Ilja van Sprundel, the security researcher who reported the pile of client side security bugs that led to our big advisory in May, has given another talk on X security, this time at last week's 30th Chaos Communication Congress (30C3) in Hamburg, Germany.
The video has been posted to http://media.ccc.de/browse/congress/2013/30C3_-_5499_-_en_-_saal_1_-_201312291830_-_x_security_-_ilja_van_sprundel.html The first half covers those client-side issues, as well as those higher in the stack in the toolkits. The second half talks about what he's been looking at on the server side since then. (Key quotes: "GLX is a horrible demotivator! 80,000 lines of sheer terror." and "In the past couple of months I've found 120 bugs there, and I'm not close to done." ) I think it's mostly accurate (there's a couple minor details to quibble with, and there's a bit about 10-15 minutes in everyone can fast forward through). His point about today's world being much different than when X was created, and nearly 30 year old hand written binary protocol parsing code not being the best idea, is much like the rationale for xcb's creation, but we've not been effective at getting transitioned to it. (We keep talking about using XCB to generate server-side protocol handling & byte swapping, but never have, and haven't made it possible for all the clients to move to XCB, since there's still a couple missing pieces.) -- -Alan Coopersmith- [email protected] Oracle Solaris Engineering - http://blogs.oracle.com/alanc _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
