GNOME security?
Hi,

I just noticed that the panel applets listen on TCP ports 
starting at 1027. I am using GNOME 0.30 as shipped with RH5.2.

Opening a connection to one of these ports and typing garbage will
consistently crash the applet in question.

> [dmiller@mothra dmiller]$ panel
> Message: Initializing CORBA for panel
> 
> started applet, exec: '(true; /usr/bin/gen_util_applet --clock &)'
> Message: Initializing CORBA for applet
> 
> started applet, exec: '(true; /usr/bin/multiload_applet --cpu &)'
> Message: Initializing CORBA for applet
> 
> make_cpuload_applet (--cpu): 0x807c3c0
> Calling sysdeps open function.
> started applet, exec: '(true; /usr/bin/fish_applet &)'
> Message: Initializing CORBA for applet
> 
> Saving to [/panel.d/default/]
> Saving session: 1 2 3 4

At this point I telnetted to the port the fish applet was listening on
and typed about 400 characters.

> GLib-ERROR **: could not allocate 1869638251 bytes
> aborting...
> Saving to [/panel.d/default/]
> Saving session: 1 2 3 4

This concerns me. At the very least it is a 100% effective DoS attack
against the applet. Different strings would cause different allocation
sizes to be requested; it might be possible to find one which will
fill up all the target's memory.

My questions are:

 - Has this vulnerability been fixed in CVS?

 - Why are applets listening on open TCP ports to begin with? (why not
 unix domain sockets, or localhost sockets?)

 - Has GNOME been audited for security? Are there plans to, prior to
 the 1.0 release?

Regards,
Damien Miller

| Damien Miller - 
| Email: dmiller@ilogic.com.au (home) or damien@ibs.com.au (work)
| WWW:   http://www.ilogic.com.au/~dmiller/ 
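The failure mode reported above (garbage typed at a listening port turns into a request for 1869638251 bytes) is the classic shape of a length-prefixed protocol reader that trusts the length field. As a point of fact, 1869638251 is 0x6F706A6B, four printable ASCII bytes, which is consistent with, though the post does not establish, the applet reading a length out of the typed input. The program below is an added illustration and is not GNOME or applet code: it assumes a hypothetical wire format of a 4-byte big-endian length followed by the body, shows what an unchecked reader would ask malloc() for, and beside it a reader that bounds the length against a fixed ceiling (`MAX_MESSAGE_LEN`, an assumed value) and against the bytes actually received before allocating. The inputs are constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not GNOME code. The wire format (4-byte big-endian
 * length, then body) is an assumption, not the applet's real protocol. */

/* Hypothetical ceiling on a single message body. */
#define MAX_MESSAGE_LEN (64u * 1024u)

enum parse_status {
    PARSE_OK = 0,
    PARSE_ERR_SHORT_HEADER,   /* fewer than 4 bytes available */
    PARSE_ERR_TOO_LARGE,      /* length field exceeds MAX_MESSAGE_LEN */
    PARSE_ERR_TRUNCATED,      /* length field exceeds bytes actually received */
    PARSE_ERR_NOMEM
};

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* What an unchecked reader would hand straight to malloc(): the first
 * four bytes of whatever the peer sent, interpreted as a length.
 * Computed but never allocated, so this demo cannot abort like the applet. */
uint32_t naive_alloc_request(const unsigned char *buf, size_t buflen)
{
    if (buflen < 4)
        return 0;
    return read_be32(buf);
}

/* Hardened reader: validates the length against a fixed ceiling and
 * against the bytes actually present before allocating anything. */
enum parse_status parse_message(const unsigned char *buf, size_t buflen,
                                unsigned char **body, size_t *bodylen)
{
    uint32_t len;

    *body = NULL;
    *bodylen = 0;
    if (buflen < 4)
        return PARSE_ERR_SHORT_HEADER;
    len = read_be32(buf);
    if (len > MAX_MESSAGE_LEN)
        return PARSE_ERR_TOO_LARGE;
    if (len > buflen - 4)
        return PARSE_ERR_TRUNCATED;

    *body = malloc(len + 1);           /* +1 leaves room for a NUL */
    if (*body == NULL)
        return PARSE_ERR_NOMEM;
    memcpy(*body, buf + 4, len);
    (*body)[len] = '\0';
    *bodylen = len;
    return PARSE_OK;
}

/* Constructed input: printable ASCII typed at the socket, as in the report.
 * The first four bytes "opjk" read as 0x6F706A6B = 1869638251. */
static const unsigned char garbage[] = "opjkasdfasdfasdf";
/* Constructed well-formed message: length 2, body "hi". */
static const unsigned char good[] = { 0, 0, 0, 2, 'h', 'i' };

int main(void)
{
    unsigned char *body;
    size_t bodylen;

    printf("naive reader would request %" PRIu32 " bytes for the garbage\n",
           naive_alloc_request(garbage, sizeof garbage - 1));
    printf("hardened reader on garbage: status %d\n",
           (int)parse_message(garbage, sizeof garbage - 1, &body, &bodylen));
    if (parse_message(good, sizeof good, &body, &bodylen) == PARSE_OK) {
        printf("hardened reader on good message: body \"%s\" (%zu bytes)\n",
               body, bodylen);
        free(body);
    }
    return 0;
}
```

The two checks are deliberately separate: the ceiling rejects absurd lengths regardless of what has arrived, and the truncation check stops a reader from copying past the received buffer even for lengths under the ceiling. A real applet would also want to read the body incrementally up to that bound rather than buffer everything first, but the ordering of validate-then-allocate is the part the crash above is missing.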
