Re: Claimed vulnerability in GTK_MODULES



Hi!

> This overstates the case a bit. The games group setup makes it
> necessary to have special knowledge to modify the high score table,
> and you can only modify it in ways that the spawned setgid child will
> accept (merge entries). You can't e.g. cat /dev/zero > scores, and you
> can't add an arbitrary number of entries. So at most you can annoy
> other people playing games by filling the 10-entry table with bogus
> scores, you can't do anything else.
> 
> World-writable would mean people could create an arbitrarily large
> file and other such things, which would be dangerous to system
> security. 

Why? An arbitrarily large file is no problem; any user can do this in
/tmp/.

> Messing up a high scores table is not dangerous to
> systemwide security.

Still, messing up high scores is a bad thing, and should be
prevented. Agreed?


> > 2) fix gtk so that it is secure.
> > 
> > 2) might be a better idea. It might not be a good idea to rely on gtk+
> > being secure anytime soon, but you should start with it, if only for
> > games.
> > 
> 
> It's impossible. Tiny programs specifically written to be setuid by
> experts (e.g. "su") have had exploits. As Owen says, those programs
> are 500 lines long. GTK is 500,000 lines. Even if risk increased
> linearly, you have 1000 times the risk. But it isn't linear at all;
> it's exponential.
>
> Assuming linear, if you get an exploit in a 500-line program once
> every few years, you get an exploit in GTK something like every day. A
> more realistic assumption of exponential loss of security means
> several exploits a day.

Currently, the security of high scores is a joke. Okay, it is slightly
better than a world-writable file, but not much.

What I'm arguing for is a semi-secure gtk+. It might get an exploit
published every day, but for high-scores security that is
acceptable.

								Pavel
-- 
The best software in life is free (not shareware)!		Pavel
GCM d? s-: !g p?:+ au- a--@ w+ v- C++@ UL+++ L++ N++ E++ W--- M- Y- R+



