17 votes

X.org: Local root escalation vulnerability (CVE-2018-14665)

6 comments

  1. Deimos
    Looks like OpenBSD didn't receive any advance warning, and is currently affected: https://marc.info/?l=openbsd-tech&m=154050351216908&w=2

    11 votes
    1. minimaltyp0s
      Yeah, there's a bit of a bun fight going on about this on other forums. Seems that OpenBSD can't/don't/won't honour embargoes on publishing vulnerability details and so people don't routinely share with them.

      It's one of those interesting scenarios where you can genuinely see both sides of the argument and genuinely see how each side considers the other to be unreasonable.

      7 votes
      1. MacDolanFarms
        Seems that OpenBSD can't/don't/won't honour embargoes on publishing vulnerability details and so people don't routinely share with them.

        There's a common misconception that OpenBSD breaks embargoes, but that is simply untrue; OpenBSD refuses to agree to them, so cannot break them. To my knowledge OpenBSD will respect an embargo if they have agreed to it.

        3 votes
    2. apoctr
      I think it's (sort of) resolved now in OpenBSD. There was something relating to X-Org available through syspatch, seems to have removed the setuid bit for X-Org. Broke starting X through startx/xinit, but after enabling xenodm all was good.

      2 votes
  2. annadane
    Restarting the display manager is all that's needed after applying the fix, right? (Debian) No reboots?

    2 votes
    1. s4b3r6
      From what I'm reading, a restart of the Xserver should fix it.

      4 votes
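As an added example (not code from the thread or from the X.org project), a small POSIX shell check for the two mitigation points the comments above raise: whether the installed X server binary still carries the setuid bit, and whether a running X server predates the updated binary and therefore still needs the display-manager restart. Binary paths, process names and the use of Linux procps `ps -o etimes` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side checks for the
# points raised above: has the installed X server binary dropped its setuid
# bit, and is a running X server older than the installed binary (started
# before the update, so still executing the pre-fix code and needing a restart).
# Binary paths and process names are assumptions; adjust for your system.

# xorg_is_setuid PATH: prints setuid / not-setuid / missing; exit 0 only if setuid.
xorg_is_setuid() {
    [ -e "$1" ] || { echo "missing"; return 2; }
    if [ -u "$1" ]; then echo "setuid"; return 0; fi
    echo "not-setuid"; return 1
}

# file_mtime PATH: mtime as epoch seconds (GNU stat first, BSD stat as fallback).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null
}

# process_predates_binary BINARY START_EPOCH: exit 0 if a process that started
# at START_EPOCH is older than BINARY's last modification (still runs old code).
process_predates_binary() {
    mtime=$(file_mtime "$1") || return 2
    [ -n "$mtime" ] || return 2
    [ "$2" -lt "$mtime" ]
}

# check_running_x BINARY: exit 0 if every running X server started after BINARY
# was last modified, 1 if any predates it. Assumes Linux procps (ps -o etimes)
# and a server process named Xorg or X.
check_running_x() {
    bin=$1; now=$(date +%s); stale=0
    for pid in $(pgrep -x 'Xorg|X' 2>/dev/null); do
        etimes=$(ps -o etimes= -p "$pid" 2>/dev/null | tr -d ' ')
        [ -n "$etimes" ] || continue
        if process_predates_binary "$bin" $((now - etimes)); then
            echo "pid $pid started before $bin was updated: restart the display manager"
            stale=1
        fi
    done
    return $stale
}

# Usage: sh xorg_check.sh /usr/lib/xorg/Xorg   (path is an assumption)
if [ $# -ge 1 ]; then
    xorg_is_setuid "$1"
    check_running_x "$1"
fi
```

On OpenBSD the binary lives under /usr/X11R6/bin and `ps` lacks `etimes`, so only the setuid check applies there as written.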