[18427] in bugtraq


Re: gtk+ security hole.

daemon@ATHENA.MIT.EDU (Bryan Porter)
Thu Jan 4 14:49:39 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id:  <AAB5DEC592C7B84CA4A102978BDFFD5A0935A2@exchange.private.swpnet.com>
Date:         Wed, 3 Jan 2001 15:30:10 -0600
Reply-To: Bryan Porter <bporter@GTW.NET>
From: Bryan Porter <bporter@GTW.NET>
X-To:         Robert van der Meulen <rvdm@CISTRON.NL>
To: BUGTRAQ@SECURITYFOCUS.COM

I'm sorry, but this seems a bit much for me. My car has tires, and because
the tires are kind of bad and over-engineered, I shouldn't drive over 10MPH
because they might explode? What? Fix the tires. Same thing here.

"Don't make GTK+ program suid/setgid because it's based on another project
with multiple potential vulnerabilities." Absolutely ridiculous. "Our tires
suck because we bought cheap rubber." What?

Bottom line, if GTK+ is broken, fix it. And if it can't safely run suid,
then it is horribly broken. It's a graphic library for Christ's sake. And, if
it is so full of spaghetti code that it can't easily be fixed, then trash it.
But the excuses given are ridiculous, period. No professional project would
ever stand for this level of ineptitude. Qt works fine suid. And it's quite
cross-platform.
-----Original Message-----
From: Robert van der Meulen [mailto:rvdm@CISTRON.NL]
Sent: Wednesday, January 03, 2001 10:46 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: gtk+ security hole.
Hi,

Quoting Kain (kain@CHAOSIUM.NET):
> On Tue, Jan 02, 2001 at 04:13:58PM -0500, Rob Mosher wrote:
> > A simple fix to this would be to drop privileges before calling
> > gtk_init(), another easy fix is to modify gtk itself, to do this you
> > need to make the following modification of gtkmain.c.  In gtk-1.2.8 it's
> > at approximately line 215, you have:
> IMO, the best way to fix this would be to have libglib/gtk see if euid==0
> and just ignore those variables on init, and quite possibly go so far as
> to ignore "engine" lines in .gtkrcs or maybe filter them....

In the official reply of the gtk+ team, several very valid reasons are
given to _never_ have a suid/setgid gtk program.
If a gtk program is suid, the suidness is a security hole in itself.
I do not think gtk should be patched to behave differently when it's running
suid/setgid, as this will only encourage people to make suid/setgid gtk
programs, and we don't want that ;)
If there are bugs in the gtk libs they should (of course) be patched, but
specific 'features' for evading problems occurring when running
setuid/setgid should IMHO not be implemented.

Just my $.02,

	Robert
--
			      Linux Generation
        Life is a sexually transmitted disease with 100% mortality.
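The thread discusses two mitigations without showing either: Rob Mosher's application-side fix of dropping privileges before gtk_init(), and Kain's library-side idea of ignoring user-controlled variables when the effective ids are elevated. The following is an added illustration written for this archive page, not code from any poster, from GTK or from glib. It is Linux-specific (setregid/setreuid semantics, setgroups). The list of variables it scrubs is an assumption for the example: GTK_MODULES is the variable gtk_init() of that era read to load modules, and the LD_* entries are the dynamic loader's equivalents.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Variables that let the invoking user steer which shared objects a process
 * loads.  Illustrative list (an assumption of this example, not GTK's own). */
static const char *const untrusted_vars[] = {
    "GTK_MODULES",
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    NULL
};

/* Returns 1 if the process runs setuid or setgid, i.e. its effective ids
 * differ from those of the user who started it. */
int running_with_elevated_privileges(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Kain's suggestion, library side: while elevated, refuse to honour
 * user-controlled module variables.  Returns how many were removed. */
int scrub_env_if_elevated(int elevated)
{
    int removed = 0;
    if (!elevated)
        return 0;
    for (const char *const *v = untrusted_vars; *v != NULL; v++) {
        if (getenv(*v) != NULL && unsetenv(*v) == 0)
            removed++;
    }
    return removed;
}

/* Supplementary groups can only be changed while privileged; only bother
 * when there is something other than the real gid to shed. */
static int needs_setgroups(gid_t gid)
{
    static gid_t groups[NGROUPS_MAX];
    int n = getgroups(NGROUPS_MAX, groups);
    if (n < 0)
        return 1;
    for (int i = 0; i < n; i++)
        if (groups[i] != gid)
            return 1;
    return 0;
}

/* Rob Mosher's suggestion, application side: give up the setuid/setgid
 * identity for good before any toolkit initialisation.  Groups and gid go
 * first, because they can only be changed while still privileged.  On Linux,
 * setregid/setreuid with both arguments set also reset the saved ids, so the
 * identity cannot be reacquired later.  Returns 0 on success, -1 on failure. */
int drop_privileges_permanently(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0 && needs_setgroups(gid) && setgroups(1, &gid) != 0)
        return -1;
    if (setregid(gid, gid) != 0)
        return -1;
    if (setreuid(uid, uid) != 0)
        return -1;

    /* Verify the drop: effective ids must now equal the real ones. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    int elevated = running_with_elevated_privileges();
    printf("uid=%u euid=%u elevated=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), elevated);

    /* Library-side mitigation: ignore untrusted module variables while
     * privileged. */
    printf("scrubbed %d untrusted variable(s)\n", scrub_env_if_elevated(elevated));

    /* Application-side fix: drop privileges first; gtk_init(&argc, &argv)
     * would follow this point. */
    if (drop_privileges_permanently() != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("privileges dropped: uid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

The two approaches compose: the environment scrub limits what a setuid binary will load if someone ships one anyway, while the permanent drop is what an application that does not actually need the privilege for its GUI should do before the toolkit runs. Where getresuid() is available, a stricter verification would also confirm that the saved uid matches the real one.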
