From: Havoc Pennington <hp@redhat.com>
To: editor@lwn.net
Subject: Turbo gtk update does nothing useful
Date: 09 Jun 2001 18:22:53 -0400

Hi,

Just a heads-up, see http://www.gtk.org/setuid.html. Turbo has discovered a well-known non-issue; GTK_MODULES is not a security hole unless Turbo contains setuid binaries using GTK, in which case those binaries are a gaping security hole both before and after their GTK patch. Other distributions should not feel the need to patch GTK in this way. It is a completely useless patch.

If you follow the link in Turbo's advisory, http://www.securityfocus.com/vdb/bottom.html?vid=2165, you can read the Bugtraq thread where it was made very clear that this is not a security issue, though setuid binaries using GTK may be such an issue.

For those concerned about accidentally using a setuid binary with GTK, note that GTK 1.2.10 will refuse to start up at all if the binary is setuid. But the security hole is still in the setuid binary, not in GTK; 1.2.10's behavior is intended purely to discourage the ignorant from making their apps setuid, rather than to "fix" GTK.

The statements at http://www.gtk.org/setuid.html apply equally to any large library; this is not a GTK-specific point.

Havoc
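The point Havoc makes is that an environment variable naming shared objects to load (GTK_MODULES, or any library's equivalent) is only dangerous when the process holding the privilege did not also choose its environment, which is exactly the situation in a setuid binary. The following is an added example written for this page; it is not GTK's code, and the real/effective id comparison is an assumed way of implementing "refuse to start up if the binary is setuid". All function names, the 128-byte entry limit and the sample module strings are hypothetical.

```c
/* Added example, not GTK's own code: how a library can detect that it
 * has been loaded into a setuid/setgid binary and refuse to honour an
 * environment variable such as GTK_MODULES that names shared objects
 * to dlopen(). The id comparison is an assumed implementation of
 * "refuse to start up if the binary is setuid"; names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Pure comparison so the policy can be exercised with constructed ids:
 * a mismatch between real and effective uid or gid means the process
 * holds privilege its invoker did not have. */
int ids_indicate_setuid(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* The check a library would run at initialisation on the live process. */
int running_setuid(void)
{
    return ids_indicate_setuid(getuid(), geteuid(), getgid(), getegid());
}

/* Return the colon-separated module list the application may load, or
 * NULL if the environment must not be trusted. The invoker of a setuid
 * binary controls its environment, so any path named there would be
 * dlopen()ed with elevated privilege. That hole lives in the decision
 * to make the binary setuid, not in the library honouring the variable. */
const char *trusted_module_list(const char *env_value, int setuid)
{
    if (setuid)
        return NULL;
    if (env_value == NULL || env_value[0] == '\0')
        return NULL;
    return env_value;
}

/* Split a colon-separated list into at most `max` entries stored in
 * caller-owned 128-byte buffers; returns the number of entries found.
 * Empty fields are skipped. This mirrors the usual parsing step before
 * each entry is handed to dlopen(). */
int split_module_list(const char *list, char out[][128], int max)
{
    int n = 0;
    if (list == NULL)
        return 0;
    while (*list != '\0' && n < max) {
        const char *colon = strchr(list, ':');
        size_t len = colon ? (size_t)(colon - list) : strlen(list);
        if (len > 0) {
            if (len >= 128)
                len = 127;           /* truncate over-long entries */
            memcpy(out[n], list, len);
            out[n][len] = '\0';
            n++;
        }
        if (colon == NULL)
            break;
        list = colon + 1;
    }
    return n;
}

int main(void)
{
    char mods[8][128];
    int setuid = running_setuid();

    if (setuid) {
        /* The behaviour described for GTK 1.2.10: do not start at all. */
        fprintf(stderr, "refusing to start: real and effective ids differ\n");
        return 1;
    }
    const char *list = trusted_module_list(getenv("GTK_MODULES"), setuid);
    int n = split_module_list(list, mods, 8);
    for (int i = 0; i < n; i++)
        printf("would dlopen(\"%s\")\n", mods[i]);
    if (n == 0)
        puts("no modules requested");
    return 0;
}
```

Run it as an ordinary user and it lists whatever GTK_MODULES names; copy the binary, chown it to root and set the setuid bit, and it exits before looking at the environment at all. The check is cheap, but it is only a tripwire: a binary that needs to run setuid still has to treat every environment variable, including ones its libraries read, as attacker input.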