tags 331620 patch thanks I made this patch from the differences between uim-0.4.9 and uim-0.4.9.1. With this patch, update-uim-config prints some warning messages (Broken Pipe), but this will fix the security problem.
In Debian, mlterm is installed setgid, and I'm afraid mlterm is affected by this bug. Best regards, -- Hidetaka Iwai [EMAIL PROTECTED]
diff -urN uim-0.4.9/scm/custom-rt.scm uim-0.4.9.1/scm/custom-rt.scm
--- uim-0.4.9/scm/custom-rt.scm 2005-09-05 23:11:28.000000000 +0900
+++ uim-0.4.9.1/scm/custom-rt.scm 2005-09-27 06:04:35.000000000 +0900
@@ -74,7 +74,8 @@
 (cons filename custom-required-custom-files)))
 (let* ((post-groups (custom-list-primary-groups))
 (new-groups (list-tail post-groups (length pre-groups))))
- (if (not (getenv "LIBUIM_VANILLA"))
+ (if (and (not (getenv "LIBUIM_VANILLA"))
+ (not (is-set-ugid?)))
 (for-each custom-load-group-conf
 (reverse new-groups)))))))
 
diff -urN uim-0.4.9/uim/uim-custom.c uim-0.4.9.1/uim/uim-custom.c
--- uim-0.4.9/uim/uim-custom.c 2005-08-25 06:09:30.000000000 +0900
+++ uim-0.4.9.1/uim/uim-custom.c 2005-09-28 19:37:09.000000000 +0900
@@ -826,7 +826,11 @@
 uim_bool
 uim_custom_load(void)
 {
- return for_each_primary_groups(uim_custom_load_group);
+ if(uim_helper_is_setugid() ==UIM_FALSE) {
+ return for_each_primary_groups(uim_custom_load_group);
+ } else {
+ return UIM_FALSE;
+ }
 }
 
 static uim_bool
@@ -892,7 +896,11 @@
 uim_bool
 uim_custom_save(void)
 {
- return for_each_primary_groups(uim_custom_save_group);
+ if(uim_helper_is_setugid() ==UIM_FALSE) {
+ return for_each_primary_groups(uim_custom_save_group);
+ } else {
+ return UIM_FALSE;
+ }
 }
 
 /**
diff -urN uim-0.4.9/uim/uim-helper.c uim-0.4.9.1/uim/uim-helper.c
--- uim-0.4.9/uim/uim-helper.c 2005-08-25 05:44:56.000000000 +0900
+++ uim-0.4.9.1/uim/uim-helper.c 2005-09-28 19:33:24.000000000 +0900
@@ -209,6 +209,17 @@
 return NULL;
 }
 
+/* Interface function for is_setugid. */
+uim_bool
+uim_helper_is_setugid(void)
+{
+ if(is_setugid() != 0) {
+ return UIM_TRUE;
+ } else {
+ return UIM_FALSE;
+ }
+}
+
 int
 is_setugid(void)
 {
diff -urN uim-0.4.9/uim/uim-helper.h uim-0.4.9.1/uim/uim-helper.h
--- uim-0.4.9/uim/uim-helper.h 2005-08-25 05:44:56.000000000 +0900
+++ uim-0.4.9.1/uim/uim-helper.h 2005-09-28 19:32:26.000000000 +0900
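Review bot: In scm/custom-rt.scm the added `(not (is-set-ugid?))` test carries no comment saying why group configuration is skipped, and the reason is security-relevant: the files `custom-load-group-conf` reads are presumably per-user, so they are untrusted input for a set-user-ID or set-group-ID process. I would put `;; Never load per-user custom files when running setuid/setgid: the invoking user controls them.` directly above the `if`. `is-set-ugid?` is not defined anywhere in this patch, so confirm it is already exported to Scheme in 0.4.9, otherwise this branch fails at load time. The enclosing definition starts above the hunk.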
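Review bot: In uim/uim-custom.c, `uim_custom_load()` now returns `UIM_FALSE` for a setuid/setgid process, which a caller cannot tell apart from a real load failure; the `uim_custom_save()` hunk at -892 has the same shape. Refusing is the right fail-closed behaviour, but each function's doc comment (outside these hunks) should say so, for example `UIM_FALSE is also returned, without touching any file, when the process is setuid/setgid`. The guard covers only these two entry points: if `uim_custom_load_group`/`uim_custom_save_group` or the per-group file routines can be reached another way, the check belongs where the file is opened, which is worth confirming. As style, a guard clause reads better than the if/else: `if (uim_helper_is_setugid()) return UIM_FALSE;`.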
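Review bot: The comment on `uim_helper_is_setugid()` in uim/uim-helper.c says only that it wraps `is_setugid`, not what the result means to callers that gate file access on it. Any non-zero result from `is_setugid()` maps to `UIM_TRUE`, so an error return (if that function has one; its body is outside the hunk) is treated as privileged, which is the safe direction and worth writing down: `/* Returns UIM_TRUE when is_setugid() reports non-zero; callers must not read or write user-controlled files in that case. */`. The body can then be the single line `return is_setugid() != 0 ? UIM_TRUE : UIM_FALSE;`.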
@@ -59,6 +59,9 @@
 void uim_helper_buffer_shift(char *buf, int count);
 char *uim_helper_buffer_get_message(char *buf);
 
+uim_bool
+uim_helper_is_setugid(void);
+
 #ifdef __cplusplus
 }
 #endif
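Review bot: The new prototype in uim/uim-helper.h only helps uim/uim-custom.c if that file includes this header, and the patch adds no `#include` there; if it is not already included, the two new calls rely on an implicit declaration. Confirm the include exists or add `#include "uim-helper.h"` to uim-custom.c. A one-line comment on the prototype, such as `/* UIM_TRUE if the process runs setuid/setgid */`, would also tell users of the header what the check is for.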