Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: gtk+ security hole.
From: Joe <joe () blarg net>
Date: Thu, 4 Jan 2001 11:33:46 -0800

This is going to quickly get out-of-hand I think, but my 2 cents...

On Wed, 3 Jan 2001, Bryan Porter wrote:

I'm sorry, but this seems a bit much for me. My car has tires, and because
the tires are kind of bad and over-engineered, I should'nt drive over 10MPH
because they might explode? What? Fix the tires. Same thing here.

Analogies are always bad. This one more-so than most. A wheel is, by
definition, a required element for driving a car. A GUI is not required for
most programs and definitely should be avoided when writing suid
programs. Suid programs should be as lean and mean as possible.

"Don't make GTK+ program suid/setgid because it's based on another project
with multiple potential vulnerabilites." Absolutely ridiculous. "Our tires
suck because we bought cheap rubber." What?

No - to try my hand at bad analogies, it's more like buying a set of
candy-glass tires because the tires are pretty. Go ahead and take those
candy-glass tires out on the freeway if you want, but when you crash and
burn don't come crying to us.

Bottom line, if GTK+ is broken, fix it. And if it can't safely run suid,
then it is horribly broken. It's a graphic library for christs sake.

Precisely - don't write suid programs with crap you don't absolutely have to
have. I think the GTK team's response is more than appropriate. Anybody that
wants to include a half-million lines of someone elses code into their suid
programs does so at their own risk.

--
Joe                                     Technical Support
General Support:  support () blarg net     Blarg! Online Services, Inc.
Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]