[Uim] [Security Fix] uim-0.4.6-beta2 is released
UTUMI Hirosi
utuhiro78 at yahoo.co.jp
Sun Feb 20 16:57:06 EET 2005
// for cooker-i18n-ml (Mandrakelinux)
Hi,
uim-0.4.6-beta2 is released. It includes a security fix.
http://lists.freedesktop.org/pipermail/uim/2005-February/000996.html
http://lists.freedesktop.org/pipermail/uim/2005-February/000999.html
---
Vulnerability : privilege escalation
Problem-Type : local
Takumi ASAKI discovered that uim always trusts environment variables.
But this is not correct behavior; sometimes environment variables
shouldn't be trusted. This bug causes privilege escalation when libuim
is linked against a setuid/setgid application. Since GTK+ prohibits
setuid/setgid applications, the bug appears only in 'immodule for Qt'
enabled Qt. (Normal Qt is also safe.)
---
Note: Mandrake's Qt packages don't include 'immodule for Qt'.
You can get the new SRPM for Cooker:
http://prdownloads.sourceforge.net/mdk-ut/uim-0.4.6-1.beta2.1ut.src.rpm?download
I've attached uim.spec.diff to this mail.
To UIM developers: Thank you for the great work!
Enjoy,
Hirosi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: uim.spec.diff.bz2
Type: application/octet-stream
Size: 734 bytes
Desc: uim.spec.diff.bz2
Url : http://lists.freedesktop.org/archives/uim/attachments/20050220/6c3bd12c/attachment.obj
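
Added example, not part of the original mail and not uim's own code: a C sketch of the check a library can make before honoring an environment override when it may be loaded into a setuid/setgid process, as the advisory above describes. The variable name EXAMPLE_PLUGIN_DIR, the default path and all function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Compiled-in default; hypothetical path, not uim's. */
#define DEFAULT_PLUGIN_DIR "/usr/lib/example/plugins"

/* True when the real and effective IDs differ, i.e. the process was started
 * from a setuid/setgid binary and its environment is caller-controlled. */
int ids_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Caveat: this misses a program that already called setuid(geteuid()).
 * On glibc, secure_getenv(3) covers that case via the kernel's AT_SECURE flag. */
int process_is_elevated(void)
{
    return ids_elevated(getuid(), geteuid(), getgid(), getegid());
}

/* Honor the environment override only when the process is not elevated. */
const char *lookup_setting(const char *name, const char *fallback, int elevated)
{
    const char *value;

    if (elevated)
        return fallback;            /* ignore the environment entirely */
    value = getenv(name);
    return (value != NULL && *value != '\0') ? value : fallback;
}

/* EXAMPLE_PLUGIN_DIR is a hypothetical variable name used for illustration. */
const char *plugin_dir(void)
{
    return lookup_setting("EXAMPLE_PLUGIN_DIR", DEFAULT_PLUGIN_DIR,
                          process_is_elevated());
}

int main(void)
{
    printf("elevated=%d plugin_dir=%s\n", process_is_elevated(), plugin_dir());
    return 0;
}
```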