All issues have been corrected and patches are ready

Dec 11, 2014 09:14 GMT

One of the most important features of the open source development community is its ability to self-correct, even if it takes a very long time. A number of issues in X servers have been corrected recently, and some of them were actually very old. The record holder is a bug introduced back in 1987.

There are not many pieces of old code still running on our Linux computers. The X server is probably one of the oldest, but it is also a piece of software that is constantly being worked on and improved. Not everything is about new features, though; sometimes it is about fixing problems, and the developers have just found a slew of vulnerabilities, some of them quite old.

This is not the first time this has happened. Developers find old problems all the time, in various other projects. The same happened a few months ago when someone identified a 15-year-old bug in OpenSSL. It is not all that uncommon, but most of the time it is a problem that did not cause any visible issues for a very long time and so went unnoticed.

X.Org X server vulnerabilities have already been fixed

This is open source, and there is no dedicated team working constantly on the X server. In this case, all the vulnerabilities were identified by Ilja van Sprundel, a security researcher with IOActive, and his team analyzed, confirmed, and fixed these issues.

"Ilja's talk at the 30th Chaos Communication Congress (30C3) in Hamburg last year ('X Security: it's worse than it looks') gave a preview of these issues and discussed the general form of many of these, but did not disclose the exact details of them. The vulnerabilities could be exploited to cause the X server to access uninitialized memory or overwrite arbitrary memory in the X server process. This can cause a denial of service (e.g., an X server segmentation fault), or could be exploited to achieve arbitrary code execution."

"How critical these vulnerabilities are to any given installation depends on whether they run an X server with root privileges or reduced privileges; whether they run X servers exposed to network clients or limited to local connections; and whether or not they allow use of the affected protocol extensions, especially the GLX extension," notes the X.Org Security Advisory.
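The three factors the advisory names (server privilege, network exposure, and whether GLX is enabled) are things an administrator can check on a host before deciding how urgently to apply the distribution patches. The script below is an added example, not code from the article or from the X.Org project: it scores an X server's exposure along those three axes. The parsing functions take captured command output as arguments so the script can be exercised offline against the constructed samples at the bottom; on a live host you would pass in the real output of `ps -eo user,args`, `ss -ltn` and `xdpyinfo -queryExtensions`. The scoring weights and the "high/medium/low" thresholds are assumptions chosen for illustration, not values from the advisory.

```shell
#!/bin/sh
# Added example (not from the article or the X.Org advisory): score an X server's
# exposure along the three axes the advisory calls out. All inputs are captured
# command output passed as strings, so the checks run offline on the samples below.

# Exit 0 if an X/Xorg process is owned by root in `ps -eo user,args` output.
x_runs_as_root() {
    printf '%s\n' "$1" | awk '$1 == "root" && $2 ~ /(^|\/)(Xorg|X)$/ { found = 1 }
                              END { exit found ? 0 : 1 }'
}

# Exit 0 if something is listening on TCP 6000-6009 (X displays :0-:9) in `ss -ltn`
# output, i.e. the server is reachable by network clients rather than local-only.
x_listens_on_tcp() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" && $4 ~ /:600[0-9]$/ { found = 1 }
                              END { exit found ? 0 : 1 }'
}

# Exit 0 if `xdpyinfo -queryExtensions` lists the GLX extension.
x_has_glx() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*GLX([[:space:]]|$)'
}

# Combine the three checks into "high", "medium" or "low" (weights are assumptions:
# root and network exposure count 2 each, GLX counts 1).
x_exposure_level() {
    ps_out=$1; ss_out=$2; xdpy_out=$3
    score=0
    x_runs_as_root "$ps_out" && score=$((score + 2))
    x_listens_on_tcp "$ss_out" && score=$((score + 2))
    x_has_glx "$xdpy_out" && score=$((score + 1))
    if [ "$score" -ge 4 ]; then echo high
    elif [ "$score" -ge 2 ]; then echo medium
    else echo low
    fi
}

# Constructed samples standing in for captured command output.
SAMPLE_PS_ROOT='USER     COMMAND
root     /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 vt7
alice    /usr/bin/xterm'
SAMPLE_PS_USER='USER     COMMAND
alice    /usr/lib/xorg/Xorg :0 -nolisten tcp vt2
alice    /usr/bin/xterm'
SAMPLE_SS_TCP='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*'
SAMPLE_SS_LOCAL='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*'
SAMPLE_XDPY_GLX='number of extensions:    3
    BIG-REQUESTS
    GLX
    XInputExtension'
SAMPLE_XDPY_NOGLX='number of extensions:    2
    BIG-REQUESTS
    XInputExtension'

echo "root, TCP-exposed, GLX on:       $(x_exposure_level "$SAMPLE_PS_ROOT" "$SAMPLE_SS_TCP" "$SAMPLE_XDPY_GLX")"     # high
echo "rootless, local-only, no GLX:    $(x_exposure_level "$SAMPLE_PS_USER" "$SAMPLE_SS_LOCAL" "$SAMPLE_XDPY_NOGLX")" # low
```

On a real host the three strings come from `ps -eo user,args`, `ss -ltn` (or `netstat -ltn` on older systems) and `xdpyinfo -queryExtensions` run against the display in question; a "high" result means the server combines root privilege with network reachability, which is exactly the configuration the advisory describes as most critical.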

The advisory details the identified vulnerabilities and there are a lot of them, quite a few from the '90s, and one from 1987. Most distros already have patches waiting to be installed, so just hit that upgrade button in order to get the necessary fixes in place.
