[sylpheed-announce:00119] About GTK+ (Windows) DLL hijacking vulnerability
hiro-y at kcn.ne.jp
Tue Sep 6 16:10:28 JST 2011
Recently, a vulnerability of GTK+ about DLL hijacking was made public.
(the fix has already been made last year)
Sylpheed Win32 version uses GTK+ 2.10.14, so I've looked into the
source of GTK+ to check if it affects Sylpheed.
As a result, it affects Sylpheed as following:
1. GTK+(GDK) 2.10.14 does not have the affected code.
# gdk/win32/gdkevents-win32.c has a call of LoadLibrary(), but the
# portion of code will never be called
2. The GTK+ Windows theme module (libwimp.dll) has the code which will
be affected by the vulnerability.
3. Sylpheed loads plug-in DLLs, but they are accessed with full path,
so it is not vulnerable.
I have put the fixed module at the following location.
Please extract and overwrite it to your installed Sylpheed folder.
A fixed version of Sylpheed will be relased within several days.
Note: It is required to run Sylpheed with putting malicious DLL at the
same location as sylpheed.exe or its shortcut to make the attack
Hiroyuki Yamamoto <hiro-y at kcn.ne.jp>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 196 bytes
Desc: not available
More information about the Sylpheed-announce