[Uim] Re: [i18n] [Security Fix] uim-0.4.6-beta2 is released

Thierry Vignaud tvignaud at mandrakesoft.com
Mon Feb 21 16:23:57 EET 2005


UTUMI Hirosi <utuhiro78 at yahoo.co.jp> writes:

> // for cooker-i18n-ml (Mandrakelinux)
> 
> Hi,
> 
> uim-0.4.6-beta2 is released. It includes a security fix.
> http://lists.freedesktop.org/pipermail/uim/2005-February/000996.html
> http://lists.freedesktop.org/pipermail/uim/2005-February/000999.html
> ---
> Vulnerability  : privilege escalation
> Problem-Type   : local
> 
> Takumi ASAKI discovered that uim always trusts environment variables. 
> But this is not correct behavior, sometimes environment variables 
> shouldn't be trusted. This bug causes privilege escalation when libuim 
> is linked against a setuid/setgid application. Since GTK+ prohibits 
> setuid/setgid applications, the bug appears only in 'immodule for Qt' 
> enabled Qt. (Normal Qt is also safe.)
> ---
> 
> Note: Mandrake's Qt packages don't include 'immodule for Qt'.
> 
> You can get the new SRPM for Cooker:
> http://prdownloads.sourceforge.net/mdk-ut/uim-0.4.6-1.beta2.1ut.src.rpm?download
> 
> I've attached uim.spec.diff to this mail.
> 
> to UIM developers: Thank you for the great work!
> 
> Enjoy,

btw, my upload script showed that some dependencies got removed (all
related to the fact that one gnome lib disappears from linkage):

--- uim-qt--requires.old        2005-02-21 15:14:43.158698296 +0100
+++ uim-qt--requires.new        2005-02-21 15:14:43.158698296 +0100
@@ -15,13 +15,11 @@
 libc.so.6(GLIBC_2.1.3)  
 libc.so.6(GLIBC_2.2)  
 libdl.so.2  
-libexpat.so.0  
 libfontconfig.so.1  
 libfreetype.so.6  
 libgcc_s.so.1  
 libgcc_s.so.1(GCC_3.0)  
 libjpeg.so.62  
-liblcms.so.1  
 libm.so.6  
 libmng.so.1  
 libpng.so.3  
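Review bot: the two sonames dropped in this hunk, libexpat.so.0 and liblcms.so.1, have no matching change in uim-qt itself visible on this page, so they are presumably transitive requirements that went away with the dropped GNOME library rather than something the Qt module stopped calling; before shipping, run `readelf -d` (or `ldd`) on the rebuilt uim-qt module and confirm that neither soname still appears as DT_NEEDED, otherwise the package installs cleanly but the immodule fails to load at runtime.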
@@ -35,4 +33,4 @@
 libz.so.1  
 rpmlib(CompressedFileNames) <= 3.0.4-1
 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
-uim = 0.4.6-0.svn0667.2mdk
+uim = 0.4.6
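Review bot: `-uim = 0.4.6-0.svn0667.2mdk` / `+uim = 0.4.6` drops the release from the inter-package dependency, so this uim-qt is satisfied by any uim build whose version is 0.4.6, including the earlier svn0667 snapshot that predates the security fix. Keep the subpackages in lockstep by writing it as `Requires: uim = %{version}-%{release}` in uim.spec, which is what the old value corresponds to, so that upgrading the Qt module also forces the fixed libuim onto the system.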
--- libuim0--requires.old       2005-02-21 15:14:43.380702248 +0100
+++ libuim0--requires.new       2005-02-21 15:14:43.380702248 +0100
@@ -2,12 +2,10 @@
 /sbin/ldconfig  
 libICE.so.6  
 libORBit-2.so.0  
-libORBitCosNaming-2.so.0  
 libSM.so.6  
 libX11.so.6  
 libart_lgpl_2.so.2  
 libatk-1.0.so.0  
-libaudiofile.so.0  
 libbonobo-2.so.0  
 libbonobo-activation.so.4  
 libbonoboui-2.so.0  
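Review bot: libORBitCosNaming-2.so.0 and libaudiofile.so.0 disappear while libORBit-2.so.0, libbonobo-2.so.0, libbonobo-activation.so.4 and libbonoboui-2.so.0 stay, so the core library libuim0 is still linked against the Bonobo/ORBit stack; the quoted mail refers to an attached uim.spec.diff that is not reproduced here, so the spec change that caused these removals cannot be checked against this list. Please include the relevant spec hunk (or the configure flag that changed) alongside the Requires diff so a reviewer can confirm the removals are intended and not a stale DT_NEEDED left by the removed library.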
@@ -21,23 +19,18 @@
 libdl.so.2  
 libdl.so.2(GLIBC_2.0)  
 libdl.so.2(GLIBC_2.1)  
-libesd.so.0  
 libgconf-2.so.4  
 libgdk-x11-2.0.so.0  
 libgdk_pixbuf-2.0.so.0  
-libglade-2.0.so.0  
 libglib-2.0.so.0  
 libgmodule-2.0.so.0  
 libgnome-2.so.0  
-libgnome-keyring.so.0  
 libgnomecanvas-2.so.0  
 libgnomeui-2.so.0  
 libgnomevfs-2.so.0  
 libgobject-2.0.so.0  
 libgthread-2.0.so.0  
 libgtk-x11-2.0.so.0  
-libhowl.so.0  
-libjpeg.so.62  
 libm.so.6  
 libm17n.so.0  
 libpanel-applet-2.so.0  
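Review bot: even with libesd.so.0, libglade-2.0.so.0, libgnome-keyring.so.0 and libhowl.so.0 gone, libuim0 still pulls libgtk-x11-2.0.so.0, libgnomeui-2.so.0, libgconf-2.so.4 and libpanel-applet-2.so.0 into every process that links libuim, which per the quoted advisory can include setuid/setgid programs; consider moving the GNOME applet/helper code into its own subpackage so that the core libuim0 Requires shrink to the X11/m17n set and the attack surface inside privileged processes shrinks with it. libjpeg.so.62 is dropped here but remains in the uim-qt list above, which is consistent with the two packages having separate link sets.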

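The bug class in the quoted advisory (a library that honours environment variables even when it has been loaded into a setuid/setgid process) is easy to reproduce in a few lines. The following is an added C example and not uim's own code; the variable name LIBUIM_PLUGIN_LIB_DIR, the default directory and the function names are assumptions made for illustration. It shows the naive policy beside a hardened one, with the decision kept in a pure function so the privileged case can be exercised without installing a setuid binary.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical names for illustration only; not uim's real variable or path. */
#define PLUGIN_ENV_VAR     "LIBUIM_PLUGIN_LIB_DIR"
#define DEFAULT_PLUGIN_DIR "/usr/lib/uim/plugin"

/*
 * The bug class the advisory describes: a library takes a search path from
 * the environment and uses it no matter who it is running as.  Inside a
 * setuid/setgid process the invoking user controls the environment, so they
 * can point privileged code at a directory of shared objects they wrote.
 */
const char *choose_plugin_dir_naive(const char *env_value)
{
    return (env_value != NULL && env_value[0] != '\0') ? env_value
                                                        : DEFAULT_PLUGIN_DIR;
}

/*
 * Privilege boundary check: the effective ids differ from the real ids of
 * the user who started the process.  Caveat: this misses privilege granted
 * via file capabilities rather than setuid/setgid bits; glibc's
 * secure_getenv(3), which consults AT_SECURE, covers that case as well.
 */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/*
 * Hardened policy, kept separate from process state so it can be tested
 * without actually being setuid: honour the override only in an
 * unprivileged process, and only when it is a non-empty absolute path.
 */
const char *choose_plugin_dir(const char *env_value, int privileged)
{
    if (privileged)
        return DEFAULT_PLUGIN_DIR;   /* never consult the environment here */
    if (env_value == NULL || env_value[0] != '/')
        return DEFAULT_PLUGIN_DIR;   /* unset, empty or relative: fall back */
    return env_value;
}

/* Wrappers that read the real environment, as a library entry point would. */
const char *plugin_dir_naive(void)
{
    return choose_plugin_dir_naive(getenv(PLUGIN_ENV_VAR));
}

const char *plugin_dir_hardened(void)
{
    return choose_plugin_dir(getenv(PLUGIN_ENV_VAR), running_privileged());
}

int main(void)
{
    /* Constructed attacker value: what a local user would export before
     * launching a setuid program that links the library. */
    const char *evil = "/tmp/evil-plugins";

    printf("setuid process, naive policy:     %s\n", choose_plugin_dir_naive(evil));
    printf("setuid process, hardened policy:  %s\n", choose_plugin_dir(evil, 1));
    printf("normal process, hardened policy:  %s\n", choose_plugin_dir(evil, 0));
    printf("this process privileged=%d, plugin dir from real environment: %s\n",
           running_privileged(), plugin_dir_hardened());
    return 0;
}
```

The design point is that choose_plugin_dir() is a pure function of (value, privileged): the trust decision can be unit-tested with privileged=1 even though the test runner is an ordinary process, and a library built this way calls the same function from its real entry point. On glibc, replacing getenv() with secure_getenv() in the wrapper also covers binaries that gained privilege through file capabilities, which the uid/gid comparison alone does not see. This is also why the advisory notes that GTK+ applications are unaffected: GTK+ refuses to run setuid at all, so the environment never reaches privileged code through that path.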