[Uim] uim 0.5.0.1 released

TOKUNAGA Hiroyuki tkng at xem.jp
Wed Sep 28 05:46:19 PDT 2005


uim-0.5.0.1 is released. This release is a *security fix*.

 http://uim.freedesktop.org/releases/uim-0.5.0.1.tar.gz
 sha1sum:d489003205c0e3a24d611e72d0b780ce35bf7474  uim-0.5.0.1.tar.gz

All uim releases except 0.4.9.1 and 0.5.0.1 have a security hole.

If you are using a setuid/setgid application that is linked to libuim,
you have to upgrade uim.

Brief description of the bug
============================

Vulnerability  : privilege escalation
Problem-Type   : local

Masanari Yamamoto discovered incorrect use of environment variables
in uim. This bug causes privilege escalation if a setuid/setgid
application is linked to libuim.

This bug appears in Qt with 'immodule for Qt' enabled. (Normal Qt is
safe.) In some distributions, mlterm is also a setuid/setgid
application.


Changes from 0.5.0 to 0.5.0.1
=============================

* Fixed incorrect use of environment variables.
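
The bug class described above (a library trusting environment variables
inside a setuid/setgid process) is commonly closed with a guard like the
one below. This is an added example, not uim's code or its actual fix;
EXAMPLE_PLUGIN_DIR, the default path and the function names are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Built-in fallback used when the environment must not be trusted
 * (hypothetical path, not a uim path). */
#define DEFAULT_PLUGIN_DIR "/usr/lib/example/plugins"

/* True when real and effective IDs differ: the process was started from a
 * setuid or setgid binary, so its environment was set by a less privileged
 * caller. */
int ids_are_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* getenv() replacement for library code: yields NULL in an elevated process. */
const char *env_unless_elevated(const char *name, int elevated)
{
    if (elevated)
        return NULL;
    return getenv(name);
}

/* Resolve the plugin directory. EXAMPLE_PLUGIN_DIR (hypothetical variable)
 * is honoured only in an ordinary process and only if it is an absolute
 * path; otherwise the built-in default is used. */
const char *plugin_dir(int elevated)
{
    const char *dir = env_unless_elevated("EXAMPLE_PLUGIN_DIR", elevated);
    if (dir == NULL || dir[0] != '/')
        return DEFAULT_PLUGIN_DIR;
    return dir;
}

int main(void)
{
    int elevated = ids_are_elevated(getuid(), geteuid(), getgid(), getegid());
    printf("elevated=%d plugin_dir=%s\n", elevated, plugin_dir(elevated));
    return 0;
}
```

On glibc 2.17 and later, secure_getenv() makes the same decision from the
kernel's AT_SECURE flag, which also covers binaries that gain privilege
through file capabilities rather than a uid/gid change.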


