[Bug 2552] ssh -X and "ForwardX11Trusted no" break most applications, distros turn on "ForwardX11Trusted yes"

bugzilla-daemon at bugzilla.mindrot.org
Mon Mar 14 19:33:07 AEDT 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2552

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
Thank you for bringing this upstream. The fact that the SECURITY extension
"breaks" applications has been a known problem for years, but when distros
basically disabled untrusted forwarding, there was no reason for
application developers to fix these problems. And now we are on the
same page, >10 years later.

But you miss one thing that changed. The XSECURITY extension is no
longer enabled by default on current systems (at least Fedora/RHEL) and
has been disabled upstream since 2007 in favour of the X Access Control
Extension (XACE).

This caused CVE-2016-1908 (fallback from untrusted to trusted) when the
extension is missing. Current behaviour is that untrusted X11
forwarding requests fail in this case.

My initial idea was to have a look into XACE, to see if it is mature
enough and if it would be able to work with our X11 forwarding, but
Wayland/xpra also look like an interesting way to go. I would be
interested in others' insights on this issue.

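The situation described in the comment above can be checked from a client: whether X11 forwarding would be trusted, untrusted, or untrusted with no SECURITY extension available on the X server. This is an added example, not part of the original message or of OpenSSH; it assumes its two inputs are the text printed by `ssh -G <host>` and by `xdpyinfo -queryExtensions`, and the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify X11 forwarding from two captured text inputs.
#   $1: output of `ssh -G <host>` (effective client config, lowercase keys)
#   $2: output of `xdpyinfo -queryExtensions` for the local X display

# Succeeds if the extension list contains an extension named exactly SECURITY.
has_security_ext() {
    printf '%s\n' "$1" | awk '$1 == "SECURITY" { found = 1 } END { exit !found }'
}

# Prints one of: disabled, trusted, untrusted, untrusted-unavailable
x11_forward_mode() {
    cfg=$1
    exts=$2
    fwd=$(printf '%s\n' "$cfg" | awk '$1 == "forwardx11" { print $2 }')
    trusted=$(printf '%s\n' "$cfg" | awk '$1 == "forwardx11trusted" { print $2 }')
    if [ "$fwd" != "yes" ]; then
        echo "disabled"
    elif [ "$trusted" = "yes" ]; then
        # Remote clients get full access to the display.
        echo "trusted"
    elif has_security_ext "$exts"; then
        # Untrusted forwarding can be set up; applications may still break.
        echo "untrusted"
    else
        # Per the comment: the request now fails here; the fallback to
        # trusted in this case was CVE-2016-1908.
        echo "untrusted-unavailable"
    fi
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_CFG_UNTRUSTED='hostname example.test
forwardx11 yes
forwardx11trusted no'
SAMPLE_CFG_TRUSTED='hostname example.test
forwardx11 yes
forwardx11trusted yes'
SAMPLE_EXTS_NO_SECURITY='number of extensions:    2
    BIG-REQUESTS  (opcode: 133)
    XFIXES  (opcode: 138, base event: 87, base error: 140)'
SAMPLE_EXTS_WITH_SECURITY="$SAMPLE_EXTS_NO_SECURITY
    SECURITY  (opcode: 137, base event: 86, base error: 138)"

echo "no SECURITY ext: $(x11_forward_mode "$SAMPLE_CFG_UNTRUSTED" "$SAMPLE_EXTS_NO_SECURITY")"
echo "distro default:  $(x11_forward_mode "$SAMPLE_CFG_TRUSTED" "$SAMPLE_EXTS_NO_SECURITY")"
```

On a live system the same function can be fed `"$(ssh -G host)"` and `"$(xdpyinfo -queryExtensions)"` in place of the samples.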