Bugtraq mailing list archives
Re: gtk+ security hole.
From: Joe <joe () blarg net>
Date: Thu, 4 Jan 2001 11:33:46 -0800
This is going to quickly get out-of-hand I think, but my 2 cents... On Wed, 3 Jan 2001, Bryan Porter wrote:
> I'm sorry, but this seems a bit much for me. My car has tires, and because the tires are kind of bad and over-engineered, I shouldn't drive over 10MPH because they might explode? What? Fix the tires. Same thing here.
Analogies are always bad. This one more so than most. A wheel is, by definition, a required element for driving a car. A GUI is not required for most programs and definitely should be avoided when writing suid programs. Suid programs should be as lean and mean as possible.
> "Don't make GTK+ program suid/setgid because it's based on another project with multiple potential vulnerabilities." Absolutely ridiculous. "Our tires suck because we bought cheap rubber." What?
No - to try my hand at bad analogies, it's more like buying a set of candy-glass tires because the tires are pretty. Go ahead and take those candy-glass tires out on the freeway if you want, but when you crash and burn don't come crying to us.
> Bottom line, if GTK+ is broken, fix it. And if it can't safely run suid, then it is horribly broken. It's a graphic library for Christ's sake.
Precisely - don't write suid programs with crap you don't absolutely have to have. I think the GTK team's response is more than appropriate. Anybody that wants to include a half-million lines of someone else's code into their suid programs does so at their own risk.
-- 
Joe
Technical Support
General Support: support () blarg net
Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG
http://www.blarg.net
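The practical shape of the "lean and mean" argument above, as an added example that is not code from this thread, from GTK+, or from any of the posters: a setuid program does its one narrow privileged step first, then drops privileges permanently and verifies the drop before anything as large as a GUI toolkit is initialised; alongside it is the kind of guard a library could put in its own init path so it refuses to run in a setuid/setgid process at all. The function names are hypothetical, and the code assumes a Linux/BSD libc that provides setresuid()/setresgid() and setgroups().

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* 1 if the process holds privileges its invoking user does not have
   (setuid or setgid binary), 0 otherwise. */
int running_with_elevated_privs(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Permanently drop to the real uid/gid. Returns 0 on success, -1 on failure.
   Order matters: supplementary groups and the gid must go first, because
   once the effective uid is unprivileged, setgroups()/setresgid() are no
   longer permitted. The saved ids are set too (setres*), so the privilege
   cannot be regained later with seteuid()/setegid(). */
int drop_privileges_permanently(void) {
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* setgroups() needs root; if we are not root there is nothing to clear. */
    if (euid == 0 && setgroups(1, &rgid) != 0) return -1;
    if (setresgid(rgid, rgid, rgid) != 0) return -1;
    if (setresuid(ruid, ruid, ruid) != 0) return -1;

    /* Never trust the return values alone: confirm the ids actually changed
       and that the old effective ids cannot be reacquired. */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    if (euid != ruid && seteuid(euid) == 0) return -1;
    if (egid != rgid && setegid(egid) == 0) return -1;
    return 0;
}

/* What a toolkit's init routine could do (hypothetical, not GTK+'s code):
   refuse to initialise while the process still holds elevated privileges.
   Returns 0 when it is safe to proceed, -1 otherwise. */
int gui_init_refusing_setuid(void) {
    if (running_with_elevated_privs()) {
        fprintf(stderr, "refusing to initialise GUI in a setuid/setgid process\n");
        return -1;
    }
    return 0;
}

int main(void) {
    if (running_with_elevated_privs()) {
        /* Do the one thing that needed the privilege here (e.g. open a
           device node), then give the privilege back before anything else. */
        if (drop_privileges_permanently() != 0) {
            fprintf(stderr, "could not drop privileges, aborting\n");
            return 1;
        }
    }
    if (gui_init_refusing_setuid() != 0) return 1;
    printf("running as uid %u; safe to load the rest of the program\n",
           (unsigned)getuid());
    return 0;
}
```

Run stand-alone the program is not setuid, so the first check is false and it simply proceeds; installed setuid it drops privileges and then passes the library guard. The re-acquisition probe at the end of the drop is the part most often left out: on a non-root setuid binary a plain setuid(ruid) changes only the effective uid, leaves the saved uid privileged, and the probe is what catches that.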
Current thread:
- gtk+ security hole. Chris Sharp (Jan 02)
- Re: gtk+ security hole. Rob Mosher (Jan 02)
- Re: gtk+ security hole. Rob Mosher (Jan 03)
- Re: gtk+ security hole. Rob Mosher (Jan 03)
- Re: gtk+ security hole. Kain (Jan 03)
- Re: gtk+ security hole. Robert van der Meulen (Jan 03)
- Re: gtk+ security hole. Wichert Akkerman (Jan 04)
- Re: gtk+ security hole. Rob Mosher (Jan 03)
- Re: gtk+ security hole. Rob Mosher (Jan 02)
- <Possible follow-ups>
- Re: gtk+ security hole. Bryan Porter (Jan 04)
- Re: gtk+ security hole. Crist Clark (Jan 05)
- Re: gtk+ security hole. Joe (Jan 05)
- Re: gtk+ security hole. Crispin Cowan (Jan 05)
- Re: gtk+ security hole. Bryan Porter (Jan 05)