Bug 20444 - Themes try to use files in /home/raster
Summary: Themes try to use files in /home/raster
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: gtk-engines
Version: 7.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Owen Taylor
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2000-11-06 23:27 UTC by Trond Eivind Glomsrxd
Modified: 2008-05-01 15:37 UTC (History)
1 user (show)

Clone Of:
Last Closed: 2000-11-07 15:40:56 UTC

Attachments (Terms of Use)

Description Trond Eivind Glomsrxd 2000-11-06 23:27:40 UTC
Some themes try to access files in /home/raster:

[teg@halden themes]$ find -type f |xargs grep /home/raster
./BeCool/gtk/gtkrc:#module_path ".:/home/raster/themes"
./Gradient/gtk/gtkrc:#module_path ".:/home/raster/themes"
./Notif/gtk/gtkrc:#module_path ".:/home/raster/themes"
./Notif/gtk/gtkrc:pixmap_path ".:/home/raster/themes"
./Pixmap/gtk/gtkrc:#module_path ".:/home/raster/themes"
./Redmond95/gtk/gtkrc:#module_path ".:/home/raster/themes"
./Redmond95/gtk/gtkrc:pixmap_path ".:/home/raster/themes"
[teg@halden themes]$

I discovered this when my computer tried mounting that directory...
Nalin, being the paranoid security guy he is, wonders if this means someone
owning that directory could explot this securitywise...

Comment 1 Owen Taylor 2001-01-17 19:33:37 UTC
Fixed in gtk-engines-0.10-11.

I don't believe there is a real security issue:

 a) The attacker would have to own /home/raster, which probably means
    they are root.

 b) There would have to be an exploitable buffer overflow in libjpeg
    or libpng, which would be a bigger problem for other reasons.
    (like email attachments)

Note You need to log in before you can comment on or make changes to this bug.