[Uim] uim released

TOKUNAGA Hiroyuki tkng at xem.jp
Sun Feb 20 15:13:52 EET 2005

(Sorry if you recieved this mail twice.)

uim is released. This release is for *security fix*.

 sha1sum:4a113fc3472fdf7561eb2ad57af189f94a7b17ee  uim-

All uim except and 0.4.6beta1 have a security hole.

If you are using 'immodule for Qt' enabled Qt, you should upgrade your 
uim to or 0.4.6beta1. (We'll release 0.4.6beta1 ASAP.)

Brief of the bug

Vulnerability  : privilege escalation
Problem-Type   : local

Takumi ASAKI discovered that uim always trusts environment variables. 
But this is not correct behavior, sometimes environment variables 
shouldn't be trusted. This bug causes privilege escalation when libuim 
is linked against setuid/setgid application. Since GTK+ prohibits 
setuid/setgid applications, the bug appears only in 'immodule for Qt' 
enabled Qt. (Normal Qt is also safe.)

Changes between 0.4.5 to

* libuim
 - Check added before calling getenv and execlp.

* uim-skk
 - Don't read/save personal dictionary if uid and euid is different.

More information about the uim mailing list