X.org Query

Alan Coopersmith alan.coopersmith at oracle.com
Thu Aug 17 19:49:28 UTC 2017


On 08/17/17 07:13 AM, Bhawna.Sharma at wellsfargo.com wrote:
> Hello,
> 
> I have a few questions regarding X.org.
> 
> 1. Is X.org a product or a software? If not, what is it exactly?

X.Org is a non-profit organization which produces a couple hundred open source
software packages, most of which are part of the X Window System.  For more
complete answers, see:

https://www.x.org/wiki/
https://en.wikipedia.org/wiki/X.Org

> 2. Is there a fix available for the CVE-1999-0526 which is associated with x11 
> server?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0526 lists this issue as
"An X server's access control is disabled (e.g. through an "xhost +" command)
  and allows anyone to connect to the server."

That is a usage & configuration issue, not a vulnerability in the software.

This would be like issuing a CVE that says if you set the permissions on a file
to be world readable, then anyone can read what's in it, and if you set it to
world writable, then anyone can modify the contents.

Recent versions of the X server from X.Org have changed the default to not allow
TCP connections, thus making it harder to configure the X server this way, but
users can still override that if they decide they need to use this mechanism.
(We recommend using ssh -X instead of direct TCP connections, and using user
  based or shared secret security over host based access controls, but some users
  have different needs in their environments.)

If the user absolutely insists on pointing a loaded gun at their own foot and
pulling the trigger, we cannot prevent them from having a very painful experience.

> 3. How are ports 6000 and 6001 associated with x11?

The X11 protocol can be sent over a TCP connection to a remote computer.
When this is done, it uses a TCP port number of 6000 plus the display id.
Thus display id 0 (:0) would be port 6000, display id 1 (:1) would be 6001,
and so on.

-- 
	-Alan Coopersmith-               alan.coopersmith at oracle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/alanc
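
Added example, not part of the original message: a defender-side check for the two conditions discussed above, namely an X server listening on TCP (port 6000 plus the display id) and access control disabled or host-based in `xhost` output. The function names, the `ss -ltnH` and `xhost` sample text (constructed), and the :0 to :63 display range are assumptions of this example.

```python
import ipaddress

# Constructed sample of `ss -ltnH` output (listening TCP sockets, no header).
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 128 [::]:6001 [::]:*
"""

# Constructed samples of `xhost` output (run with no arguments).
XHOST_OPEN = "access control disabled, clients can connect from any host\n"
XHOST_HOSTS = """\
access control enabled, only authorized clients can connect
INET:build01.example.com
SI:localuser:alice
"""

X11_BASE, MAX_DISPLAY = 6000, 63  # assumption: audit displays :0 through :63


def x11_tcp_listeners(ss_output):
    """Return (display, address, loopback_only) for each X11-range listener."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or not X11_BASE <= int(port) <= X11_BASE + MAX_DISPLAY:
            continue
        host = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:  # "*" or an unparsable address: treat as reachable
            loopback = False
        found.append((f":{int(port) - X11_BASE}", addr, loopback))
    return found


def xhost_findings(xhost_output):
    """Flag disabled access control and host-based (not per-user) entries."""
    lines = [l.strip() for l in xhost_output.splitlines() if l.strip()]
    disabled = bool(lines) and lines[0].startswith("access control disabled")
    host_based = [l for l in lines[1:] if l.startswith(("INET:", "INET6:"))]
    return {"access_control_disabled": disabled, "host_based_entries": host_based}
```

Listeners bound only to loopback are typically ssh X11 forwarding rather than a directly exposed server, so the third tuple element separates them from network-reachable ones.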

