30C3 video: "X Security: it's worse than it looks"

Alan Coopersmith alan.coopersmith at oracle.com
Tue Dec 31 10:11:29 PST 2013

Ilja van Sprundel, the security researcher who reported the pile of
client side security bugs that led to our big advisory in May, has
given another talk on X security, this time at last week's
30th Chaos Communication Congress (30C3) in Hamburg, Germany.

The video has been posted to

The first half covers those client-side issues, as well as those higher
in the stack in the toolkits.   The second half talks about what he's
been looking at on the server side since then.  (Key quotes: "GLX is
a horrible demotivator!  80,000 lines of sheer terror." and "In the past
couple of months I've found 120 bugs there, and I'm not close to done." )

I think it's mostly accurate (there's a couple minor details to quibble
with, and there's a bit about 10-15 minutes in everyone can fast forward
through).   His point about today's world being much different than when
X was created, and nearly 30 year old hand written binary protocol parsing
code not being the best idea, is much like the rationale for xcb's creation,
but we've not been effective at getting transitioned to it.   (We keep
talking about using XCB to generate server-side protocol handling & byte
swapping, but never have, and haven't made it possible for all the clients
to move to XCB, since there's still a couple missing pieces.)

	-Alan Coopersmith-              alan.coopersmith at oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc

More information about the xorg-devel mailing list