GTK interface runs as root and allows arbitrary code execution via the GTK_MODULES environmental variable.
Bug #932593 reported by
Zubin Mithra
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ktsuss (Ubuntu) | Triaged | Undecided | Unassigned | |
Bug Description
The issue was reported here, http://
Ubuntu versions affected seem to be http://
CVE References
visibility: private → public
Changed in ktsuss (Ubuntu):
status: New → Triaged
Suggesting removal of the package from the repository due to the following reasons:
[ ] It's a setuid GTK binary, http://www.gtk.org/setuid.html
[ ] It's not maintained anymore
[ ] Correcting 2011-2922 would require a huge amount of code rewrite
[ ] Exploiting the vulnerability is not too complicated.
The codebase basically seems to have design security issues, which would make it pretty time-consuming to fix.