Bugzilla – Bug 66448
VUL-0: CVE-2005-3149: uim: blindly trusting env. variables.
Last modified: 2021-09-28 08:06:59 UTC
Hello Mike, uim hast a security problem. http://lists.freedesktop.org/pipermail/uim/2005-February/000996.html
Created attachment 28796 [details] vendor-sec discussion
CAN-2005-0503
Fixed package submitted to STABLE: ------------------------------------------------------------------- Thu Feb 24 17:39:48 CET 2005 - mfabian@suse.de - Bugzilla #66448: update to 0.4.6 svn revision 714 to fix a security problem (CAN-2005-0503). ------------------------------------------------------------------- A version update is the easiest fix for STABLE, on top of the security update it fixes a few other problems as well (for example the error message when loading the canna plugin, canna is now temporarily disabled after the version update).
- added Andreas Jaeger to CC: because of version update after Beta1. - added Jürgen Weigert to CC: to check for crypto code (I think there isn't)
OK from my side, go ahead and submit - Jürgen will complain automatically;-)
SM-Tracker-577 Mike, do you know if we link libuim against setuid apps?
I'm not sure. mlterm links directly against uim, but mlterm is not suid because it uses libutempter. Apparently any suid Qt application could be a problem because any Qt applications can use uim via the Qt-Input-module plugin API. Do we have suid Qt applications?
Ah ok. I think we do not even have a handfull setuid qt apps... kdesu comes to my mind.
uim is not a crypto package.
we need a fix for older suse linux versions ... but no upgrade, patch only please.
Mike, any news about this issue?
I'll try next week.
Still no time.
ping
pong!
Mike, did you find the time (and your keyboard ;) to fix it?
Mike .. its been several months now. However, I just reviewed this bug ... SUSE itself does not ship "immodule for QT" apparently. Or are you aware of any setuid/setgid program using "uim" ? If not we could just resolve this to "fixed in STABLE".
Marcus> Mike .. its been several months now. It's not so easy because the upstream project didn't publish a patch and they didn't describe exactly what the problem was, only that it had something to do with environment variables. They just recommended to update to a newer version and you said we need a patch. I couldn't find time to investigate what the security problem was and make a patch myself. And I don't think this security problem in uim is very important. Marcus> However, I just reviewed this bug ... SUSE itself does not Marcus> ship "immodule for QT" apparently. We have it in SuSE Linux 9.2, but not in SLES9 and SuSE Linux 9.1. We might get it in to SLES9 later (unlikely but possible), see bug #60508. Marcus> Or are you aware of any setuid/setgid program using "uim" ? No, I don't think we have any. Marcus> If not we could just resolve this to "fixed in STABLE". That's OK with me of course, I am not especially keen to fix this with a patch.
In which package was it in 9.2? uim-qt is the only qt related module and it does not contain setuid binaries?
ok, this would need a QT or KDE program which is setuid and taking keyboard input. KDE checks against running setuid and setgid before creating any toplevel windows and terminates. setuid/setgid QT programs are not known to us. if you know otherwise, speak up and reopen, otherwise we mark this as "fixed in STABLE".
extracting a patch for this and applying it to older revisions is pretty trivial btw: http://lists.freedesktop.org/archives/uim-commit/2005-February/000556.html
Created attachment 39630 [details] uim-fix.patch
a second problem of same kind has CAN-2005-3149 (just for reference)
CVE-2005-3149: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)