GTK interface runs as root and allows arbitrary code execution via the GTK_MODULES environmental variable.
Bug #932593 reported by
Zubin Mithra
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| ktsuss (Ubuntu) |
Triaged
|
Undecided
|
Unassigned | ||
Bug Description
The issue was reported here, http://
Ubuntu versions affected seem to be http://
CVE References
Revision history for this message
| Zubin Mithra (zubin-mithra) wrote | #1 |
| visibility: | private → public |
| Changed in ktsuss (Ubuntu): | |
| status: | New → Triaged |
To post a comment you must log in.
suggesting removal of the package from the repository due to the following reasons :-
[ ] Its a setuid GTK binary, http://
[ ] Its not maintained anymore
[ ] Correcting 2011-2922 would require a huge about of code-rewrite
[ ] exploiting the vulnerability is not too complicated.
The codebase basically seems to have design security issues, which would make it pretty time-consuming to fix.