gajim code execution and sql injection

Debian Bug report logs - #668038
gajim code execution and sql injection

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: submit@bugs.debian.org

Subject: gajim code execution and sql injection

Date: Sun, 8 Apr 2012 15:48:33 +0200

Package: gajim
Severity: grave
Tags: security

Hi,

Two security issues were reported in gajim: one user assisted code
execution and one an SQL injection:

- https://trac.gajim.org/ticket/7031
- https://trac.gajim.org/ticket/7034

They are fixed in gajim 0.15-1, which is in unstable and I've asked the
release team to increase the urgency value so it reaches testing sooner.
Can you please verify if the version in squeeze is indeed affected by
these issues and if so, are you able to provide an updated package? If
not, please also let the security team know.


Cheers,
Thijs

Message #10 received at 668038@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: 668038@bugs.debian.org

Subject: CVE names assigned

Date: Sun, 8 Apr 2012 18:41:56 +0200

Hi,

CVE-2012-2085 (code execution) and CVE-2012-2086 (sql injection) have been
assigned to this issue.Please mention them in any changelog entries.


cheers,
Thijs

Message #17 received at 668038-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 668038-close@bugs.debian.org

Subject: Bug#668038: fixed in gajim 0.13.4-3+squeeze2

Date: Mon, 16 Apr 2012 21:04:42 +0000

Source: gajim
Source-Version: 0.13.4-3+squeeze2

We believe that the bug you reported is fixed in the latest version of
gajim, which is due to be installed in the Debian FTP archive:

gajim_0.13.4-3+squeeze2.diff.gz
  to main/g/gajim/gajim_0.13.4-3+squeeze2.diff.gz
gajim_0.13.4-3+squeeze2.dsc
  to main/g/gajim/gajim_0.13.4-3+squeeze2.dsc
gajim_0.13.4-3+squeeze2_amd64.deb
  to main/g/gajim/gajim_0.13.4-3+squeeze2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 668038@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated gajim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 15 Apr 2012 20:35:02 +0000
Source: gajim
Binary: gajim
Architecture: source amd64
Version: 0.13.4-3+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Yann Leboulanger <asterix@lagaule.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 gajim      - Jabber client written in PyGTK
Closes: 668038 668710
Changes: 
 gajim (0.13.4-3+squeeze2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update fixes the following security issues:
     - CVE-2012-2086: SQL injections via jids in logging code
     - CVE-2012-2085: assisted code execution via crafted messages due
       to insecurely processing input with popen.
     - CVE-2012-2093: insecure use of temporary files when convering LaTeX
       IM messages to png images.
     (Closes: #668710, #668038)
Checksums-Sha1: 
 fd033c276b62fd97810eddfd5a49071f96650e38 1307 gajim_0.13.4-3+squeeze2.dsc
 4320ea4f1ed82340778633f3858b05d8b48bfab8 5135705 gajim_0.13.4.orig.tar.gz
 de7ea0863800fa4338a17d80a80c506f3ed023f6 9137 gajim_0.13.4-3+squeeze2.diff.gz
 47b7a2c63c6f77b07b5ef31ac419368d3bcd82e0 4326502 gajim_0.13.4-3+squeeze2_amd64.deb
Checksums-Sha256: 
 4a90dbe1b855199df521808194f20370fa32dd2028a4ffb5c65674cfed4eca13 1307 gajim_0.13.4-3+squeeze2.dsc
 70489184ac7829b6457b2bbe213669ca43c863bc4d96454c2a787a291cc75c67 5135705 gajim_0.13.4.orig.tar.gz
 f023a0ccb52969ddff49233ba6e66c507ed7af383776c197cd731ef95c65332e 9137 gajim_0.13.4-3+squeeze2.diff.gz
 230461ecb3f5cf3362668afdc97cc2cfc1e88333c82d333c1d6814a88d7be272 4326502 gajim_0.13.4-3+squeeze2_amd64.deb
Files: 
 c8e6eefa3304c70d49bb98a96ebe36a1 1307 net optional gajim_0.13.4-3+squeeze2.dsc
 83293c88fb5398b582f2cd71015dea72 5135705 net optional gajim_0.13.4.orig.tar.gz
 562848539a5f7d3e294883e8ec6b8044 9137 net optional gajim_0.13.4-3+squeeze2.diff.gz
 8fb8bb424df9714f2931e03f8b209c18 4326502 net optional gajim_0.13.4-3+squeeze2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk+LNYYACgkQHYflSXNkfP868QCgjIu1wn2MQ2w8awaaPj7GJE+9
KUEAoLNaIMkAuAh/xbnfZiAeToozuVQj
=+DGR
-----END PGP SIGNATURE-----

Message #22 received at 668038@bugs.debian.org (full text, mbox, reply):

From: Julian Taylor <jtaylor.debian@googlemail.com>

To: 668038@bugs.debian.org

Cc: Nico Golde <nion@debian.org>

Subject: regression on triggers

Date: Wed, 02 May 2012 21:12:29 +0200

[Message part 1 (text/plain, inline)]

the patch for the code execution probably contains a regression
I can't judge how severe it is or provide a testcase:

/usr/share/gajim/src/notify.py:323
command = gajim.config.get_per('notifications', str(advanced_notif_num),
        'command')
try:
        helpers.exec_command(obj.command, use_shell=True)
except Exception:
        pass


obj.command does not exist in 0.13.4, only in 0.15
it should probably be:

helpers.exec_command(command, use_shell=True)

[signature.asc (application/pgp-signature, attachment)]

Message #27 received at 668038@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: Julian Taylor <jtaylor.debian@googlemail.com>

Cc: 668038@bugs.debian.org

Subject: Re: regression on triggers

Date: Wed, 2 May 2012 23:01:35 +0200

[Message part 1 (text/plain, inline)]

Hi,
* Julian Taylor <jtaylor.debian@googlemail.com> [2012-05-02 21:17]:
> the patch for the code execution probably contains a regression
> I can't judge how severe it is or provide a testcase:
> 
> /usr/share/gajim/src/notify.py:323
> command = gajim.config.get_per('notifications', str(advanced_notif_num),
>         'command')
> try:
>         helpers.exec_command(obj.command, use_shell=True)
> except Exception:
>         pass
> 
> 
> obj.command does not exist in 0.13.4, only in 0.15
> it should probably be:
> 
> helpers.exec_command(command, use_shell=True)

Interesting. Thanks for the report! I will have to check that. When I tested 
the update the notifications in the form of popups telling me new messages 
worked.

Cheers
Nico

[Message part 2 (application/pgp-signature, inline)]

Message #32 received at 668038@bugs.debian.org (full text, mbox, reply):

From: Julian Taylor <jtaylor.debian@googlemail.com>

To: Nico Golde <nion@debian.org>

Cc: 668038@bugs.debian.org

Subject: Re: more issues

Date: Thu, 10 May 2012 21:55:47 +0200

[Message part 1 (text/plain, inline)]

On 05/02/2012 11:01 PM, Nico Golde wrote:
> Hi,

> 
> Interesting. Thanks for the report! I will have to check that. When I tested 
> the update the notifications in the form of popups telling me new messages 
> worked.
> 
> Cheers
> Nico

Tyler Hicks found some more issues with the patches:

the patch for CVE-2012-2086 is missing a definition of jid_tuple in the
else branch of hunk 654 in src/common/logger.py

the patch for CVE-2012-2085 is missing a gajim.thread_interface(p.wait)
this may not have any effect as so far I now python will not garbage
collect and kill the subprocess.

[signature.asc (application/pgp-signature, attachment)]

Send a report that this bug log contains spam.