[18418] in bugtraq
Re: Claimed vulnerability in GTK_MODULES
daemon@ATHENA.MIT.EDU (Kris Kennaway)
Wed Jan 3 17:34:07 2001
Message-Id: <20010103093229.A30555@citusc.usc.edu>
Date: Wed, 3 Jan 2001 09:32:29 -0800
Reply-To: Kris Kennaway <kris@FREEBSD.ORG>
From: Kris Kennaway <kris@FREEBSD.ORG>
X-To: Owen Taylor <otaylor@REDHAT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <ybezoh8ej9q.fsf@fresnel.labs.redhat.com>; from
otaylor@REDHAT.COM on Wed, Jan 03, 2001 at 10:40:33AM -0500
On Wed, Jan 03, 2001 at 10:40:33AM -0500, Owen Taylor wrote:
> What follows is the official GTK+ team position on this matter. (It
> can be found at http://www.gtk.org/setuid.html as well.) The summary
> is that we don't consider it a problem because writing set[ug]id
> programs with a GUI toolkit is simply a bad idea and not supported for
> GTK+.
Why not force the issue and abort in GTK startup if issetugid() (for
those platforms which have it)?
Kris
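The startup check suggested in the message above, sketched in C as an added example; it is not part of the original post and is not GTK+ code. The names started_setugid() and toolkit_startup_guard() are hypothetical, and the fallbacks for platforms without issetugid() are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#if defined(__linux__)
#include <sys/auxv.h>   /* getauxval(AT_SECURE), glibc >= 2.16 */
#endif

/* Hypothetical helper: 1 if the process was started set[ug]id, else 0. */
int started_setugid(void)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || \
    defined(__APPLE__)
    /* Kernel-tracked flag: stays set even if the program has since
     * made its real and effective ids equal again. */
    return issetugid() != 0;
#elif defined(__linux__)
    /* No issetugid() in glibc. AT_SECURE is set by the kernel at exec
     * time for set[ug]id binaries (and for file capabilities). */
    if (getauxval(AT_SECURE))
        return 1;
    return getuid() != geteuid() || getgid() != getegid();
#else
    /* Weakest fallback: misses a process that already dropped ids. */
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Hypothetical guard, meant to run before the toolkit reads any
 * environment variable such as GTK_MODULES.
 * Returns 0 to proceed, -1 to refuse. */
int toolkit_startup_guard(const char *progname)
{
    if (!started_setugid())
        return 0;
    fprintf(stderr, "%s: refusing to initialise the GUI toolkit in a "
                    "set[ug]id process\n", progname);
    return -1;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (toolkit_startup_guard(argv[0]) != 0)
        abort();   /* the "abort in startup" behaviour proposed above */
    puts("toolkit initialisation may proceed");
    return 0;
}
```

Comparing real and effective ids alone is the weaker test, since a program that equalises its ids before initialising the toolkit would pass it while still holding state acquired with privilege.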