Published: 2011/09/02  Last Updated: 2011/09/02

JVN#58019849
GTK+ may insecurely load dynamic libraries

Overview

GTK+ may use an unsafe method to determine where the DLLs it depends on are loaded from.

Products Affected

  • GTK+ versions prior to 2.21.8

Description

GTK+ is a toolkit for developing applications with graphical user interfaces. GTK+ contains an issue in how it handles the DLL search path: a library that is requested by file name rather than by a fixed, trusted location may be resolved from a directory that an attacker can write to (for example the current working directory), so an attacker-supplied library may be loaded in place of the intended one.
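The pattern behind this class of issue is a bare-name load such as LoadLibraryA("some.dll"), which lets the Windows loader walk its default search order (including the current working directory) before it reaches the real library. The following is an added example, not code from GTK+ or from this advisory, showing the hardening a developer would apply on their own side: accept only bare module names, anchor them to one trusted directory, and remove the current directory from the process-wide search order before loading. The function names (trusted_dll_path, load_system_dll) and the module name "example.dll" are hypothetical; SetDllDirectoryA, GetSystemDirectoryA and LoadLibraryExA are real Windows APIs and are only compiled on Windows.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Reject anything that is not a bare module file name. A path component
 * would let whoever controls the string escape the trusted directory. */
static int is_bare_module_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '\\') != NULL || strchr(name, '/') != NULL)
        return 0;
    if (strchr(name, ':') != NULL)        /* drive letter or NTFS stream */
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Build "<trusted_dir>\<name>" into out. Returns 1 on success, 0 if the
 * name is not a bare module name, trusted_dir is empty, or the result
 * would not fit in out. Hypothetical helper, not a GTK+ function. */
int trusted_dll_path(const char *trusted_dir, const char *name,
                     char *out, size_t outlen)
{
    size_t dlen, nlen;
    if (trusted_dir == NULL || out == NULL || !is_bare_module_name(name))
        return 0;
    dlen = strlen(trusted_dir);
    nlen = strlen(name);
    if (dlen == 0 || dlen + 1 + nlen + 1 > outlen)
        return 0;
    memcpy(out, trusted_dir, dlen);
    /* Add a separator unless trusted_dir already ends with one. */
    if (trusted_dir[dlen - 1] != '\\' && trusted_dir[dlen - 1] != '/')
        out[dlen++] = '\\';
    memcpy(out + dlen, name, nlen + 1);   /* includes the terminating NUL */
    return 1;
}

/* Load a DLL by bare name from the Windows system directory only.
 * Returns the module handle, or NULL on failure and on non-Windows builds.
 * Hypothetical helper, not a GTK+ function. */
void *load_system_dll(const char *name)
{
#ifdef _WIN32
    char sysdir[MAX_PATH];
    char full[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir)
        return NULL;
    /* An empty string removes the current working directory from the
     * default DLL search order for every later load in this process. */
    if (!SetDllDirectoryA(""))
        return NULL;
    if (!trusted_dll_path(sysdir, name, full, sizeof full))
        return NULL;
    /* With an absolute path the loader opens exactly this file instead of
     * searching for it; the vulnerable form would be LoadLibraryA(name). */
    return (void *)LoadLibraryExA(full, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
#else
    (void)name;
    return NULL;   /* no Windows DLL loader on this platform */
#endif
}

int main(void)
{
    char buf[64];
    /* "example.dll" is a placeholder module name, not a real GTK+ DLL. */
    if (trusted_dll_path("C:\\Windows\\System32", "example.dll", buf, sizeof buf))
        printf("would load %s\n", buf);
    if (!trusted_dll_path("C:\\Windows\\System32", "..\\evil.dll", buf, sizeof buf))
        printf("rejected ..\\evil.dll\n");
    return 0;
}
```

SetDllDirectoryA("") only affects the default search order for this process; dependencies of the loaded library are still resolved by the loader, so the same rule (bare names, one trusted directory) has to hold for every library the application and its toolkit pull in.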

Impact

An attacker who can place a crafted DLL in a directory that the search path reaches before the intended library may execute arbitrary code with the privileges of the application that uses GTK+.

Solution

Solution for developers using GTK+
Developers who use GTK+ should update to GTK+ 2.21.8 or later, the latest version available.

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Naoto Katsumi of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE CVE-2010-4831
JVN iPedia JVNDB-2011-000072