[Bug 268963] x11-servers/xorg-server: 21.1.6 available
Date: Fri, 20 Jan 2023 15:08:22 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268963

--- Comment #7 from Jan Beich <jbeich@FreeBSD.org> ---

(In reply to Jochen Neumeister from comment #5)
> Since the update contains CVEs, can a vuxml entry be added as a patch?

https://vuxml.freebsd.org/freebsd/9fa7b139-c1e9-409e-bed0-006aadcf5845.html

Example attack vectors:
- "ssh -X" to an untrusted host (maybe running Linux)
- Run an untrusted GUI application inside a jail (maybe via linuxulator)
- [indirect] Open an untrusted page in a vulnerable web browser (e.g., webkit2-gtk3, qt5-webengine)

Severity on FreeBSD:
- "Xorg" runs under root (via setuid bit) unlike Linux/OpenBSD
- No sandboxing in "Xorg" unlike OpenBSD or any web browser unlike Windows/macOS/Linux/OpenBSD
- GNOME and KDE cannot use Wayland as a workaround (until xorg-server is updated)
- "pkg audit" doesn't query CVE database (for more indirect attack vectors)

Disclaimer: I'm not familiar with security analysis, not part of x11@ team and don't use xorg-server.

-- 
You are receiving this mail because:
You are the assignee for the bug.
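An added read-only audit (example code, not part of the bug report or of the xorg-server port) that checks the two FreeBSD conditions the comment lists: whether the installed xorg-server is below the fixed 21.1.6 and whether the Xorg binary is setuid. The 21.1.6 threshold comes from the report; the path /usr/local/bin/Xorg and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: read-only audit of the two
# FreeBSD conditions the comment lists. The 21.1.6 threshold is from the
# report; the Xorg path and helper names are assumptions.

FIXED_VERSION="21.1.6"
XORG_BIN="/usr/local/bin/Xorg"   # assumed ports install location

# strip_port_suffix V: drop FreeBSD port revision/epoch (21.1.6_1,1 -> 21.1.6).
strip_port_suffix() {
    v=${1%%,*}
    printf '%s\n' "${v%%_*}"
}

# version_lt A B: exit 0 when dotted version A is numerically below B
# (fields compared left to right; a missing field counts as 0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$ai" = "$a" ] && a="" || a=${a#*.}
        [ "$bi" = "$b" ] && b="" || b=${b#*.}
        ai=$(printf '%s' "$ai" | tr -cd '0-9'); bi=$(printf '%s' "$bi" | tr -cd '0-9')
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# is_setuid PATH: exit 0 when PATH is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# audit_xorg: print findings; exit 1 when either risky condition holds.
audit_xorg() {
    status=0
    if command -v pkg >/dev/null 2>&1; then
        installed=$(pkg query '%v' xorg-server 2>/dev/null || true)
        if [ -n "$installed" ] && version_lt "$(strip_port_suffix "$installed")" "$FIXED_VERSION"; then
            echo "xorg-server $installed is older than $FIXED_VERSION: update it"; status=1
        fi
    fi
    if is_setuid "$XORG_BIN"; then
        echo "$XORG_BIN is setuid: the server runs as root"; status=1
    fi
    return $status
}

[ "${1:-}" = "--run" ] && audit_xorg
```

Run it as `sh audit_xorg.sh --run` on the FreeBSD host; a non-zero exit means at least one of the two conditions holds.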