I suppose it has to do with allowing libgtk3-nocsd to be preloaded (LD_PRELOAD), according to:
https://blog.fpmurphy.com/2012/09/all-about-ld_preload.html#:~:text=LD_PRELOAD%20is%20an%20optional%20environmental,is%20called%20preloading%20a%20library.

My LD_PRELOAD is set by default (not sure why) with libgtk3-nocsd.so.0 -- /etc/X11/Xsession.d/51gtk3-nocsd-detect.

This feels like such a security hole ... libgtk3-nocsd.so.0 can take over the machine if I ran anything with setuid. And what's worse, because it's set without an absolute path, one may create an "evil" libgtk3-nocsd.so.0 somewhere ahead of the intended one.

Am I missing something?

-- 
https://bugs.launchpad.net/bugs/1857022

Title:
  gtk3-nocsd preloads a setuid library
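An added example, not part of the original bug comment or of gtk3-nocsd: a small Python audit of an LD_PRELOAD value that reports, per entry, where a bare name resolves, whether the file is setuid or writable by others, and whether ld.so(8) would still load it in secure-execution mode. The helper name, result keys and default directory list are assumptions for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: typical Debian/Ubuntu x86-64 directories; the real search order is
# system-specific (LD_LIBRARY_PATH, ld.so.cache, then the defaults).
DEFAULT_DIRS = ["/lib/x86_64-linux-gnu", "/usr/lib/x86_64-linux-gnu", "/lib", "/usr/lib"]


def audit_preload(value, search_dirs=DEFAULT_DIRS):
    """Return one finding dict per LD_PRELOAD entry (hypothetical helper)."""
    findings = []
    # ld.so accepts both spaces and colons as separators in LD_PRELOAD.
    for entry in filter(None, re.split(r"[ :]+", value)):
        bare = "/" not in entry
        candidates = [os.path.join(d, entry) for d in search_dirs] if bare else [entry]
        # First match wins, so a same-named file in an earlier directory shadows later ones.
        path = next((p for p in candidates if os.path.isfile(p)), None)
        f = {"entry": entry, "bare_name": bare, "resolved": path,
             "setuid": False, "writable_by_others": False}
        if path:
            mode = os.stat(path).st_mode
            dir_mode = os.stat(os.path.dirname(path) or ".").st_mode
            f["setuid"] = bool(mode & stat.S_ISUID)
            # Conservative: group/world write on the file or its directory is flagged.
            f["writable_by_others"] = bool((mode | dir_mode) & (stat.S_IWGRP | stat.S_IWOTH))
        # ld.so(8), secure-execution mode: entries containing "/" are ignored; bare names
        # are loaded only from the standard directories and only if the file is setuid.
        f["kept_in_secure_mode"] = bool(bare and path and f["setuid"])
        findings.append(f)
    return findings


if __name__ == "__main__":
    # Constructed sample: two temp dirs stand in for an earlier and a later search dir.
    with tempfile.TemporaryDirectory() as early, tempfile.TemporaryDirectory() as late:
        for d in (early, late):
            open(os.path.join(d, "libgtk3-nocsd.so.0"), "wb").close()
        for finding in audit_preload("libgtk3-nocsd.so.0", [early, late]):
            print(finding)
        for finding in audit_preload(os.environ.get("LD_PRELOAD", "")):
            print(finding)
```

The `kept_in_secure_mode` flag is only meaningful when `search_dirs` lists the system's standard library directories.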
