Debian Bug report logs - #331620
uim: privilege escalation before 0.4.9.1

Package: uim; Maintainer for uim is NOKUBI Takatsugu <knok@daionet.gr.jp>; Source for uim is src:uim.

Reported by: Hidetaka Iwai <tyuyu@debian.or.jp>

Date: Tue, 4 Oct 2005 08:18:08 UTC

Severity: serious

Tags: patch, sarge, security

Fixed in version uim/1:0.4.7-2

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Hidetaka Iwai <tyuyu@debian.or.jp>, Masahito Omote <omote@debian.org>:
Bug#331620; Package uim.


Acknowledgement sent to Hidetaka Iwai <tyuyu@debian.or.jp>:
New Bug report received and forwarded. Copy sent to Hidetaka Iwai <tyuyu@debian.or.jp>, Masahito Omote <omote@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Hidetaka Iwai <tyuyu@debian.or.jp>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: uim: privilege escalation before 0.4.9.1
Date: Tue, 04 Oct 2005 17:13:17 +0900 (JST)
Package: uim
Severity: serious
Tags: security

All uim releases before 0.4.9.1 have a security bug, which causes
privilege escalation if applications linked to libuim are set
setuid/setgid.

For more detail, please see:
http://lists.freedesktop.org/pipermail/uim/2005-September/001346.html

Best regards,
--
 Hidetaka Iwai
 tyuyu@debian.or.jp

Information forwarded to debian-bugs-dist@lists.debian.org, Masahito Omote <omote@debian.org>:
Bug#331620; Package uim.


Acknowledgement sent to Hidetaka Iwai <tyuyu@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to Masahito Omote <omote@debian.org>.


Message #10 received at submit@bugs.debian.org:

From: Hidetaka Iwai <tyuyu@debian.or.jp>
To: submit@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#331620: uim: privilege escalation before 0.4.9.1
Date: Tue, 04 Oct 2005 18:08:30 +0900 (JST)
tags 331620 patch
thanks

I made the patch from uim-0.4.9 and uim-0.4.9.1.  With this patch,
update-uim-config prints some warning messages (Broken Pipe), but this
will fix the security problem.

In Debian, mlterm is installed with setgid, and I'm afraid mlterm is
affected by this bug.

Best regards,
--
 Hidetaka Iwai
 tyuyu@debian.or.jp


[fix_privilege_escalation.patch (text/plain, inline)]
diff -urN uim-0.4.9/scm/custom-rt.scm uim-0.4.9.1/scm/custom-rt.scm
--- uim-0.4.9/scm/custom-rt.scm	2005-09-05 23:11:28.000000000 +0900
+++ uim-0.4.9.1/scm/custom-rt.scm	2005-09-27 06:04:35.000000000 +0900
@@ -74,7 +74,8 @@
 		(cons filename custom-required-custom-files)))
       (let* ((post-groups (custom-list-primary-groups))
 	     (new-groups (list-tail post-groups (length pre-groups))))
-	(if (not (getenv "LIBUIM_VANILLA"))
+	(if (and (not (getenv "LIBUIM_VANILLA"))
+		 (not (is-set-ugid?)))
 	    (for-each custom-load-group-conf
 		      (reverse new-groups)))))))
 
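Review bot: the `(is-set-ugid?)` call added to the `and` condition is not defined anywhere in this patch; the C hunks only add `uim_helper_is_setugid`, so please confirm that `is-set-ugid?` is already bound in the Scheme environment of 0.4.9 before custom-rt.scm runs, otherwise this branch fails on an unbound symbol instead of skipping the load. A one-line comment above the `if` saying that per-user group configuration is skipped for setuid/setgid processes would also explain why the test sits next to the LIBUIM_VANILLA check.
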
diff -urN uim-0.4.9/uim/uim-custom.c uim-0.4.9.1/uim/uim-custom.c
--- uim-0.4.9/uim/uim-custom.c	2005-08-25 06:09:30.000000000 +0900
+++ uim-0.4.9.1/uim/uim-custom.c	2005-09-28 19:37:09.000000000 +0900
@@ -826,7 +826,11 @@
 uim_bool
 uim_custom_load(void)
 {
-  return for_each_primary_groups(uim_custom_load_group);
+  if(uim_helper_is_setugid() ==UIM_FALSE) {
+    return for_each_primary_groups(uim_custom_load_group);
+  } else {
+    return UIM_FALSE;
+  }
 }
 
 static uim_bool
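
Review bot: in uim_custom_load() the setugid branch returns UIM_FALSE, the same value callers get when loading genuinely fails, so a caller cannot tell "refused because the process is setuid/setgid" from an error and may report a failure. Please state this in the function's comment, or have callers test uim_helper_is_setugid() themselves before calling. Style: `if(uim_helper_is_setugid() ==UIM_FALSE)` is missing spaces after `if` and around `==`.
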
@@ -892,7 +896,11 @@
 uim_bool
 uim_custom_save(void)
 {
-  return for_each_primary_groups(uim_custom_save_group);
+  if(uim_helper_is_setugid() ==UIM_FALSE) {
+    return for_each_primary_groups(uim_custom_save_group);
+  } else {
+    return UIM_FALSE;
+  }
 }
 
 /**
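
Review bot: uim_custom_save() repeats the guard from uim_custom_load() line for line; a small static helper that performs the setugid test and then calls `for_each_primary_groups` would keep the two entry points in step and make it harder for a later caller of for_each_primary_groups to miss the check. The refusal to write under setuid/setgid should also be mentioned in the documentation of uim_custom_save(), since it changes the meaning of a UIM_FALSE return.
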
diff -urN uim-0.4.9/uim/uim-helper.c uim-0.4.9.1/uim/uim-helper.c
--- uim-0.4.9/uim/uim-helper.c	2005-08-25 05:44:56.000000000 +0900
+++ uim-0.4.9.1/uim/uim-helper.c	2005-09-28 19:33:24.000000000 +0900
@@ -209,6 +209,17 @@
   return NULL;
 }
 
+/* Interface function for is_setugid. */
+uim_bool
+uim_helper_is_setugid(void)
+{
+  if(is_setugid() != 0) {
+    return UIM_TRUE;
+  } else {
+    return UIM_FALSE;
+  }
+}
+
 int
 is_setugid(void)
 {
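
Review bot: uim_helper_is_setugid() is inserted above the definition of is_setugid(), which only starts in the context lines that follow, so the call in `if(is_setugid() != 0)` depends on a prototype being in scope earlier, and this patch adds none. Please confirm one is visible from an included header, or move the wrapper below is_setugid(). The comment "Interface function for is_setugid" could also say that UIM_TRUE means the process is running setuid or setgid.
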
diff -urN uim-0.4.9/uim/uim-helper.h uim-0.4.9.1/uim/uim-helper.h
--- uim-0.4.9/uim/uim-helper.h	2005-08-25 05:44:56.000000000 +0900
+++ uim-0.4.9.1/uim/uim-helper.h	2005-09-28 19:32:26.000000000 +0900
@@ -59,6 +59,9 @@
 void uim_helper_buffer_shift(char *buf, int count);
 char *uim_helper_buffer_get_message(char *buf);
 
+uim_bool
+uim_helper_is_setugid(void);
+
 #ifdef __cplusplus
 }
 #endif
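
Review bot: the new prototype carries no comment saying what UIM_TRUE means, and it puts the return type on its own line while the neighbouring declarations such as `void uim_helper_buffer_shift(char *buf, int count);` are written on one line. Suggest `uim_bool uim_helper_is_setugid(void);` on a single line with a short comment that it reports whether the calling process is setuid/setgid.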

Tags added: patch Request was from Hidetaka Iwai <tyuyu@debian.or.jp> to control@bugs.debian.org.


Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.


Notification sent to Hidetaka Iwai <tyuyu@debian.or.jp>:
Bug acknowledged by developer.


Message #17 received at 331620-done@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 331620-done@bugs.debian.org
Subject: Re: uim: privilege escalation before 0.4.9.1
Date: Fri, 4 Nov 2005 18:29:33 -0800
Version: 1:0.4.7-2

According to the package changelog, this bug is reported to be fixed in
1:0.4.7-2, but the bug was not closed due to a syntax error in the
changelog.  The changelog entry is as follows:

uim (1:0.4.7-2) unstable; urgency=high

  * Added debian/patches/08_fix_privilage_escalation_CVE_2005_3149.
    - CAN-2005-3149.
    - [security] uim does not handle the LIBUIM_VANILLA environment variable
      when a suid or sgid application is linked to libuim, such as immodule
      for Qt and mlterm, which allows local users to gain privileges.
      (closes Bug#331620).
  * Fix typo in update-uim-config.

 -- Masahito Omote <omote@debian.org>  Mon, 17 Oct 2005 13:40:01 +0900

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Bug reopened, originator not changed. Request was from Masahito Omote <omote@debian.org> to control@bugs.debian.org.


Tags added: sarge Request was from Masahito Omote <omote@debian.org> to control@bugs.debian.org.


Bug marked as fixed in version 1:0.4.7-2, send any further explanations to Hidetaka Iwai <tyuyu@debian.or.jp> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 19:49:13 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:45:03 2025; Machine Name: buxtehude
