[Pkg-ime-devel] Re: Bug#296632: About uim security bug (CAN-2005-0503)

Ming Hua minghua@rice.edu
Fri, 25 Feb 2005 13:42:01 -0600


On Sat, Feb 26, 2005 at 03:37:14AM +0900, Masahito Omote wrote:
> On Fri, 25 Feb 2005 11:49:53 -0600
> Ming Hua <minghua@rice.edu> wrote:
> 
> > However after reading the detail about this bug
> > (http://lists.freedesktop.org/pipermail/uim/2005-February/000996.html),
> > I believe this bug won't affect Debian (at least not likely before sarge
> > is released).
> 
> Yes, this bug does not apply if only the official Debian package is installed.
> 
> > The reason is that this bug only affects ``Qt immodule'', and this is a
> > Qt 4 feature.  The official Qt 3 doesn't have such a feature, but there
> > is a patch for Qt 3 available, and I believe Mandrake has this patch
> > included.  However, from what I hear, the Qt 3 in Debian doesn't have
> > this patch (there is a wishlist bug filed, but I can't find it at the
> > moment).
> 
> This is because GTK does not permit setuid/setgid binaries, but in Qt
> it is permitted. I already uploaded the new uim binaries 0.4.6beta2-1
> and -2 before the CVE id was allocated. But this package is now in the
> NEW queue [1].
> 
> If this situation keeps going, I have to upload a 0.4.5.1 binary, but I'm
> busy because of the semester final exams (ending 3/18). If anyone can
> help me, please NMU 1:0.4.5.1-0.1.

Thanks for the explanation.  I am concerned about this mainly because I
know there is a team focusing on the security status of sarge (therefore
I was also posting to their mailing list).  Since this bug has a CAN
number, it's automatically imported to their watch list.  I am trying to
clarify the situation by saying it doesn't affect (official) sarge.

Of course it's still better to get the fix into sarge if possible.  But
since I'm not a DD I probably can't help much.

Good luck on your final exams. :-)

Ming
2005.02.25