[Security] multiple vulnerabilities in the X server - Slackware



Thread: [Security] multiple vulnerabilities in the X server

  1. [Security] multiple vulnerabilities in the X server

    Hello,

    X.Org has published a security advisory, which informs about several
    vulnerabilities in the X server, which could cause privilege escalation:

    http://lists.freedesktop.org/archive...ry/031918.html

    So far, there is no patch for Slackware available. Just publishing here,
    for the case, someone has missed it and wants to create a new package on
    his own.

    CU

    Manuel (who hopes, we'll soon get a patch...)


  2. Re: [Security] multiple vulnerabilities in the X server

    On 2008-01-25, Manuel Reimer wrote:
    > Hello,
    >
    > X.Org has published a security advisory, which informs about several
    > vulnerabilities in the X server, which could cause privilege escalation:
    >
    > http://lists.freedesktop.org/archive...ry/031918.html
    >
    > So far, there is no patch for Slackware available. Just publishing here,
    > for the case, someone has missed it and wants to create a new package on
    > his own.
    >
    > CU
    >
    > Manuel (who hopes, we'll soon get a patch...)
    >


    Thanks for your good intentions.

    I just checked in the closet and under the bed. No malicious hackers
    there.

    Do you think they might be disguised as ordinary pieces of furniture?
    Or maybe they are in the basement dressed up to resemble earwigs
    and salamanders?

    I've seen a thousand security alerts like this, and ignored every one
    of them and all the supposed sage advice of the security experts and
    just exercised common sense.

    Never had a problem.

    Even if I did, and some malicious hacker took over my OS and even
    destroyed it, so what? I have backups.

    It really isn't worth having a tizzy fit and spending my life
    knocking myself out trying to plug alleged security holes every
    time some paranoid thinks I should.

    Near as I can tell the paranoid security experts and the malicious
    hackers are the same people....I don't trust either group.

    Just like I don't trust cops or criminals in the real world.

    As for X, I keep its networking functionality turned off (port
    6000 tcp) except when I'm expecting a remote user to connect.
    And even with it open I have to specifically make a door in
    my firewall for it, so I don't have much to worry about...

    No one I don't really trust is ever allowed to login to my box, here
    or remotely.

    Tom

    --
    calhobbit
    at gee mail dot com



  3. Re: [Security] multiple vulnerabilities in the X server

    Tom N wrote:
    >Even if I did, and some malicious hacker took over my OS and even
    >destroyed it, so what? I have backups.


    What if they take over your computer and do something illegal with it?
    Then you'll have some 'splaining to do.

    -Beej


  4. Re: [Security] multiple vulnerabilities in the X server

    Tom N wrote:
    > Even if I did, and some malicious hacker took over my OS and even
    > destroyed it, so what? I have backups.


    Good for you, you can enjoy your lonely life with your computer. You don't
    have to worry about whether you, the single user on your computer, will
    become root without permission.

    Others, who are responsible for many computers in a corporate or school
    environment, will have to take messages like this more seriously. In those
    environments most users are not supposed to have root privileges. Also,
    in those environments you must assume there are people who want to gain
    information they shouldn't have.

    regards Henrik
    --
    The address in the header is only to prevent spam. My real address is:
    hc3(at)poolhem.se Examples of addresses which go to spammers:
    root@localhost postmaster@localhost


  5. Re: [Security] multiple vulnerabilities in the X server

    On 2008-01-25, Beej Jorgensen wrote:
    > Tom N wrote:
    >>Even if I did, and some malicious hacker took over my OS and even
    >>destroyed it, so what? I have backups.
    >
    > What if they take over your computer and do something illegal with it?
    > Then you'll have some 'splaining to do.


    Golly! What if a meteor fell out of the sky and hit me on the head?

    Paranoia has no limits. I don't play that foolish game.

    Wasn't I clear in my first post, Henny Penny?

    Tom

    --
    calhobbit
    at gee mail dot com


  6. Re: [Security] multiple vulnerabilities in the X server

    On 2008-01-25, Henrik Carlqvist wrote:
    > Tom N wrote:
    >> Even if I did, and some malicious hacker took over my OS and even
    >> destroyed it, so what? I have backups.
    >
    > Good for you, you can enjoy your lonely life with your computer. You don't
    > have to worry about whether you, the single user on your computer, will
    > become root without permission.
    >
    > Others, who are responsible for many computers in a corporate or school
    > environment, will have to take messages like this more seriously. In those
    > environments most users are not supposed to have root privileges. Also,
    > in those environments you must assume there are people who want to gain
    > information they shouldn't have.


    And assume they have the skills to do it.

    And that no one is monitoring their activities.

    The first is rare and the second would be irresponsible.
    You can't patch every potential security hole, but you
    CAN monitor the users. And that's the responsibility
    of the administrators, is it not?

    Tom

    --
    calhobbit
    at gee mail dot com


  7. Re: [Security] multiple vulnerabilities in the X server

    Tom N wrote:
    >> Others, who are responsible for many computers in a corporate or school
    >> environment, will have to take messages like this more seriously. In those
    >> environments most users are not supposed to have root privileges. Also,
    >> in those environments you must assume there are people who want to gain
    >> information they shouldn't have.
    >
    > And assume they have the skills to do it.


    Yes, of course that should be assumed.

    > And that no one is monitoring their activities.


    There are different ways to monitor users' activities. Most of them are not
    considered ethically correct.

    > The first is rare and the second would be irresponsible. You can't patch
    > every potential security hole, but you CAN monitor the users. And that's
    > the responsibility of the administrators, is it not?


    I would say that it would be the responsibility of the administrator to
    apply any patches distributed. I would also say that an administrator who
    installs a monitoring tool without first having this cleared by the board
    of the company might lose his job. There is a fine line between some
    monitoring tools and spy tools.

    regards Henrik
    --
    The address in the header is only to prevent spam. My real address is:
    hc3(at)poolhem.se Examples of addresses which go to spammers:
    root@localhost postmaster@localhost


  8. Re: [Security] multiple vulnerabilities in the X server

    On 2008-01-26, Henrik Carlqvist wrote:
    > Tom N wrote:
    >>> Others, who are responsible for many computers in a corporate or school
    >>> environment, will have to take messages like this more seriously. In those
    >>> environments most users are not supposed to have root privileges. Also,
    >>> in those environments you must assume there are people who want to gain
    >>> information they shouldn't have.
    >>
    >> And assume they have the skills to do it.
    >
    > Yes, of course that should be assumed.
    >
    >> And that no one is monitoring their activities.
    >
    > There are different ways to monitor users' activities. Most of them are not
    > considered ethically correct.
    >
    >> The first is rare and the second would be irresponsible. You can't patch
    >> every potential security hole, but you CAN monitor the users. And that's
    >> the responsibility of the administrators, is it not?
    >
    > I would say that it would be the responsibility of the administrator to
    > apply any patches distributed.


    What if the patches contain viruses or trojans or worms...

    Now you'll say that there are ways of making sure this doesn't happen

    And I'll say that all such safeguards can be gotten around by a clever
    hacker.

    Then you'll say....

    See, there's no end to the paranoia game.

    That's why I don't play it.

    > I would also say that an administrator who
    > installs a monitoring tool without first having this cleared by the board
    > of the company might lose his job. There is a fine line between some
    > monitoring tools and spy tools.


    Sure is. But if I was responsible for the system, knowing the
    obvious, that malicious and skilled hackers can get through any
    security measures, then I'd be watching what people were doing, as
    unobtrusively and respectfully as possible, and I wouldn't even
    tell the board. What the hell do a bunch of technically illiterate
    bureaucrats and politicians know?

    Except how to **** up anything they touch?

    And if there were well-known security holes in certain applications,
    then I'd use those for bait, in order to ferret out the crackers.

    The problem with relying on technology for security is that it
    is always created, configured, maintained and run by people.
    No way can any technology ever change that. So you watch the
    people.

    Or you lose the game, eventually.


    Tom

    --
    calhobbit
    at gee mail dot com


  9. Re: [Security] multiple vulnerabilities in the X server

    Tom N wrote:
    > What if the patches contain viruses or trojans or worms...


    In the case of Slackware we have mechanisms like gnupg to make sure that
    patch packages really come from the Slackware source. But you are right,
    you can never be 100% sure that a package doesn't contain some kind of
    backdoor.

    On the other hand, this risk does not only apply to patch packages but to
    any package. Also, if you don't install any patch packages you will know
    for 100% sure that your system contains security holes. Some of those holes
    might have known exploits that can be used as backdoors into your system.

    regards Henrik
    --
    The address in the header is only to prevent spam. My real address is:
    hc3(at)poolhem.se Examples of addresses which go to spammers:
    root@localhost postmaster@localhost
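    Henrik's gnupg point above, turned into a concrete pre-install check. This is an added example, not code from the thread, from Slackware or from its tooling. It assumes (my assumptions, not the thread's) the usual mirror layout in which a CHECKSUMS.md5 list ships with a detached CHECKSUMS.md5.asc beside it, entries of the form "<md5>  ./patches/packages/name.tgz", and that the mirror's GPG-KEY file was imported with `gpg --import` beforehand; the function names are hypothetical. The script refuses a package unless gpg accepts the signature on the list and the package's md5 matches the signed entry, so neither a tampered list nor a tampered package passes.

```sh
#!/bin/sh
# Added example, not from the thread or from Slackware's own tooling.
# Checks a patch package the way Henrik describes: gpg confirms the
# checksum list really came from the Slackware signing key, and the
# package's md5 is then compared against that signed list.
# Assumptions (mine): CHECKSUMS.md5 with a detached CHECKSUMS.md5.asc
# beside it, entries written as "<md5>  ./path/pkg.tgz", and Slackware's
# public key (the mirror's GPG-KEY file) already imported with gpg --import.
# Function names are hypothetical.

# Stage 1: verify the detached signature on the checksum list.
# Returns 0 if gpg accepts it, 1 if it rejects it, 2 if gpg is missing.
verify_checksums_sig() {
    sums="$1"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --verify "$sums.asc" "$sums" >/dev/null 2>&1
}

# Stage 2: compare the package's md5 with its entry in the (verified) list.
# Matches on the package file name, since the list records mirror-relative
# paths like ./patches/packages/foo.tgz. Returns 0 on match, 1 otherwise.
check_pkg_md5() {
    sums="$1"; pkg="$2"
    name=$(basename "$pkg")
    # strip the directory part of the second column, then compare names
    expected=$(awk -v n="$name" '{ f = $2; sub(".*/", "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$pkg" | awk '{ print $1 }')
    else
        actual=$(md5 -q "$pkg")   # BSD/macOS fallback
    fi
    if [ "$actual" != "$expected" ]; then
        echo "md5 mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# Both stages: refuse the package unless the list is signed AND the hash matches.
verify_pkg() {
    verify_checksums_sig "$1" || return 1
    check_pkg_md5 "$1" "$2"
}

# Usage: verify_pkg /mirror/CHECKSUMS.md5 /mirror/patches/packages/xorg-server-<version>.tgz
```

    Run it before `upgradepkg`; a non-zero exit from `verify_pkg` means the package should not be installed. The signature check covers the whole list at once, so the md5 comparison is what ties an individual package to that signed statement.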


  10. Re: [Security] multiple vulnerabilities in the X server

    On 2008-01-26, Henrik Carlqvist wrote:
    > Tom N wrote:
    >> What if the patches contain viruses or trojans or worms...

    >
    > In the case of Slackware we have mechanisms like gnupg to make sure that
    > patch packages really come from the Slackware source. But you are right,
    > you can never be 100% sure that a package doesn't contain some kind of
    > backdoor.
    >
    > On the other hand, this risk does not only apply to patch packages but to
    > any package. Also, if you don't install any patch packages you will know
    > for 100% sure that your system contains security holes. Some of those holes
    > might have known exploits that can be used as backdoors into your system.


    Yeh. Yeh. How many times do I have to say this?

    Paranoia has no boundaries. You start playing that game and pretty soon
    you are hunched in a corner with a gun...After all, a murderous criminal
    could bust through the door at any moment carrying an automatic weapon.
    You just never know....

    A very wise man said, once: "There is nothing to fear but fear itself."

    You aren't turning me into a paranoid, Henrik.

    Tom


    --
    calhobbit
    at gee mail dot com


  11. Re: [Security] multiple vulnerabilities in the X server

    Tom N wrote:
    >Paranoia has no boundaries. You start playing that game and pretty soon
    >you are hunched in a corner with a gun...After all, a murderous criminal
    >could bust through the door at any moment carrying an automatic weapon.
    >You just never know....


    If you want to see people trying to break into your Internet-connected
    Linux box, get an IDS:

    http://en.wikipedia.org/wiki/Intrusion-detection_system

    http://www.snort.org/

    -Beej

