Bug 66448 (CVE-2005-3149)

Summary: VUL-0: CVE-2005-3149: uim: blindly trusting env. variables.
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Mike Fabian <mfabian>
Status: RESOLVED WONTFIX QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: aj, kde-maintainers, patch-request, ro, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: http://lists.freedesktop.org/pipermail/uim/2005-February/000996.html
Whiteboard: CVE-2005-3149: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: vendor-sec discussion
uim-fix.patch

Description Thomas Biege 2005-02-24 10:07:24 UTC 
Hello Mike, 
uim hast a security problem. 
 
http://lists.freedesktop.org/pipermail/uim/2005-February/000996.html
Comment 1 Thomas Biege 2005-02-24 10:08:55 UTC 
Created attachment 28796 [details]
vendor-sec discussion
Comment 2 Marcus Meissner 2005-02-24 13:34:21 UTC 
CAN-2005-0503
Comment 3 Mike Fabian 2005-02-24 16:48:59 UTC 
Fixed package submitted to STABLE:
-------------------------------------------------------------------
Thu Feb 24 17:39:48 CET 2005 - mfabian@suse.de

- Bugzilla #66448: update to 0.4.6 svn revision 714
  to fix a security problem (CAN-2005-0503).
-------------------------------------------------------------------

A version update is the easiest fix for STABLE, on top
of the security update it fixes a few other problems as well
(for example the error message when loading the canna plugin,
canna is now temporarily disabled after the version update).
Comment 4 Mike Fabian 2005-02-24 16:50:28 UTC 
- added Andreas Jaeger to CC: because of version update after Beta1.
- added Jürgen Weigert to CC: to check for crypto code
  (I think there isn't)
Comment 5 Andreas Jaeger 2005-02-25 13:00:46 UTC 
OK from my side, go ahead and submit - Jürgen will complain automatically;-)
Comment 6 Thomas Biege 2005-03-09 12:55:32 UTC 
SM-Tracker-577

Mike, do you know if we link libuim against setuid apps?
Comment 7 Mike Fabian 2005-03-09 13:38:25 UTC 
I'm not sure. mlterm links directly against uim, but mlterm is not
suid because it uses libutempter.

Apparently any suid Qt application could be a problem because
any Qt applications can use uim via the Qt-Input-module plugin API.

Do we have suid Qt applications?
Comment 8 Thomas Biege 2005-03-09 14:05:57 UTC 
Ah ok.

I think we do not even have a handfull setuid qt apps... kdesu comes to my mind.
Comment 9 Juergen Weigert 2005-03-09 14:21:34 UTC 
uim is not a crypto package.
Comment 10 Marcus Meissner 2005-03-14 14:28:19 UTC 
we need a fix for older suse linux versions ... but no upgrade, patch only 
please.
Comment 11 Thomas Biege 2005-04-12 14:37:14 UTC 
Mike,
any news about this issue?
Comment 12 Mike Fabian 2005-04-15 14:02:04 UTC 
I'll try next week.
Comment 13 Mike Fabian 2005-04-26 13:31:09 UTC 
Still no time.
Comment 14 Marcus Meissner 2005-05-12 14:10:17 UTC 
ping
Comment 15 Mike Fabian 2005-05-12 14:18:47 UTC 
pong!
Comment 16 Thomas Biege 2005-06-15 09:51:37 UTC 
Mike,
did you find the time (and your keyboard ;) to fix it?
Comment 17 Marcus Meissner 2005-06-21 16:12:11 UTC 
Mike .. its been several months now.  
 
However, I just reviewed this bug ... SUSE itself does not ship "immodule for 
QT" apparently. 
 
Or are you aware of any setuid/setgid program using "uim" ? 
 
If not we could just resolve this to "fixed in STABLE".
Comment 18 Mike Fabian 2005-06-21 16:42:50 UTC 
Marcus> Mike .. its been several months now.

It's not so easy because the upstream project didn't publish a patch
and they didn't describe exactly what the problem was, only that it
had something to do with environment variables.  They just recommended
to update to a newer version and you said we need a patch.

I couldn't find time to investigate what the security problem was
and make a patch myself. And I don't think this security problem
in uim is very important.

Marcus> However, I just reviewed this bug ... SUSE itself does not
Marcus> ship "immodule for QT" apparently.

We have it in SuSE Linux 9.2, but not in SLES9 and SuSE Linux 9.1.

We might get it in to SLES9 later (unlikely but possible), see bug #60508.

Marcus> Or are you aware of any setuid/setgid program using "uim" ? 

No, I don't think we have any.

Marcus> If not we could just resolve this to "fixed in STABLE". 

That's OK with me of course, I am not especially keen to fix
this with a patch.
Comment 19 Marcus Meissner 2005-06-22 07:39:22 UTC 
In which package was it in 9.2? 
 
uim-qt is the only qt related module and it does not contain setuid binaries?
Comment 20 Marcus Meissner 2005-06-22 07:57:01 UTC 
ok, this would need a QT or KDE program which is setuid and taking keyboard  
input.  
  
KDE checks against running setuid and setgid before creating any toplevel  
windows and terminates.  
  
setuid/setgid QT programs are not known to us.  
  
if you know otherwise, speak up and reopen, otherwise we mark this as "fixed  
in STABLE".
Comment 21 Dirk Mueller 2005-06-22 08:35:31 UTC 
extracting a patch for this and applying it to older revisions is pretty 
trivial btw:  
 
http://lists.freedesktop.org/archives/uim-commit/2005-February/000556.html
Comment 22 Marcus Meissner 2005-06-22 09:23:07 UTC 
Created attachment 39630 [details]
uim-fix.patch
Comment 23 Ludwig Nussel 2005-10-27 07:47:25 UTC 
a second problem of same kind has CAN-2005-3149 (just for reference)
Comment 24 Thomas Biege 2009-10-13 21:08:29 UTC 
CVE-2005-3149: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)