Bugtraq mailing list archives
Re: gtk+ security hole.
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Thu, 4 Jan 2001 11:36:38 -0800
Bryan Porter wrote:
> I'm sorry, but this seems a bit much for me. My car has tires, and because the tires are kind of bad and over-engineered, I shouldn't drive over 10MPH because they might explode? What? Fix the tires. Same thing here. "Don't make GTK+ program suid/setgid because it's based on another project with multiple potential vulnerabilities." Absolutely ridiculous. "Our tires suck because we bought cheap rubber." What?
That is a really silly analogy, but I'll play along. The GTK+ guys are saying something more like, "Our tires were designed to be used on roads. If you drive them off-road over a field of sharp jagged rocks, they might and probably will fail. Don't use our tires off-road. We do not plan on producing off-road tires, nor is it practical to modify existing tires for off-road use."
> Bottom line, if GTK+ is broken, fix it. And if it can't safely run suid, then it is horribly broken.
This is not true. GTK+ is not designed to be run setuid. It cannot be safely run setuid. This does not mean it is broken, it means that it can't do something it was not meant to. Along the same lines, it is generally accepted that setuid shell scripts are not safe. Does this mean the shells are broken? The mail from the GTK+ developers was quite frank and refreshing. Their recommendations were simply sound, widely accepted, secure coding practices.

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926