Re: Claimed vulnerability in GTK_MODULES


> set[ug]id and would consider any such to be security holes. (Note that
> GNOME games drop setgid games privileges before initializing GTK+.)

Then those games are broken.

Because you are essentially saying: If you want to arbitrarily modify
the high-scores table, you just need to use GTK_MODULES and you'll get the
access you want.

Those games should either

1) use world-writeable high scores tables, so that everyone knows
there's no security in there.


2) fix gtk so that it is secure.

2) might be a better idea. It might not be a good idea to rely on gtk+
being secure anytime soon, but you should start with it, if only for

I'm pavel ucw cz  "In my country we have almost anarchy and I don't care."
Panos Katsaloulis describing me w.r.t. patents at discuss linmodems org
