[Uim] uim- released

TOKUNAGA Hiroyuki tkng at xem.jp
Wed Sep 28 05:46:08 PDT 2005

uim- is released. This release is for *security fix*.

 sha1sum:9037499c47187aeee758ee2bfd60ba9d7d4f40ec  uim-

All uim releases except and have a security hole.

If you are using setuid/setgid application which is linked to libuim,
you have to upgrade uim.

Brief of the bug

Vulnerability  : privilege escalation
Problem-Type   : local

Masanari Yamamoto discovered that incorrect use of environment
variables in uim. This bug causes privilege escalation if setuid/setgid
applications was linked to libuim.

This bug appears in 'immodule for Qt' enabled Qt. (Normal Qt is also
safe.) In some distribution, mlterm is also an setuid/setgid

Changes between 0.4.9 to

* Fixed incorrect use of environment variables.

More information about the uim mailing list