Home page logo

bugtraq logo Bugtraq mailing list archives

Re: gtk+ security hole.
From: Bryan Porter <bporter () GTW NET>
Date: Thu, 4 Jan 2001 18:15:48 -0600

I'm gathering from the feedback I've gotten that I may have been
overly-harsh. I especially feel rather silly knowing that everyone else in
the known universe doesn't make GUI apps suid. Well, experience is a great
teacher, and let's just say I've learned a lot. Thanks for the input guys,
and apologies to the GTK+ team - it seems I was wrong after all.

-----Original Message-----
From: Dan Stromberg [mailto:strombrg () nis acs uci edu]
Sent: Thursday, January 04, 2001 5:19 PM
To: Bryan Porter
Subject: Re: gtk+ security hole.


How surprising to see a Qt rant in there.  :-S

Actually, I wouldn't recommend running Qt setuid either.  GUI programs
shouldn't be setuid.  Look at all the trouble we've had with xterm.
It should have had a setuid helper program from the beginning.

On Wed, Jan 03, 2001 at 03:30:10PM -0600, Bryan Porter wrote:
I'm sorry, but this seems a bit much for me. My car has tires, and because
the tires are kind of bad and over-engineered, I should'nt drive over
because they might explode? What? Fix the tires. Same thing here.

"Don't make GTK+ program suid/setgid because it's based on another project
with multiple potential vulnerabilites." Absolutely ridiculous. "Our tires
suck because we bought cheap rubber." What?

Bottom line, if GTK+ is broken, fix it. And if it can't safely run suid,
then it is horribly broken. It's a graphic library for christs sake. And,
it so full of spaghetti code that it can't easily be fixed, then trash it.
But the excuses given are ridiculous, period. No professional project
ever stand for this level of ineptitude. Qt works fine suid. And it's

Dan Stromberg                                               UCI/NACS/DCS

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]