Acknowledgement sent to Hidetaka Iwai <tyuyu@debian.or.jp>:
New Bug report received and forwarded. Copy sent to Hidetaka Iwai <tyuyu@debian.or.jp>, Masahito Omote <omote@debian.org>.
Package: uim
Severity: serious
Tags: security
All uim releases before 0.4.9.1 have a security bug, which causes
privilege escalation if applications linked to libuim are set
setuid/setgid.
For more detail, please see:
http://lists.freedesktop.org/pipermail/uim/2005-September/001346.html
Best regards,
--
Hidetaka Iwai
tyuyu@debian.or.jp
Information forwarded to debian-bugs-dist@lists.debian.org, Masahito Omote <omote@debian.org>: Bug#331620; Package uim.
Acknowledgement sent to Hidetaka Iwai <tyuyu@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to Masahito Omote <omote@debian.org>.
tags 331620 patch
thanks
I made the patch from uim-0.4.9 and uim-0.4.9.1. With this patch,
update-uim-config prints some warning messages (Broken Pipe), but this
will fix the security problem.
In Debian, mlterm is installed setgid, and I'm afraid mlterm is
affected by this bug.
Best regards,
--
Hidetaka Iwai
tyuyu@debian.or.jp
Version: 1:0.4.7-2
According to the package changelog, this bug is reported to be fixed in
1:0.4.7-2, but the bug was not closed due to a syntax error in the
changelog. The changelog entry is as follows:
uim (1:0.4.7-2) unstable; urgency=high
* Added debian/patches/08_fix_privilage_escalation_CVE_2005_3149.
- CAN-2005-3149.
- [security] uim does not handle the LIBUIM_VANILLA environment variable
when a suid or sgid application is linked to libuim, such as immodule
for Qt and mlterm, which allows local users to gain privileges.
(closes Bug#331620).
* Fix typo in update-uim-config.
-- Masahito Omote <omote@debian.org> Mon, 17 Oct 2005 13:40:01 +0900
Cheers,
--
Steve Langasek
Debian Developer
vorlon@debian.org
"Give me a lever long enough and a Free OS to set it on, and I can move the world."
http://www.debian.org/
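The changelog entry quoted above names the bug class: libuim read LIBUIM_VANILLA from the environment even when the process that loaded it was setuid or setgid, so a local user could steer privileged code (the setgid mlterm, or a suid program using the Qt immodule) just by exporting a variable before exec. The C program below is an example added by the editor; it is not uim's code and not the Debian patch 08_fix_privilage_escalation_CVE_2005_3149, which this page does not show. The function names are made up for illustration, and LIBUIM_VANILLA is treated as a bare on/off switch because its exact semantics are not described on this page. It places the vulnerable pattern beside the hardened one, which ignores user-controlled environment whenever real and effective credentials differ.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* declares setenv()/unsetenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Editor's example, not uim code. LIBUIM_VANILLA is modelled as a plain
 * "present or not" switch that changes what the library loads; the real
 * variable's meaning is an assumption here. */

/* A process runs with borrowed privilege when its real and effective
 * credentials differ, which is what happens inside a setuid/setgid
 * binary such as the setgid mlterm named in the report. */
int creds_privileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

int is_process_privileged(void)
{
    /* On Linux, getauxval(AT_SECURE) (what glibc's secure_getenv uses)
     * is the more complete test: it also covers file capabilities.
     * Comparing real and effective ids is the portable approximation. */
    return creds_privileged(getuid(), geteuid(), getgid(), getegid());
}

/* Vulnerable pattern described in the changelog: the variable is
 * honoured unconditionally, so an unprivileged local user can change
 * the behaviour of a setgid program that links the library. */
int vanilla_mode_vulnerable(void)
{
    return getenv("LIBUIM_VANILLA") != NULL;
}

/* Hardened pattern: user-controlled environment is ignored whenever the
 * process is privileged. The verdict is passed in as a parameter so the
 * policy can be exercised without installing a setgid binary. */
const char *env_unless_privileged(const char *name, int privileged)
{
    return privileged ? NULL : getenv(name);
}

int vanilla_mode_fixed(int privileged)
{
    return env_unless_privileged("LIBUIM_VANILLA", privileged) != NULL;
}

int main(void)
{
    setenv("LIBUIM_VANILLA", "1", 1);   /* what a local attacker controls */
    printf("vulnerable:            vanilla=%d\n", vanilla_mode_vulnerable());
    printf("fixed, as setgid:      vanilla=%d\n", vanilla_mode_fixed(1));
    printf("fixed, this process:   vanilla=%d\n",
           vanilla_mode_fixed(is_process_privileged()));
    return 0;
}
```

Build with cc -Wall and run as an ordinary user: the first and third lines print 1 and the second prints 0. Install the binary setgid and run it again and the third line drops to 0 while the vulnerable path still prints 1, which is exactly the exposure the report describes. In real library code on glibc, secure_getenv(3) applies this policy for you using AT_SECURE and is the call to prefer over getenv(3).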
Bug reopened, originator not changed.
Request was from Masahito Omote <omote@debian.org>
to control@bugs.debian.org.
Tags added: sarge
Request was from Masahito Omote <omote@debian.org>
to control@bugs.debian.org.
Bug marked as fixed in version 1:0.4.7-2, send any further explanations to Hidetaka Iwai <tyuyu@debian.or.jp>
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2007 19:49:13 GMT)