Remove xserver-xorg-legacy

ilu
Posts: 2072
Joined: 09 Oct 2013 12:45

Remove xserver-xorg-legacy

Postby ilu » 31 Oct 2018 11:37

xserver-xorg-legacy might make Debian systems vulnerable to this bug: https://cve.mitre.org/cgi-bin/cvename.c ... 2018-14665 (and probably others too), because it allows Xorg to be started setuid root, which is a security risk.

xserver-xorg-legacy is installed on my system but is not needed:

apt-cache rdepends xserver-xorg-legacy
xserver-xorg-legacy
Reverse Depends:
  xserver-xorg
 |xserver-xorg-video-nvidia-legacy-304xx

where the dependency for xserver-xorg is only a "recommend". It's needed for the old nvidia driver, though, but that should not compromise everybody's security.

I can't reproduce the bug on my system, which is not surprising given my limited knowledge. Just to be sure, I'd suggest users check whether xserver-xorg-legacy is needed with

apt remove -s xserver-xorg-legacy

and if that command doesn't show any dependency problems, repeat the command without "-s" (which means "simulate"). Obviously that's no option for users with that old type of nvidia card, which seems to need root for the X server, but those users (if there are any) should investigate and maybe upgrade.
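The check the post describes (is an X server binary setuid root on this system, what depends on xserver-xorg-legacy, and what would an apt simulation actually remove) can be scripted. The following helpers are an added example, not code from the thread or from SolydXK; the candidate paths in XORG_CANDIDATES are assumed defaults for the Debian package, and the two SAMPLE_* strings are constructed from the output shown above so the parsers can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers around xserver-xorg-legacy.

# Paths the legacy package is assumed to install setuid root on Debian.
# Override XORG_CANDIDATES (space-separated) to audit another tree.
XORG_CANDIDATES="${XORG_CANDIDATES:-/usr/lib/xorg/Xorg.wrap /usr/lib/xorg/Xorg /usr/bin/X}"

# list_setuid_files DIR: regular files under DIR that carry the setuid bit.
list_setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# count_setuid_files DIR: how many setuid files live under DIR.
count_setuid_files() {
    list_setuid_files "$1" | wc -l | tr -d ' '
}

# xorg_setuid_paths: which candidate X server paths exist and are setuid.
xorg_setuid_paths() {
    for p in $XORG_CANDIDATES; do
        [ -u "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# parse_rdepends: read 'apt-cache rdepends PKG' output on stdin and print one
# dependant per line; the leading '|' apt-cache prints for alternative
# dependencies is stripped along with indentation.
parse_rdepends() {
    awk 'NR > 2 { sub(/^[ |]+/, ""); if ($0 != "") print }'
}

# removals_from_apt_sim: read 'apt remove -s PKG' output on stdin and print the
# packages the simulation would remove ("Remv <pkg> [version]" lines).
removals_from_apt_sim() {
    awk '$1 == "Remv" { print $2 }'
}

# audit_xorg_legacy: run the real commands on a live Debian-based system.
audit_xorg_legacy() {
    echo "setuid X server binaries:"
    xorg_setuid_paths
    echo "reverse dependencies of xserver-xorg-legacy:"
    apt-cache rdepends xserver-xorg-legacy | parse_rdepends
    echo "packages 'apt remove -s xserver-xorg-legacy' would remove:"
    apt remove -s xserver-xorg-legacy 2>/dev/null | removals_from_apt_sim
}

# Constructed samples (not captured from a real host) for offline use.
SAMPLE_RDEPENDS='xserver-xorg-legacy
Reverse Depends:
  xserver-xorg
 |xserver-xorg-video-nvidia-legacy-304xx'

SAMPLE_APT_SIM='Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  xserver-xorg-legacy
Remv xserver-xorg-legacy [0:0.0-example]'
```

Source the file and call audit_xorg_legacy on the machine in question; an empty "setuid X server binaries" section means the legacy wrapper is not giving the X server root, and a removal list longer than the one package means something else would go with it.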

Arjen Balfoort
Site Admin
Posts: 8884
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Remove xserver-xorg-legacy

Postby Arjen Balfoort » 01 Nov 2018 06:59

I've removed it from my system and from the ISOs.
The nightlies are now without xserver-xorg-legacy.

I wouldn't like to remove it from the users' systems with solydxk-system. It might break something.

SolydXK needs you!
Development | Testing | Translations

kurotsugi
Posts: 2121
Joined: 09 Jan 2014 00:17

Re: Remove xserver-xorg-legacy

Postby kurotsugi » 01 Nov 2018 11:43

The package is needed for hardware compatibility, so we still need it. On top of that, the bug is already fixed. Please correct me if I'm wrong, but currently there's no valid reason for removing it. As a distro developer we want our beloved Linux to work on every piece of hardware out there. We should never remove these kinds of packages because "only a few people use it". IMO this decision is better left to Debian. Debian already did all the dirty work, so for us it's all benefit without any loss.

Arjen Balfoort
Site Admin
Posts: 8884
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Remove xserver-xorg-legacy

Postby Arjen Balfoort » 01 Nov 2018 12:26

Hmmm, does Debian have xserver-xorg-legacy installed in its ISOs?


ilu
Posts: 2072
Joined: 09 Oct 2013 12:45

Re: Remove xserver-xorg-legacy

Postby ilu » 01 Nov 2018 18:30

I have to admit that I did not check all of the cards on that list http://us.download.nvidia.com/XFree86/L ... chips.html, but the newest I found was 10 years old, most of them 13-15 years. Maybe it's too early to remove the package, but since everybody seems to agree that Xorg has a tendency to be dangerous (that's why they are pushing Wayland), I don't think allowing the possibility of root privileges is a good idea unless absolutely necessary. At least on SolydX we won't have Wayland until ... short of never?

xserver-xorg-legacy is a dependency of the legacy nVidia driver and as such it's going to be installed with that driver, right? Don't we have solydxk-system to care for that? Or am I misunderstanding something?

kurotsugi
Posts: 2121
Joined: 09 Jan 2014 00:17

Re: Remove xserver-xorg-legacy

Postby kurotsugi » 02 Nov 2018 01:48

I hope I didn't create a misunderstanding. What I want to say is that neither "package A has a security issue" nor "only a few users use package A" is, or should be, a reason to remove a package from our system. As for xserver-xorg-legacy, the security issue has been resolved, so it's not a valid reason anymore.

As a side note, when a security advisory is released to the public, the problem is usually already solved or at least mitigated. Removing a package after a security advisory is released is not the best thing to do. In this kind of situation, we usually first take a look at the advisory and see whether the problem is already solved or not. If it isn't, the publication usually has some information about prevention/damage mitigation. In this kind of situation, removing a package should never be an option.

ilu
Posts: 2072
Joined: 09 Oct 2013 12:45

Re: Remove xserver-xorg-legacy

Postby ilu » 02 Nov 2018 15:11

To clarify, my argument was: a package that allows the X server to be executed suid root should never be on a system if not absolutely necessary, no matter whether a bug was found or not. The argument is: package A unnecessarily opens up an additional attack vector.

as a side note, when a security advisory is released to the public, the problem is usually already solved or at least mitigated

I know this. And I always check the CVE and bugs.debian.org first. Just as a side note: when the recent Ghostscript vulnerability was announced, the bug fix took about 2 weeks.
