Your message dated Fri, 4 Nov 2005 18:29:33 -0800 with message-id <[EMAIL PROTECTED]> and subject line uim: privilege escalation before 0.4.9.1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 4 Oct 2005 08:12:52 +0000
Date: Tue, 04 Oct 2005 17:13:17 +0900 (JST)
Message-Id: <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: uim: privilege escalation before 0.4.9.1
X-Debbugs-CC: Hidetaka Iwai <[EMAIL PROTECTED]>
From: Hidetaka Iwai <[EMAIL PROTECTED]>
Package: uim
Severity: serious
Tags: security

All uim releases before 0.4.9.1 have a security bug, which causes
privilege escalation if applications linked to libuim are set
setuid/setgid.

For more detail, please see:
http://lists.freedesktop.org/pipermail/uim/2005-September/001346.html

Best regards,
--
Hidetaka Iwai
[EMAIL PROTECTED]

---------------------------------------
Received: (at 331620-done) by bugs.debian.org; 5 Nov 2005 02:29:33 +0000
Date: Fri, 4 Nov 2005 18:29:33 -0800
From: Steve Langasek <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: uim: privilege escalation before 0.4.9.1
Message-ID: <[EMAIL PROTECTED]>

Version: 1:0.4.7-2

According to the package changelog, this bug is reported to be fixed in
1:0.4.7-2, but the bug was not closed due to a syntax error in the
changelog. The changelog entry is as follows:

uim (1:0.4.7-2) unstable; urgency=high

  * Added debian/patches/08_fix_privilage_escalation_CVE_2005_3149.
    - CAN-2005-3149.
    - [security] uim does not handle the LIBUIM_VANILLA environment
      variable when a suid or sgid application is linked to libuim, such
      as immodule for Qt and mlterm, which allows local users to gain
      privileges. (closes Bug#331620).
  * Fix typo in update-uim-config.

 -- Masahito Omote <[EMAIL PROTECTED]>  Mon, 17 Oct 2005 13:40:01 +0900

Cheers,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
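
The changelog entry above concerns a library that consults an environment variable while loaded into a setuid/setgid program. The following C code is an added example, not uim's code and not the Debian patch: it shows the usual defensive gate a shared library puts in front of getenv(). The names struct creds, runs_privileged, trusted_getenv and env_switch are hypothetical, and LIBUIM_VANILLA appears only as the variable name from the changelog; its real semantics in uim are not modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Credentials a library can observe when it initialises (hypothetical type). */
struct creds { uid_t ruid, euid; gid_t rgid, egid; };

struct creds current_creds(void)
{
    struct creds c = { getuid(), geteuid(), getgid(), getegid() };
    return c;
}

/* 1 when real and effective IDs differ: the suid/sgid case from the changelog. */
int runs_privileged(const struct creds *c)
{
    return c->ruid != c->euid || c->rgid != c->egid;
}

/* The environment belongs to the invoking user, so a privileged process must
 * not let it steer library behaviour. glibc's secure_getenv() makes the same
 * decision from the kernel's exec-time AT_SECURE flag, which also covers
 * file capabilities. */
const char *trusted_getenv(const struct creds *c, const char *name)
{
    return runs_privileged(c) ? NULL : getenv(name);
}

/* Boolean switch read from the environment; when the variable is unset or
 * the process is privileged, the caller's fallback is used instead. */
int env_switch(const struct creds *c, const char *name, int fallback)
{
    const char *v = trusted_getenv(c, name);
    if (v == NULL)
        return fallback;
    return v[0] != '\0' && strcmp(v, "0") != 0;
}

int main(void)
{
    struct creds now = current_creds();
    struct creds suid = { 1000, 0, 1000, 1000 }; /* constructed: setuid-root, run by uid 1000 */
    printf("this process privileged: %d\n", runs_privileged(&now));
    printf("constructed setuid case honours LIBUIM_VANILLA: %s\n",
           trusted_getenv(&suid, "LIBUIM_VANILLA") ? "yes" : "no");
    return 0;
}
```

The fallback passed to env_switch should be whichever setting is safe for a privileged caller, since that is the value every setuid/setgid process will get.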