Bugtraq mailing list archives

Re: gtk+ security hole.


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Thu, 4 Jan 2001 11:36:38 -0800

Bryan Porter wrote:

> I'm sorry, but this seems a bit much for me. My car has tires, and because
> the tires are kind of bad and over-engineered, I shouldn't drive over 10MPH
> because they might explode? What? Fix the tires. Same thing here.
>
> "Don't make GTK+ program suid/setgid because it's based on another project
> with multiple potential vulnerabilities." Absolutely ridiculous. "Our tires
> suck because we bought cheap rubber." What?

That is a really silly analogy, but I'll play along. The GTK+ guys
are saying something more like, "Our tires were designed to be used on
roads. If you drive them off-road over a field of sharp jagged rocks,
they might and probably will fail. Don't use our tires off-road. We do
not plan on producing off-road tires, nor is it practical to modify
existing tires for off-road use."

> Bottom line, if GTK+ is broken, fix it. And if it can't safely run suid,
> then it is horribly broken.

This is not true. GTK+ is not designed to be run setuid. It cannot be
safely run setuid. This does not mean it is broken, it means that it can't
do something it was not meant to. Along the same lines, it is generally
accepted that setuid shell scripts are not safe. Does this mean the shells
are broken?

The mail from the GTK+ developers was quite frank and refreshing. Their
recommendations were simply sound, widely accepted, secure coding practices.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
