totally maintained and the future of X11" fork xlibre doesn't? I'm pretty sure that's a surprise to absolutely no one.
samueru_sama@reddit
I'm actually surprised xlibre already has the fixes, I don't think they had prior notice.
Jegahan@reddit
He didn't fix it himself. XLibre just took the commits from X11.
samueru_sama@reddit
Where did I say that he fixed it himself? I'm surprised they took the commits in less than 5 hours of the news coming out. Like, is that too late? Because that's the impression I get from the original comment.
Jegahan@reddit
If you want to start with this type of silly comment, I could ask the same: where did I say that you said he fixed it himself? That's not very productive though, is it?
You did imply that there was something impressive about xlibre "already having the fixes", which I thoroughly disagree with. You don't need "prior notice" to just merge somebody else's work. That is something that even a novice programmer can do. Downvoting me for adding this context is just weird. But hey, you do you.
samueru_sama@reddit
I do find it impressive that they already fixed the issue. Even if it is something simple, the news has to come out, then the maintainer has to see it, take and push the fixes.
And yet it seems that isn't quick enough...
I did not downvote you!
Now I did downvote that previous comment to prove to you it wasn't me (since you will see the extra downvote), I will remove it later xd.
Jegahan@reddit
Then the timing of the comment and downvote was just unfortunate. If it truly wasn't you, I'm sorry to have accused you.
To me, it was just important to add that precision, given the BS that the Xlibre dev spread about his former X11 colleagues, whose code he is now still using.
crazy_penguin86@reddit
That's to be expected. If it's not some code that they've changed or altered, it's incredibly easy to pull in from the original. Add, fetch, merge, push. Done.
They even say it in the PR. There's one commit that's not directly taken from Xorg.
DamonsLinux@reddit
I don't intend to get into a discussion about xserver vs xlibre, but for the sake of clarity I just need to point out that these fixes are also available in the xlibre repository too.
Jegahan@reddit
Xlibre literally just took the commit from the X11 devs. Kinda funny after the guy claimed that:
ranixon@reddit
If they port them
InfiniteSheepherder1@reddit
Pretty sure the issue with the guy's contributions was they were just bad, he broke stuff and that irked the other devs, but ya the other devs also weren't interested in updating what they see as tech that is going away. It seems the vast majority of people who have developed on X hate it and talk about how bad it is. Wayland was made by old X devs who were tired of dealing with it.
natermer@reddit
And, more ironically, Fourdan is a Red Hat employee who works on GNOME, Wayland, and XWayland components and was the creator of XFCE desktop.
ThatOneShotBruh@reddit
What do you expect when it's likely that the main developer of Xlibre caused these, lol.