X.org Servers Update Closes 2 Security Holes

X.org has released a bunch of updates that close two security holes and, yes, this affects Wayland users too.

A batch of updates to X.org’s suite of X11 servers and components just appeared. Among the new features, there were also fixes for two security holes mentioned in an X.org Foundation security advisory, which covers CVE-2022-2319 and CVE-2022-2320.

Although the X window system is pretty old, it’s still everywhere, including on almost every xNix operating system that has a graphical desktop. Wayland users don’t get to be smug: they too rely upon XWayland, which is what lets them run most older apps. Together, these mean that X.org version 21.1.4 will be a necessary update for a lot of people, alongside XWayland version 22.1.3.

The flaws

The bugs were in the X Keyboard Extension, XKB. As is often the case, the ArchLinux wiki has a good explanation of what it does. It’s an integral part of keyboard handling in both X.org and Wayland. The flaws allowed arbitrary code execution, which is particularly bad news because it’s normal for Unix OSes to run the X server as root, as it needs to access the computer’s hardware directly in order to set screen resolutions.

Thanks to new features such as kernel mode setting, which we talked about earlier this year, it is now possible to run X.org in “rootless” mode, and many distros do support this, including Ubuntu and Fedora. However, some popular display managers, such as LightDM, don’t support rootless X. The display manager is the program that lets Linux users log in graphically, and although Ubuntu has now switched to GNOME’s GDM, LightDM remains widely used; for instance, it is the default display manager in Lubuntu, ElementaryOS, and Ubuntu Unity.
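For admins who want to check a host against both points above (is the installed server at or past the fixed release, and is an X server running as root), here is an added example that is not from X.org or the original article. The function names and the sample process list are constructed for illustration, and the version string is assumed to come from your package manager.

```shell
#!/bin/sh
# Added example (not X.org code): audit helpers for the two points above.
XORG_FIXED="21.1.4"        # fixed releases named in the article
XWAYLAND_FIXED="22.1.3"

# version_ge A B: succeed when dotted version A >= B. A Debian-style epoch
# ("2:") and any packaging suffix ("-1ubuntu1") are stripped from A first.
version_ge() {
    a=${1#*:}; a=${a%%[!0-9.]*}; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}          # missing components count as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# audit NAME VERSION: print ok / update / unknown for an installed server.
audit() {
    case $1 in
        Xorg|X)   fixed=$XORG_FIXED ;;
        Xwayland) fixed=$XWAYLAND_FIXED ;;
        *)        echo "unknown"; return 0 ;;
    esac
    if version_ge "$2" "$fixed"; then echo "ok"; else echo "update"; fi
}

# root_x_servers: read "USER COMMAND" lines on stdin and print the X servers
# owned by root. Live use: ps -e -o user= -o comm= | root_x_servers
root_x_servers() {
    while read -r user comm rest; do
        case $comm in
            Xorg|X|Xwayland) [ "$user" = "root" ] && echo "$comm" ;;
        esac
    done
    return 0
}

# Constructed sample process list (not taken from a real host).
SAMPLE_PS='root     Xorg
alice    Xwayland
alice    bash'

printf '%s\n' "$SAMPLE_PS" | root_x_servers   # prints: Xorg
audit Xorg 21.1.3                             # prints: update
```

Distributions often backport security fixes without changing the upstream version number, so an "update" result is a prompt to check your distro's advisory for CVE-2022-2319 and CVE-2022-2320 rather than proof that the host is exposed.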

The security fixes are not the only new stuff: multiple other X.org subcomponents got updates too, including xclipboard and xmodmap. The latter is especially useful for setting up a Compose key.

Some others are still useful but maybe less often these days, such as xconsole. The X font server xfs has received an update along with xfontsel, but that isn’t very important these days as it’s been largely obsoleted by Xft.

Many X.org drivers have been updated too, including for Synaptics touchpads, plus Cirrus Logic, ATI Mach64, and Matrox cards. The notes for the keyboard-input driver mention something that’s more generally important and doesn’t get mentioned often enough, which is that the update removes Linux support. That matters because this driver “is primarily used with BSD, GNU Hurd, illumos, & Solaris systems.”

Yes, even in 2022, there is more to Unix than Linux. Linux is just one of many. Novell bought Unix Labs from AT&T in 1992 and donated the UNIX trademark to the Open Group. This was already a historical footnote when The Register mentioned it in passing 22 years ago. For 30 years, the name Unix hasn’t had anything to do with containing AT&T source code. It now means “passes the Open Group’s tests,” and Linux passed years ago.

That means that, among others, Linux is a UNIX™. While Wayland only runs on Linux and FreeBSD, X11 is everywhere. It’s still the basis of the graphical desktop on just about every other UNIX. X.org still matters, even today. ®
