[Pkg-ime-devel] Re: Bug#296632: About uim security bug (CAN-2005-0503)

Masahito Omote omote@utyuuzin.net
Sat, 26 Feb 2005 03:47:38 +0900 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

On Fri, 25 Feb 2005 11:49:53 -0600
Ming Hua <minghua@rice.edu> wrote:

> However after reading the detail about this bug
> (http://lists.freedesktop.org/pipermail/uim/2005-February/000996.html),
> I believe this bug won't affect Debian (at least not likely before sarge
> is released).

Yes, this bug does not affect if only Official Debian package is installed.

> The reason is that this bug only affects ``Qt immodule'', and this is a
> Qt 4 feature.  The official Qt 3 doesn't have such a feature, but there
> is a patch for Qt 3 avaiable, and I believe Mandrake has this patch
> included.  However, from what I hear, the Qt 3 in Debian doesn't have
> this patch (there is a wishlist bug filed, but I can't find it at the
> moment).

This is because GTK binary does not permit setuid/setgided binary but in Qt it is
permitted. I already uploaded new uim binary 0.4.6beta2-1 and -2 before CVE id is
allocated. But this package is now in NEW queue [1].

If this situation keeps going, I have to upload 0.4.5.1 binary but I'm busy because
of the semester final exams(ends in 3/18). If anyone can help me, please NMU 1:0.4.5.1-0.1.

[1] http://ftp-master.debian.org/new.html

uim (1:0.4.6beta2-1) unstable; urgency=high

  * New upstream release
  * From 0.4.6, uim supports plugin system and split Inputmethods(mainly for
    Japanese IMs) into plugins which is needed to link shared library. If
    you use following IMs, you have to install plugin packages.
    .
    Anthy: uim-anthy
    Canna: uim-canna
    SKK:   uim-skk
    PRIME: uim-prime
    m17nlibs: uim-m17nlib
  * New package libuim0-nox, libuim-nox-dev, libuim-nox-dbg which built
    without X11. This package is for those who want to use uim-fep only.
  * Urgency set high, because of privilage escalation is found in libuim0.
    This security hole only affects in setuid/setgid Qt apps using immodule
    for Qt(native Qt does not affect) and using setuid/setgid-ed application
    which linked against libuim installed by users from source. If you only
    use Debian packages, this security hole does not affect your system.
  * debian/uim-gtk2.0.menu: menu file for uim-im-switcher and uim-toolbar-gtk.
    (closes: Bug#284159)

 -- Masahito Omote <omote@debian.org>  Tue, 22 Feb 2005 03:44:09 +0900

Thanks,
- -- 
Masahito Omote(omote@utyuuzin.net, omote@sapmed.ac.jp, omote@debian.org)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCH3LK4QYOB7JaXPERAl81AKCfJvKT3z57FeNlS8qctlkcVL55awCgqSUg
WpzRK2nnxnM9pYkTFtTqOQY=
=Aj40
-----END PGP SIGNATURE-----