Re: Claimed vulnerability in GTK_MODULES



Hi!

> set[ug]id and would consider any such to be security holes. (Note that
> GNOME games drop setgid games privileges before initializing GTK+.)

Then those games are broken.

Because you are essentially saying: If you want to arbitrarily modify
the high-scores table, you just need to use GTK_MODULES and you'll get
the access you want.

Those games should either

1) use world-writeable high scores tables, so that everyone knows
there's no security in there.

*or*

2) fix gtk so that it is secure.

2) might be a better idea. It might not be a good idea to rely on gtk+
being secure anytime soon, but you should start with it, if only for
games.

								Pavel
-- 
I'm pavel ucw cz  "In my country we have almost anarchy and I don't care."
Panos Katsaloulis describing me w.r.t. patents at discuss linmodems org



