[18436] in bugtraq
Re: gtk+ security hole.
daemon@ATHENA.MIT.EDU (Joe)
Fri Jan 5 13:26:55 2001
Message-Id: <Pine.LNX.3.95.1010104111852.14463A-100000@animal.blarg.net>
Date: Thu, 4 Jan 2001 11:33:46 -0800
Reply-To: joe@blarg.net
From: Joe <joe@BLARG.NET>
X-To: Bryan Porter <bporter@GTW.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <AAB5DEC592C7B84CA4A102978BDFFD5A0935A2@exchange.private.swpnet.com>
This is going to quickly get out-of-hand I think, but my 2 cents...
On Wed, 3 Jan 2001, Bryan Porter wrote:
> I'm sorry, but this seems a bit much for me. My car has tires, and because
> the tires are kind of bad and over-engineered, I shouldn't drive over 10MPH
> because they might explode? What? Fix the tires. Same thing here.
Analogies are always bad. This one more so than most. A wheel is, by
definition, a required element for driving a car. A GUI is not required for
most programs and definitely should be avoided when writing suid
programs. Suid programs should be as lean and mean as possible.
> "Don't make GTK+ program suid/setgid because it's based on another project
> with multiple potential vulnerabilities." Absolutely ridiculous. "Our tires
> suck because we bought cheap rubber." What?
No - to try my hand at bad analogies, it's more like buying a set of
candy-glass tires because the tires are pretty. Go ahead and take those
candy-glass tires out on the freeway if you want, but when you crash and
burn don't come crying to us.
> Bottom line, if GTK+ is broken, fix it. And if it can't safely run suid,
> then it is horribly broken. It's a graphic library for Christ's sake.
Precisely - don't write suid programs with crap you don't absolutely have to
have. I think the GTK team's response is more than appropriate. Anybody that
wants to include a half-million lines of someone else's code into their suid
programs does so at their own risk.
--
Joe Technical Support
General Support: support@blarg.net Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net
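The practical check that follows from Joe's point (do not let a setuid or setgid binary drag in a GUI toolkit) is to enumerate privileged binaries and inspect what they link against. The script below is an added example written for this page, not code from the thread, from the GTK+ project, or from Blarg!. It assumes a Linux/ELF system with `ldd` on PATH; the list of library-name prefixes treated as "GUI toolkit" and the sample `ldd` output embedded for demonstration are constructed assumptions, not taken from the original message.

```python
#!/usr/bin/env python3
"""Audit setuid/setgid binaries for GUI-toolkit dependencies.

Added example for this page; assumes Linux/ELF and `ldd` on PATH.
"""
import os
import stat
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Library-name prefixes treated as "GUI toolkit" for this audit. This is an
# illustrative assumption; extend it for the toolkits present on your hosts.
GUI_LIB_PATTERNS: Tuple[str, ...] = ("libgtk", "libgdk", "libX11", "libQt")

# Constructed sample of `ldd` output (not captured from a real binary), used
# for the stand-alone demo at the bottom and for tests.
SAMPLE_LDD_OUTPUT = (
    "\tlinux-vdso.so.1 (0x00007ffd6c3f2000)\n"
    "\tlibgtk-x11-2.0.so.0 => /usr/lib/libgtk-x11-2.0.so.0 (0x00007f2a1c000000)\n"
    "\tlibX11.so.6 => /usr/lib/libX11.so.6 (0x00007f2a1bc00000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a1b800000)\n"
    "\tlibmissing.so.1 => not found\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f2a1c400000)\n"
)


def find_privileged_binaries(root: str) -> List[str]:
    """Return regular files under `root` with the setuid or setgid bit set."""
    hits: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks here
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def parse_ldd(output: str) -> Dict[str, Optional[str]]:
    """Parse `ldd` text into {soname: resolved path or None if 'not found'}.

    Lines without '=>' (the vDSO and the ELF interpreter) carry no soname
    mapping and are skipped.
    """
    deps: Dict[str, Optional[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if "=>" not in line:
            continue
        soname, _, rest = line.partition("=>")
        soname, rest = soname.strip(), rest.strip()
        deps[soname] = None if rest.startswith("not found") else rest.split()[0]
    return deps


def gui_dependencies(deps: Dict[str, Optional[str]],
                     patterns: Tuple[str, ...] = GUI_LIB_PATTERNS) -> List[str]:
    """Return the sonames in `deps` that match a GUI-toolkit prefix."""
    lowered = tuple(p.lower() for p in patterns)
    return sorted(s for s in deps if s.lower().startswith(lowered))


def ldd_output_for(path: str) -> str:
    """Run the system `ldd`; returns '' if ldd is absent or the file is not dynamic."""
    try:
        proc = subprocess.run(["ldd", path], capture_output=True, text=True, check=False)
    except OSError:
        return ""
    return proc.stdout if proc.returncode == 0 else ""


def audit(root: str, ldd: Callable[[str], str] = ldd_output_for) -> Dict[str, List[str]]:
    """Map each privileged binary under `root` to the GUI libraries it links.

    `ldd` is injectable so the logic can be exercised on constructed output.
    """
    report: Dict[str, List[str]] = {}
    for path in find_privileged_binaries(root):
        hits = gui_dependencies(parse_ldd(ldd(path)))
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for binary, libs in audit(root).items():
        print(f"{binary}: {', '.join(libs)}")
```

Two caveats when running this for real. `ldd` works by invoking the dynamic linker on the target, so do not point it at a binary you do not trust; `objdump -p` or `readelf -d` reads the DT_NEEDED entries without executing anything. And the DT_NEEDED chain is only the static picture: GTK+ also `dlopen()`s theme engines and input-method modules at runtime, which is exactly the kind of extra code Joe's message is warning about and which this check will not list.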