zhcon -- unauthorized file access

Martin Joey Schulze reports:

Erik Sjöund discovered that zhcon, a fast console CJK system using the Linux framebuffer, accesses a user-controlled configuration file with elevated privileges. Thus, it is possible to read arbitrary files.

When installed from the FreeBSD Ports Collection, zhcon is installed set-user-ID root.