[Uim] [Security Fix] uim-0.4.6-beta2 is released

UTUMI Hirosi utuhiro78 at yahoo.co.jp
Sun Feb 20 16:57:06 EET 2005

// for cooker-i18n-ml (Mandrakelinux)


uim-0.4.6-beta2 is released. It includes a security fix.
Vulnerability  : privilege escalation
Problem-Type   : local

Takumi ASAKI discovered that uim always trusts environment variables. 
But this is not correct behavior, sometimes environment variables 
shouldn't be trusted. This bug causes privilege escalation when libuim 
is linked against setuid/setgid application. Since GTK+ prohibits 
setuid/setgid applications, the bug appears only in 'immodule for Qt' 
enabled Qt. (Normal Qt is also safe.)

Note: Mandrake's Qt packages don't include 'immodule for Qt'.

You can get the new SRPM for Cooker:

I've attached uim.spec.diff to this mail.

to UIM developers: Thank you for the great work!


Let's Celebrate Together!
Yahoo! JAPAN
-------------- next part --------------
A non-text attachment was scrubbed...
Name: uim.spec.diff.bz2
Type: application/octet-stream
Size: 734 bytes
Desc: uim.spec.diff.bz2
Url : http://lists.freedesktop.org/archives/uim/attachments/20050220/6c3bd12c/attachment.obj 

More information about the uim mailing list