X.org Security Advisory: multiple security issues in X.Org X server and Xwayland

X hits security snags: fixes land, comments explode over 'design flaws' and Fil-C

TLDR: X.Org shipped urgent fixes for three bugs in the X server and Xwayland. Commenters split between “X is unsafe by design,” a heated Fil‑C debate (no, it’s not time travel), and questions about forks like X11Libre—underscoring why updating now matters for anyone running traditional Linux desktops.

X.Org just dropped fixes for three security bugs in the old-school X graphics system, the thing that draws windows on many Linux desktops. The advisory says xorg-server 21.1.19 and xwayland 24.1.9 patch two use-after-free bugs and an integer overflow, tracked as CVE-2025-62229, CVE-2025-62230 and CVE-2025-62231. All three were found by Jan‑Niklas Sohn working with Trend Micro’s Zero Day Initiative. But the comments stole the show: one user warned that letting untrusted apps talk to X is “asking for trouble” by design, and joked that Tcl/Tk apps can even receive commands over X (Tk’s send command lets another client on the same display hand an app Tcl code to run). Ouch.

Then the thread veered into a spicy side quest: could Fil‑C, a memory-safe implementation of C that recompiles existing code with pointer bounds checks and garbage-collected memory, have prevented this? One camp says yes: it is designed to lock down old C, even code that dates back to the ’90s. Another fired back with a sarcastic “so, time travel?”, which drew a callout to stop straw‑manning the question. Cue memes about the “Fil‑C DeLorean” and whether retro code can be saved without rewriting everything.

Meanwhile, curiosity flared about forks like X11Libre: are they already mitigating these bugs, or just following upstream fixes? The crowd’s consensus: update now, and if you still rely on X, treat it like a loud roommate and keep it separated from untrusted guests (in practice, don’t hand untrusted programs your display socket or xauth cookie, since any client that can connect can poke the server with requests like these). Read the X.Org advisory for the gritty details.

Key Points

  • X.Org disclosed three vulnerabilities affecting X.Org X server (prior to 21.1.19) and Xwayland (prior to 24.1.9).
  • Fixes are available in xorg-server 21.1.19 and xwayland 24.1.9, with specific commits referenced.
  • CVE-2025-62229: use-after-free in the X11 Present extension’s notification handling, introduced in Xorg 1.15.
  • CVE-2025-62230: use-after-free in Xkb client resource removal, introduced in X11R6.
  • CVE-2025-62231: value overflow in XkbSetCompatMap(), where a table size stored in an unsigned short wraps, introduced in X11R6.
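The third item above names a classic bug shape: a size computed from two client-supplied 16-bit fields is stored back into an unsigned short before it is used as an allocation size, so a large request wraps to a small table while the caller still writes the full range. The block below is an added example written for this page, not code from the X server or the advisory; the struct, the function names and the 0xFFF0/0x20 request values are constructed so the wrap is visible, and it generalises to any 16-bit-count table rather than the real sym_interpret layout. It puts a vulnerable grow routine beside one that rejects the request before truncation, which is the usual fix for this class, and checks whether a subsequent fill loop over [first, first+count) would stay inside the allocation.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a table whose entry count lives in a 16-bit field.
 * In the real X server the count is the XKB compat map's num_si; here it is
 * just a word per entry so the arithmetic can be shown without the real layout. */
struct interp_table {
    unsigned short num_entries; /* 16-bit count: the field that wraps */
    uint32_t *entries;          /* one word per entry (constructed) */
};

/* VULNERABLE (constructed): first + count is computed in int, but storing it in
 * the unsigned short truncates. first = 0xFFF0, count = 0x20 gives 0x10010,
 * which becomes 0x0010, so the table is reallocated for 16 entries while the
 * caller goes on to fill entries [0xFFF0, 0x10010). Nothing here performs that
 * write; fill_would_overflow() reports whether it would run off the end. */
int grow_table_vulnerable(struct interp_table *t, unsigned short first, unsigned short count)
{
    if ((unsigned)(first + count) > t->num_entries) {
        t->num_entries = first + count;  /* silent truncation to 16 bits */
        /* The chosen values wrap to 0x10, so this never passes 0 to realloc. */
        uint32_t *p = realloc(t->entries, (size_t)t->num_entries * sizeof *p);
        if (!p)
            return -2;
        t->entries = p;
    }
    return 0;
}

/* FIXED: compute the needed size in a wide type and refuse anything that does
 * not fit the 16-bit field before touching the table (the analogue of returning
 * BadValue to the client). Only then grow and store the count. */
int grow_table_fixed(struct interp_table *t, unsigned short first, unsigned short count)
{
    unsigned needed = (unsigned)first + count;
    if (needed > USHRT_MAX)
        return -1;                       /* reject: would not fit num_entries */
    if (needed > t->num_entries) {
        uint32_t *p = realloc(t->entries, (size_t)needed * sizeof *p);
        if (!p)
            return -2;
        memset(p + t->num_entries, 0, (needed - t->num_entries) * sizeof *p);
        t->entries = p;
        t->num_entries = (unsigned short)needed; /* safe: checked above */
    }
    return 0;
}

/* 1 if a loop writing entries [first, first + count) would pass the allocation. */
int fill_would_overflow(const struct interp_table *t, unsigned short first, unsigned short count)
{
    return (unsigned)first + count > t->num_entries;
}

/* Scenario helpers: each builds a fresh table, runs one request, returns the result. */
unsigned demo_vulnerable_size(void)
{
    struct interp_table t = { 0, NULL };
    if (grow_table_vulnerable(&t, 0xFFF0, 0x20) != 0)
        return UINT_MAX;
    unsigned n = t.num_entries;          /* 0x10, not the 0x10010 requested */
    free(t.entries);
    return n;
}

int demo_vulnerable_overflows(void)
{
    struct interp_table t = { 0, NULL };
    if (grow_table_vulnerable(&t, 0xFFF0, 0x20) != 0)
        return -1;
    int r = fill_would_overflow(&t, 0xFFF0, 0x20); /* 1: heap overflow ahead */
    free(t.entries);
    return r;
}

int demo_fixed_rejects(void)
{
    struct interp_table t = { 0, NULL };
    int r = grow_table_fixed(&t, 0xFFF0, 0x20); /* -1, table left untouched */
    free(t.entries);
    return r;
}

unsigned demo_fixed_accepts(void)
{
    struct interp_table t = { 0, NULL };
    if (grow_table_fixed(&t, 0x10, 0x20) != 0)
        return UINT_MAX;
    /* A sane request grows to exactly first + count and the fill stays in bounds. */
    unsigned n = fill_would_overflow(&t, 0x10, 0x20) ? UINT_MAX : t.num_entries;
    free(t.entries);
    return n;                            /* 0x30 */
}

int main(void)
{
    printf("vulnerable: num_entries=0x%x, fill overflows=%d\n",
           demo_vulnerable_size(), demo_vulnerable_overflows());
    printf("fixed: oversized request -> %d, sane request -> 0x%x entries\n",
           demo_fixed_rejects(), demo_fixed_accepts());
    return 0;
}
```

The point to take from the pairing is where the check sits: the fixed version validates the sum in a type that cannot wrap, before the narrow store and before any allocation, instead of trusting the 16-bit field after the fact.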

Hottest takes

"allowing any untrusted client to talk to your X server is asking for trouble just by design." — rwmj
"One of the use-cases of Fil-C is to prevent security issues in old C code that's much older than Fil-C itself." — jlokier
"maybe parent wasn't actually asking about time traveling but something else?" — embedding-shape
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.