Re: gtk+ security hole. (fwd)
- From: Alan Olsen <alan clueserver org>
- To: gtk-devel-list gnome org
- Subject: Re: gtk+ security hole. (fwd)
- Date: Tue, 2 Jan 2001 18:13:38 -0800 (PST)
This was the proposed fix for the problem. Use or discard as you see
fit...
alan ctrl-alt-del com | Note to AOL users: for a quick shortcut to reply
Alan Olsen | to my mail, just hit the ctrl, alt and del keys.
"In the future, everything will have its 15 minutes of blame."
---------- Forwarded message ----------
Date: Tue, 2 Jan 2001 16:13:58 -0500
From: Rob Mosher <rmosher LIGHTNING NET>
To: BUGTRAQ SECURITYFOCUS COM
Subject: Re: gtk+ security hole.
A simple fix to this would be to drop privileges before calling
gtk_init(). Another easy fix is to modify gtk itself; to do this you
need to make the following modification to gtkmain.c. In gtk-1.2.8 it's
at approximately line 215, you have:

    env_string = getenv ("GTK_MODULES");

add the following line above it:

    if (geteuid() == getuid())

This will prevent gtk from loading modules if the program calling
gtk_init has a different euid than the uid.
Chris Sharp wrote:
> while going through a quick audit of gtk i found:
>
> gtk+ can be tricked into running arbitrary code
> via a bogus module. this means any program using
> gtk that is set*id can be exploited via this
> method. here is an exploit i wrote for this
> security hole:
>
>
> original xgtk.c(working/un-wrapped):
> http://realhalo.org/xgtk.c
[snip]
--
Rob Mosher
Lead Programmer / Systems Engineer
Lightning Internet Services, LLC
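
Added example, not part of either message and not GTK+ source: the two mitigations discussed above (dropping privileges before gtk_init(), and ignoring GTK_MODULES when real and effective ids differ) as stand-alone C. It also compares gid with egid, since the report covers set*id programs in general; the helper names ids_elevated, module_env and drop_privileges are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* True when real and effective ids differ (process started set-uid/set-gid).
 * Ids are parameters so the decision can be tested without a set*id binary. */
static int ids_elevated(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

/* Value of an environment variable that names code to load, or NULL when
 * the process is elevated and the variable must be ignored. */
static const char *module_env(const char *name)
{
    if (ids_elevated(getuid(), geteuid(), getgid(), getegid()))
        return NULL;
    return getenv(name);
}

/* Drop to the real ids for good; call before gtk_init(). Group first: once
 * the uid is dropped the process may no longer be allowed to change its gid.
 * Returns 0 on success, -1 if a step failed or privilege can be regained. */
static int drop_privileges(void)
{
    uid_t uid = getuid(), old_euid = geteuid();
    gid_t gid = getgid();

    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (ids_elevated(getuid(), geteuid(), getgid(), getegid()))
        return -1;
    /* A saved set-user-ID would let the process switch back. */
    if (old_euid != uid && seteuid(old_euid) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (drop_privileges() != 0)
        return 1;   /* refuse to run the toolkit while still privileged */
    const char *mods = module_env("GTK_MODULES");
    printf("GTK_MODULES %s\n", mods ? "honoured" : "ignored or unset");
    return 0;
}
```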