Re: Claimed vulnerability in GTK_MODULES

[Havoc Pennington <hp redhat com>]

Pavel Machek <pavel ucw cz> writes: 
> With world-writable high scores, anyone can mess them up in less than
> minute.
> 
> Messing high scores with setgid gtk+ app would take half an hour. (to
> me).
> 
> Messing high scores with setgid gtk+ app with known-bugs-fixed gtk+
> would take at least five hours, probably many more.

And when we get a new known exploit every day, it goes back to half an
hour immediately. Not that this time difference is very important IMO;
if you're doing this kind of thing, you probably enjoy spending the
time. The real deterrent here is just that there aren't many
programmers with a clue who are sufficiently bored to spend half an
hour modifying solitaire scores. If they are that bored, I say they
probably need cheering up with some good high score table munging.

> You are not disabling important functionality. It is disabled only in
> cases of setuid programs.

i.e. all the gnome-games, for example. Yes it's important
functionality. I doubt that Chinese users would appreciate why their
input methods don't work with games and they can't enter any text; I
doubt that users would understand why themes don't work with games.

> Also remember that by killing buffer
> overruns and similar stuff in code, you are fixing real bugs. For
> almost every security hole closed, you have one bug fixed.

Of course if something is a bug, e.g. an overrun, we'll fix that
anyway. But we aren't going to fix bugs of the form "normally
legitimate functionality foo allows an exploit in setuid apps."  And
we are not going to treat overrun bugs as security issues, except in
special cases such as the gdk-pixbuf image loaders.

Havoc