[Uim] uim-0.4.9.1 released
tkng at xem.jp
Wed Sep 28 05:46:08 PDT 2005
uim-0.4.9.1 is released. This release is for *security fix*.
All uim releases except 0.4.9.1 and 0.5.0.1 have a security hole.
If you are using setuid/setgid application which is linked to libuim,
you have to upgrade uim.
Brief of the bug
Vulnerability : privilege escalation
Problem-Type : local
Masanari Yamamoto discovered that incorrect use of environment
variables in uim. This bug causes privilege escalation if setuid/setgid
applications was linked to libuim.
This bug appears in 'immodule for Qt' enabled Qt. (Normal Qt is also
safe.) In some distribution, mlterm is also an setuid/setgid
Changes between 0.4.9 to 0.4.9.1
* Fixed incorrect use of environment variables.
More information about the uim