Latest Round of Xorg Vulnerabilities Added Recently and Some Don’t Work Without SELinux Turned On.
The latest round of Xorg (X11) vulnerabilities to be patched were added within the last several years.
Out of half a dozen, the oldest ones were added in 2006, but many in 2011, 2012, or 2014.
Many of the defects might have been added by Red Hat employees.
They don’t specify which revision added them, only the release, however, Red Hat likes to complain that they’ve had most of the maintenance burden of Xorg “for years now” whenever the topic of Wayland, which doesn’t really work productively, comes up and they have to read the “Xorg is a mess and we have to do something and this is something” spiel.
This is the company that tells us we need to use Wayland, and which is mainly responsible for Wayland, which breaks everything and makes my computer impossible to use productively until I run the X11 session.
Honestly, Wayland is so f***ed that it causes more graphical glitching, session crashes, and power management issues and other annoyances than X11, which were supposedly the list of reasons X11 had to go, plus it also has no concept of screen savers, so I can’t use XScreenSaver with it. I’ve written a lot about why Wayland is in no sense of the word ready.
Jamie Zawinski said he no longer maintains XScreenSaver for the practical reasons we used to use screen savers for (to prevent burn in, although LCD/LED panels can still burn in).
For years now, the “Environmental Protection Agency” (Employment Prevention Agency) has been a party-pooper requiring the screen to turn off regardless of what the user wanted, because we need MOAR POWER to charge Teslas which won’t charge when it’s cold outside, or something. Or to “SAVE THE PLANET!” because of the sheer arrogance that the people responsible for overpopulation and environmental destruction are going to save it if the computer uses three less watts.
I think the real policy issue with IBM/RH’s war on screen savers is that a world dominated by mega-corporations has no use for art, or a well-educated public, or people who can think for themselves to any meaningful degree.
I don’t even have bizarre hardware, and Wayland is a big shitpile. Intel was promoting Wayland heavily and it doesn’t even work quite right on Intel’s graphics chipsets.
The only thing Wayland accomplished (Mission Accomplished) was stop and make everyone reinvent the wheel to the point of not getting much else done, just so that their software would do what it already did, with implementation gaps that are “not in scope” and reimplementing the same feature in different code (with different quirks) depending on which compositing manager your desktop environment runs in.
Two of the security vulnerabilities (CVE-2024-0409: SELinux context corruption and CVE-2024-0408: SELinux unlabeled GLX PBuffer) don’t work at all unless the user is running with SELinux turned on, which Fedora and Red Hat Enterprise Linux do.
SELinux is such an ungainly mess that it’s hardly possible to understand, and Fedora bumps the selinux-policy all the time because it’s still managing to cause a lot of trouble even more than two decades in.
Now it is actually adding security problems through the “security” policy for the X Server.
A while back, SELinux was patched to remove references to the United States National Security Agency, which originally wrote it. The Agency likes to spy on the entire world and “accidentally” bulk collect data about Americans, or “incidentally” collect it, and then look at the data, with only a secret court that basically only ever says yes to them supervising it.
Stephen Smalley updated his email address and "debranded" SELinux from "NSA SELinux" to simply "SELinux". We've come a long way from the original NSA submission and I would consider SELinux a true community project at this point so removing the NSA branding just makes sense.-Linux Kernel Mailing List
Ah yes, which community would that be? The Intelligence Community? IBM/Red Hat? Those are really the only people who have a lot of interest in SELinux. Most non-RH distributions don’t even have it or don’t even have any sort of “security modules” loaded by default, or use AppArmor.
I haven’t seen any evidence that there are major security problems that SELinux is saving real people from. It ticks a box, and in this case, it managed to make Xorg even worse just by being turned on. If IBM/RH cared about security, they wouldn’t be telling people to use RH in Microsoft Azure and AWS where the data breaches keep happening.
I’m just not sure this monthly panic about Xorg bugs is “organic”. Actually, it’s getting pretty Groundhog Day-ish.
I mean, the issues are being fixed. Lots of software has an old and complicated codebase that is difficult to understand and the source of constant bugs.
Also, some of the prior hysteria pointed out that some dated back into the 1980s and 1990s. (Windows routinely has security vulnerabilities this old and no big deal is usually made about them.)
By this example, we should delete Mozilla Firefox and even Linux itself because they too tick all those requirements for not being “secure”, or “modern” or something.
“Secure” and “Modern” are increasingly marketing buzz words, which translate to “Heinously bloated” and “under the control of someone else”, counter-respectively.
Typically, when someone starts throwing those words around to the point of abuse, I just start tuning out.
As always, patch your software. Nothing to see here.
BaronHK's Rants 