gabriel rosenkoetter on Fri, 25 Jan 2002 00:09:49 -0500

On Thu, Jan 24, 2002 at 11:38:28PM -0500, kevin mudrick wrote:
> Anyway, why is xfs a security risk, as someone mentioned? Or did I miss
> the part of the thread where that was discussed?

I said that, and it may no longer be true in XF86-4, but xfs definitely does still open an unnecessary (unless you're actually running a server for other machines, which almost no one does these days) TCP port, I've definitely seen it running as root (though I don't know that any of the Linux distributions in question install it that way), and I've personally seen Solaris's xfs dump core on bad input, which, as you'll know if you read Bugtraq, is a very bad sign.

I don't have any specific things about XF86's xfs to point to as bugs, but it goes against basic security principles. If it magically fixes problems in other software, there is something broken about that other software that goes against X/Open standards on how to deal with fonts. The right fix is not "just run xfs" but to make the third-party software behave correctly.

--
gabriel rosenkoetter
gr@eclipsed.net
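A defender's check for the two concerns raised in the message above (xfs accepting TCP connections and running as root), added here as an example and not part of the original thread. It assumes `netstat -tlnp` and `ps -eo user,comm` style output; the sample lines are constructed, with 7100 used as the conventional xfs port.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit whether an X font
# server (xfs) is reachable over TCP and whether it runs as root. The parsers
# take text so they work on captured output as well as on a live system.

# Constructed sample output in "netstat -tlnp" layout: one exposed listener,
# one loopback-only listener.
SAMPLE_NET_EXPOSED='tcp 0 0 0.0.0.0:7100 0.0.0.0:* LISTEN 1234/xfs'
SAMPLE_NET_LOCAL='tcp 0 0 127.0.0.1:7100 0.0.0.0:* LISTEN 1234/xfs'
# Constructed sample output in "ps -eo user,comm" layout.
SAMPLE_PS_ROOT='USER COMMAND
root xfs'
SAMPLE_PS_UNPRIV='USER COMMAND
xfs xfs'

# Return 0 if any netstat-style line shows a listening TCP socket owned by
# xfs on an address other than loopback (IPv4 127.0.0.1 or IPv6 ::1).
xfs_listens_remotely() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $NF ~ /\/xfs$/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)      # drop the ":port" suffix
            if (addr != "127.0.0.1" && addr != "::1") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Return 0 if ps-style output (user, command) shows xfs running as root.
xfs_runs_as_root() {
    printf '%s\n' "$1" | awk '$1 == "root" && $2 == "xfs" { f = 1 }
                             END { exit f ? 0 : 1 }'
}

# Live check of the current host: report findings, return non-zero if xfs
# is either exposed over TCP or running as root.
audit_xfs() {
    net=$(netstat -tlnp 2>/dev/null)
    procs=$(ps -eo user,comm 2>/dev/null)
    rc=0
    if xfs_listens_remotely "$net"; then
        echo "xfs: listening on a non-loopback TCP socket"; rc=1
    fi
    if xfs_runs_as_root "$procs"; then
        echo "xfs: running as root"; rc=1
    fi
    return $rc
}
```

Run `audit_xfs` on a host that starts xfs; a clean result means the font server is neither reachable from the network nor running with root privileges.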