[Uim] uim-0.4.9.1 released
TOKUNAGA Hiroyuki
tkng at xem.jp
Wed Sep 28 05:46:08 PDT 2005
uim-0.4.9.1 is released. This release is a *security fix*.
http://uim.freedesktop.org/releases/uim-0.4.9.1.tar.gz
sha1sum:9037499c47187aeee758ee2bfd60ba9d7d4f40ec uim-0.4.9.1.tar.gz
All uim releases except 0.4.9.1 and 0.5.0.1 have a security hole.
If you are using a setuid/setgid application that is linked to libuim,
you have to upgrade uim.
Brief of the bug
================
Vulnerability : privilege escalation
Problem-Type : local
Masanari Yamamoto discovered incorrect use of environment
variables in uim. This bug causes privilege escalation if a setuid/setgid
application is linked to libuim.
This bug appears in 'immodule for Qt' enabled Qt. (Normal Qt is also
safe.) In some distributions, mlterm is also a setuid/setgid
application.
Changes between 0.4.9 and 0.4.9.1
=================================
* Fixed incorrect use of environment variables.
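
Added example (not part of the original announcement and not uim's actual patch): a general defensive pattern for library code that may be linked into setuid/setgid programs, which ignores environment variables when the real and effective IDs differ. The names `EXAMPLE_PLUGIN_DIR`, `plugin_dir`, `env_for` and the default path are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Real and effective IDs, passed explicitly so the decision can be tested. */
struct creds { uid_t ruid, euid; gid_t rgid, egid; };

static struct creds current_creds(void)
{
    struct creds c = { getuid(), geteuid(), getgid(), getegid() };
    return c;
}

/* A setuid/setgid program runs with effective IDs that differ from the
 * real IDs of the user who started it and who controls the environment. */
static int runs_elevated(struct creds c)
{
    return c.ruid != c.euid || c.rgid != c.egid;
}

/* Environment lookup for library code: ignore the variable entirely
 * when the caller's environment crosses a privilege boundary. */
static const char *env_for(struct creds c, const char *name)
{
    return runs_elevated(c) ? NULL : getenv(name);
}

/* Hypothetical library routine: EXAMPLE_PLUGIN_DIR and the default path
 * are constructed names for this example, not uim's. */
static const char *plugin_dir(struct creds c)
{
    const char *dir = env_for(c, "EXAMPLE_PLUGIN_DIR");
    return dir ? dir : "/usr/lib/example/plugins";
}

int main(void)
{
    struct creds me = current_creds();
    printf("elevated=%d plugin_dir=%s\n", runs_elevated(me), plugin_dir(me));
    return 0;
}
```

On glibc, `secure_getenv()` provides a comparable check for processes started in secure-execution mode.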