Re: gtk+ security hole. (fwd)

This was the proposed fix for the problem. Use or discard as you see

alan ctrl-alt-del com | Note to AOL users: for a quick shortcut to reply
Alan Olsen            | to my mail, just hit the ctrl, alt and del keys.
    "In the future, everything will have its 15 minutes of blame."

---------- Forwarded message ----------
Date: Tue, 2 Jan 2001 16:13:58 -0500
From: Rob Mosher <rmosher LIGHTNING NET>
Subject: Re: gtk+ security hole.

A simple fix to this would be to drop priveleges before calling
gtk_init(), another easy fix is to modify gtk itself, to do this you
need to make the following modification of gtkmain.c.  In gtk-1.2.8 its
at approximately line 215, you have:

   env_string = getenv ("GTK_MODULES");

add the following line above it:
   if(geteuid() != getuid())

This will prevent gtk from loading modules if the program calling
gtk_init has a different euid than the uid.

Chris Sharp wrote:

> while going through a quick audit of gtk i found:
> gtk+ can be tricked into running arbitrary code
> via a bogus module.  this means any program using
> gtk that is set*id can be exploited via this
> method.  here is an exploit i wrote for this
> security hole:
> original xgtk.c(working/un-wrapped):

Rob Mosher
Lead Programmer / Systems Engineer
Lightning Internet Services, LLC

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]