[18439] in bugtraq
Re: gtk+ security hole.
daemon@ATHENA.MIT.EDU (Bryan Porter)
Fri Jan 5 14:13:08 2001
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <AAB5DEC592C7B84CA4A102978BDFFD5A0935BB@exchange.private.swpnet.com>
Date: Thu, 4 Jan 2001 18:15:48 -0600
Reply-To: Bryan Porter <bporter@GTW.NET>
From: Bryan Porter <bporter@GTW.NET>
X-To: Dan Stromberg <strombrg@nis.acs.uci.edu>
To: BUGTRAQ@SECURITYFOCUS.COM
I'm gathering from the feedback I've gotten that I may have been
overly harsh. I especially feel rather silly knowing that everyone else in
the known universe doesn't make GUI apps suid. Well, experience is a great
teacher, and let's just say I've learned a lot. Thanks for the input guys,
and apologies to the GTK+ team - it seems I was wrong after all.
-----Original Message-----
From: Dan Stromberg [mailto:strombrg@nis.acs.uci.edu]
Sent: Thursday, January 04, 2001 5:19 PM
To: Bryan Porter
Subject: Re: gtk+ security hole.
Hmmmmmmm...
How surprising to see a Qt rant in there. :-S
Actually, I wouldn't recommend running Qt setuid either. GUI programs
shouldn't be setuid. Look at all the trouble we've had with xterm.
It should have had a setuid helper program from the beginning.
On Wed, Jan 03, 2001 at 03:30:10PM -0600, Bryan Porter wrote:
> I'm sorry, but this seems a bit much for me. My car has tires, and because
> the tires are kind of bad and over-engineered, I shouldn't drive over 10MPH
> because they might explode? What? Fix the tires. Same thing here.
>
> "Don't make GTK+ programs suid/setgid because it's based on another project
> with multiple potential vulnerabilities." Absolutely ridiculous. "Our tires
> suck because we bought cheap rubber." What?
>
> Bottom line, if GTK+ is broken, fix it. And if it can't safely run suid,
> then it is horribly broken. It's a graphic library for Christ's sake. And, if
> it is so full of spaghetti code that it can't easily be fixed, then trash it.
> But the excuses given are ridiculous, period. No professional project would
> ever stand for this level of ineptitude. Qt works fine suid. And it's quite
> cross-platform.
--
Dan Stromberg UCI/NACS/DCS
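The design Dan Stromberg recommends above, as an added example that is not from the thread or from GTK+/Qt: a GUI toolkit can refuse to initialise when it finds itself setuid/setgid, and the one privileged operation the application needs lives in a tiny separate helper that drops its privileges irreversibly before doing anything else. The code assumes a Linux or BSD system that provides setresuid/setresgid; the function names are the example's own.

```c
/* Added example: the two halves of the "setuid helper" pattern.
 * Assumes setresuid/setresgid (Linux, *BSD); function names are illustrative. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Toolkit side: return 1 if the process holds privileges its invoking user
 * did not have (setuid or setgid binary). A library that pulls in fonts,
 * themes and X protocol parsing cannot audit every path, so its init
 * routine should call this and abort rather than continue elevated. */
int running_setuid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Helper side: drop permanently to the real uid/gid after the privileged
 * step is done. Supplementary groups and the gid go first, while we still
 * have the privilege to change them; then all three uids. Returns 0 on
 * success, -1 if any step fails or the drop turns out to be reversible. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify the drop stuck: regaining root must fail for a non-root user. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    if (running_setuid()) {
        fprintf(stderr, "refusing to initialise the GUI while setuid/setgid\n");
        return EXIT_FAILURE;
    }
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return EXIT_FAILURE;
    }
    printf("running as uid %d with privileges dropped\n", (int)getuid());
    return EXIT_SUCCESS;
}
```

Run as a normal user the binary reports no elevation and a successful drop; installed setuid it refuses at the first check, which is the behaviour the thread argues a GUI library should have.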