FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

uim -- privilege escalation vulnerability

Affected packages
ja-uim < 0.4.6

Details

VuXML ID fb03b1c6-8a8a-11d9-81f7-02023f003c9f
Discovery 2005-02-21
Entry 2005-03-01

The uim developers report:

Takumi ASAKI discovered that uim always trusts environment variables. But this is not correct behavior; sometimes environment variables shouldn't be trusted. This bug causes privilege escalation when libuim is linked against a setuid/setgid application. Since GTK+ prohibits setuid/setgid applications, the bug appears only in 'immodule for Qt' enabled Qt. (Normal Qt is also safe.)
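The class of fix the report implies, as an added example that is not uim's code or its actual patch: a library consults the environment only when the process is not running setuid/setgid. The variable name `EXAMPLE_PLUGIN_DIR`, the default path and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical built-in default used when the environment is not trusted. */
#define DEFAULT_PLUGIN_DIR "/usr/local/lib/example/plugins"

/* Real and effective IDs differ when a setuid/setgid binary is run by
 * another user; in that case the environment is controlled by the caller. */
static int ids_indicate_privilege(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

static int running_privileged(void)
{
    return ids_indicate_privilege(getuid(), geteuid(), getgid(), getegid());
}

/* Return the variable only when the caller's environment may be trusted. */
static const char *getenv_if_trusted(const char *name, int privileged)
{
    return privileged ? NULL : getenv(name);
}

/* Hypothetical library routine: pick a directory to load plugins from.
 * The environment override is honoured only for unprivileged processes. */
static const char *plugin_dir(int privileged)
{
    const char *dir = getenv_if_trusted("EXAMPLE_PLUGIN_DIR", privileged);
    return (dir != NULL && dir[0] == '/') ? dir : DEFAULT_PLUGIN_DIR;
}

int main(void)
{
    /* Constructed sample value standing in for a caller-supplied setting. */
    setenv("EXAMPLE_PLUGIN_DIR", "/tmp/constructed", 1);
    printf("unprivileged: %s\n", plugin_dir(0));
    printf("privileged:   %s\n", plugin_dir(1));
    printf("this process: %s\n", plugin_dir(running_privileged()));
    return 0;
}
```

The ID comparison does not cover a process that was started setuid/setgid and has since changed its IDs; on FreeBSD, issetugid(2) reports that case as well, and glibc provides secure_getenv(3) for the same purpose.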

References

Bugtraq ID 12604
CVE Name CVE-2005-0503
Message http://lists.freedesktop.org/pipermail/uim/2005-February/000996.html
URL http://secunia.com/advisories/13981