Advisories

Mandriva Advisories

Package name: gtk+
Date: July 9th, 2001
Advisory ID: MDKSA-2001:061-1
Affected versions: 7.2, 8.0
Synopsis: Updated gtk+ packages are gpg signed

Problem Description

A vulnerability exists in the GTK+ toolkit: the GTK_MODULES environment
variable allows a local user to supply a directory path to a module that
does not need to be associated with GTK+. An attacker could therefore
create a custom module and have the toolkit load it, which could result
in elevated privileges, the overwriting of system files, and the
execution of malicious code.

Update:

The packages for 7.2 and Single Network Firewall 7.2 were not signed
with our GnuPG key. Please note the changed MD5 values of the packages
below.

Updated Packages

Mandrakelinux 7.2

9b19591cc08f7956fa46debc38626e69  7.2/RPMS/gtk+-1.2.8-6.1mdk.i586.rpm
bbaabd35e47f34e46c85c4f4994ef176  7.2/RPMS/gtk+-devel-1.2.8-6.1mdk.i586.rpm
c235f8c4dfebdae85d465847111c25da  7.2/SRPMS/gtk+-1.2.8-6.1mdk.src.rpm

Mandrakelinux 8.0

e69d344008f0586107848110bcde1832  8.0/RPMS/libgtk+1.2-1.2.10-1.1mdk.i586.rpm
63adf2b8a89cc2908379f8fba14dab70  8.0/RPMS/libgtk+1.2-devel-1.2.10-1.1mdk.i586.rpm
603dd72d9b9faf7f8a236c8f23fcd124  8.0/SRPMS/gtk+-1.2.10-1.1mdk.src.rpm

References

http://www.securityfocus.com/vdb/bottom.html?vid=2165

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

    rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, verification of the MD5 checksum and GPG signature is performed automatically for you.
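
For manual verification, the script below combines both checks from this section; it is an added example, not part of the Mandriva advisory. It compares each downloaded file against the MD5 values listed under "Updated Packages" and then requires `rpm --checksig` to report a verified signature, because an unsigned package (the case this update corrects) can still pass the digest check. The function names, the listing file and the accepted output tokens (`gpg`, `pgp`, `signatures`) are assumptions about the reader's setup and rpm version.

```shell
#!/bin/sh
# Added example, not Mandriva's code; all function names are hypothetical.
# Assumes GNU md5sum and an rpm binary on PATH.

# md5_matches FILE EXPECTED: true only if FILE exists and its MD5 is EXPECTED.
md5_matches() {
    [ -f "$1" ] || return 1
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# sig_verified LINE: LINE is one line of `rpm --checksig` output.
# Assumption: a verified signature shows as a lowercase gpg/pgp token (older
# rpm) or "signatures" (newer rpm) and the line ends in "OK". An unsigned
# package prints only digest tokens, so it is rejected here.
sig_verified() {
    case "$1" in
        *"NOT OK"*) return 1 ;;
        *" OK") ;;
        *) return 1 ;;
    esac
    for tok in ${1##*: }; do
        case "$tok" in gpg|pgp|signatures) return 0 ;; esac
    done
    return 1
}

# verify_listing LISTING DIR: LISTING holds "md5  path" lines in the layout
# used under "Updated Packages"; the files are looked up by basename in DIR.
# Returns non-zero if any file is missing, altered, or not signature-verified.
verify_listing() {
    rc=0
    while read -r sum path; do
        [ -n "$sum" ] || continue
        file="$2/$(basename "$path")"
        if ! md5_matches "$file" "$sum"; then
            echo "MD5 mismatch or missing file: $file" >&2
            rc=1
        elif ! sig_verified "$(rpm --checksig "$file" 2>&1)"; then
            echo "no verified signature: $file" >&2
            rc=1
        fi
    done < "$1"
    return "$rc"
}
```

Save the advisory's MD5 lines to a file and call `verify_listing listing.txt ./downloads` (both names are placeholders); the signature step only passes once the Mandriva Security Team public key has been imported.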