gabriel rosenkoetter on Fri, 25 Jan 2002 00:09:49 -0500



Re: xfs (was Re: [PLUG] Debian and X)


On Thu, Jan 24, 2002 at 11:38:28PM -0500, kevin mudrick wrote:
> Anyway, why is xfs a security risk, as someone mentioned?  Or did I miss
> the part of the thread where that was discussed?

I said that, and it may no longer be true in XF86-4, but xfs
definitely does still open an unnecessary (unless you're actually
running a server for other machines, which almost no one does these
days) TCP port, I've definitely seen it running as root (though I
don't know that any of the Linux distributions in question install
it that way), and I've personally seen Solaris's xfs dump core on
bad input, which, as you'll know if you read Bugtraq, is a very
bad sign.

I don't have any specific things about XF86's xfs to point to as
bugs, but it goes against basic security principles. If it magically
fixes problems in other software, there is something broken about
that other software that goes against X/Open standards on how to
deal with fonts. The right fix is not "just run xfs" but to make the
third-party software behave correctly.

-- 
gabriel rosenkoetter
gr@eclipsed.net
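A defender's check for the two concerns raised in the post above (an xfs TCP listener reachable from other hosts, and the daemon running as root), written as an added example that is not part of the original mail. The `ss -Hlntp` and `ps` output below is constructed sample data, and port 7100 is only the sample value; on a real host, replace the two variables with the live command output.

```shell
#!/bin/sh
# Constructed sample of `ss -Hlntp` output (State Recv-Q Send-Q Local Peer Process).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:7100 0.0.0.0:* users:(("xfs",pid=611,fd=3))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=6))'
# Constructed sample of `ps -eo pid=,user=,comm=` output.
SAMPLE_PS='611 root xfs
700 lp cupsd'

# Print local TCP addresses a daemon listens on that are not loopback-only.
exposed_listeners() {
  printf '%s\n' "$SAMPLE_SS" | awk -v n="$1" '
    $1 == "LISTEN" && index($6, "\"" n "\"") {
      host = $4; sub(/:[^:]*$/, "", host)      # strip the trailing :port
      if (host != "127.0.0.1" && host != "[::1]") print $4
    }'
}

# PID of the daemon holding the socket, taken from the Process column.
listener_pid() {
  printf '%s\n' "$SAMPLE_SS" | awk -v n="$1" '
    index($6, "\"" n "\"") && match($6, /pid=[0-9]+/) {
      print substr($6, RSTART + 4, RLENGTH - 4); exit
    }'
}

# User a PID runs as, from the ps sample.
process_owner() {
  printf '%s\n' "$SAMPLE_PS" | awk -v p="$1" '$1 == p { print $2; exit }'
}

# One-line findings for a daemon; prints nothing if neither concern applies.
audit_daemon() {
  name=$1
  addrs=$(exposed_listeners "$name")
  if [ -n "$addrs" ]; then
    echo "$name listens on TCP beyond loopback: $addrs"
  fi
  pid=$(listener_pid "$name")
  if [ -n "$pid" ] && [ "$(process_owner "$pid")" = root ]; then
    echo "$name (pid $pid) runs as root"
  fi
  return 0
}

audit_daemon xfs
audit_daemon cupsd
```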
