libX11 has multiple vulnerabilities


#1

Hey, is anyone able to advise whether it’s OK to port libX11 to 1.6.6.1?
libX11 1.6.5.1 has multiple vulnerabilities:
CVE: CVE-2018-14600
CVE: CVE-2018-14599
CVE: CVE-2018-14598
https://vuxml.FreeBSD.org/freebsd/fe99d3ca-a63a-11e8-a7c6-54e1ad3d6335.html

Thx.


#2

Few applications use Xlib directly; rather, they employ other libraries that use Xlib functions to provide [widget toolkits](https://en.wikipedia.org/wiki/Widget_toolkit).

And then, the other libraries have multiple vulnerabilities, and then, the toolkits and scripting frameworks have yet more vulnerabilities… etc. And then, Intel CPUs have multiple vulnerabilities :slight_smile:


#3

I’m surprised that there has not been more noise, at least where I look, on the Intel CPU backdoors. Complete bypass according to Tom’s Hardware, who’s citing Christopher Domas at the Black Hat conference in Las Vegas.

“… direct ring 3 to ring 0 hardware privilege escalation … with unrestricted access to the x86.”


#4

It’s probably because there’s a fix for the Meltdown and Spectre flaws for FreeBSD, but they really should never have been there in the first place. It’s shoddy work on Intel’s part.


#5

I don’t think it’s “shoddy work”. I suspect its engineers were well aware of the potential risks but were ordered to shut the hell up and provide.

Because without these vulnerabilities Intel CPUs’ performance would have been much less, and that would have made the competition (AMD) look comparatively better. I think Intel sacrificed security to performance, initially knowingly, and later on thought that nobody would find out and just continued with the practice.


#6

That’s even worse, to know about it and continue. I just gave them the benefit of the doubt though. I like to think that a business like that actually wants to release good products.


#7

Priority 1 for any business is to make money. When that business is publicly traded, it is there to make money for the shareholders, and that is by law. Creating a good product is not their goal; that is a side effect of their goal (which is to make money).


#8

Strange as it may seem to some people, the primary business of business is to make money. Publicly traded or private.
I have no comment about Intel and the vulnerabilities.


#9

I recently updated my baseboard BIOS to the latest side-channel mitigation version.
For Spectre 2, it seemed I needed to manually set the variable hw.ibrs_disable false
sysctl hw.ibrs_disable=0
to prevent services from being able to disable the restricted speculation on-the-fly.
However, to persistently achieve the states:
sysctl hw.ibrs_active 1
sysctl hw.ibrs_disable 0
I needed to edit
/etc/sysctl.conf
with an addition
hw.ibrs_disable=0
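
An added example, not part of the post above: a small POSIX shell audit that checks whether `hw.ibrs_disable=0` is actually persisted in a sysctl.conf-style file and that the runtime values match the states the post lists. The function names and verdict strings are hypothetical; the runtime values are passed in as arguments so the check can also be run against a copy of the file.

```shell
#!/bin/sh
# Added example, not from the thread. Names and verdict strings are hypothetical.

# Print the last value assigned to sysctl name $2 in the sysctl.conf-style
# file $1. Comments and surrounding whitespace are ignored; the last
# assignment wins, since the file is applied top to bottom at boot.
persisted_value() {
    [ -r "$1" ] || return 1
    awk -v name="$2" '
        {
            sub(/#.*/, "")                       # drop comments
            eq = index($0, "=")
            if (eq == 0) next                    # not an assignment
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == name) { last = val; found = 1 }
        }
        END { if (!found) exit 1; print last }
    ' "$1"
}

# $1 = config file, $2 = runtime hw.ibrs_disable, $3 = runtime hw.ibrs_active
audit_ibrs() {
    conf=$(persisted_value "$1" hw.ibrs_disable) || { echo not-persisted; return 0; }
    [ "$conf" = "0" ] || { echo persisted-disabled; return 0; }
    [ "$2" = "0" ] || { echo runtime-disabled; return 0; }
    [ "$3" = "1" ] || { echo ibrs-inactive; return 0; }
    echo ok
}

# On the FreeBSD host:
#   audit_ibrs /etc/sysctl.conf "$(sysctl -n hw.ibrs_disable)" "$(sysctl -n hw.ibrs_active)"
```

A verdict of `not-persisted` means the runtime setting will be lost at the next reboot; `persisted-disabled` means a later line in the file overrides the intended value.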


#10

@tqfs A note: when I said backdoor, I meant backdoor. This is an entirely different problem than the Spectre etc. holes.

Writeup:

Dark Hat Presentation (12 pages from the bottom):