Debian Bug report logs - #668038: gajim code execution and sql injection
Reported by: "Thijs Kinkhorst" <thijs@debian.org>
Date: Sun, 8 Apr 2012 13:51:02 UTC
Severity: grave
Tags: security
Fixed in versions gajim/0.15-1, gajim/0.13.4-3+squeeze2
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Yann Leboulanger <asterix@lagaule.org>: Bug#668038; Package gajim. (Sun, 08 Apr 2012 13:51:04 GMT)
Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>: New Bug report received and forwarded. Copy sent to Yann Leboulanger <asterix@lagaule.org>. (Sun, 08 Apr 2012 13:51:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: gajim
Severity: grave
Tags: security
Hi,
Two security issues were reported in gajim: one user assisted code
execution and one an SQL injection:
- https://trac.gajim.org/ticket/7031
- https://trac.gajim.org/ticket/7034
They are fixed in gajim 0.15-1, which is in unstable and I've asked the
release team to increase the urgency value so it reaches testing sooner.
Can you please verify if the version in squeeze is indeed affected by
these issues and if so, are you able to provide an updated package? If
not, please also let the security team know.
Cheers,
Thijs
Information forwarded to debian-bugs-dist@lists.debian.org, Yann Leboulanger <asterix@lagaule.org>: Bug#668038; Package gajim. (Sun, 08 Apr 2012 16:45:05 GMT)
Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>: Extra info received and forwarded to list. Copy sent to Yann Leboulanger <asterix@lagaule.org>. (Sun, 08 Apr 2012 16:45:05 GMT)
Message #10 received at 668038@bugs.debian.org:
Hi,
CVE-2012-2085 (code execution) and CVE-2012-2086 (sql injection) have been
assigned to this issue. Please mention them in any changelog entries.
cheers,
Thijs
Marked as fixed in versions gajim/0.15-1. Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Tue, 10 Apr 2012 06:21:02 GMT)
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility. (Mon, 16 Apr 2012 21:09:04 GMT)
Notification sent to "Thijs Kinkhorst" <thijs@debian.org>: Bug acknowledged by developer. (Mon, 16 Apr 2012 21:09:05 GMT)
Message #17 received at 668038-close@bugs.debian.org:
Source: gajim
Source-Version: 0.13.4-3+squeeze2
We believe that the bug you reported is fixed in the latest version of
gajim, which is due to be installed in the Debian FTP archive:
gajim_0.13.4-3+squeeze2.diff.gz
to main/g/gajim/gajim_0.13.4-3+squeeze2.diff.gz
gajim_0.13.4-3+squeeze2.dsc
to main/g/gajim/gajim_0.13.4-3+squeeze2.dsc
gajim_0.13.4-3+squeeze2_amd64.deb
to main/g/gajim/gajim_0.13.4-3+squeeze2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 668038@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated gajim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 15 Apr 2012 20:35:02 +0000
Source: gajim
Binary: gajim
Architecture: source amd64
Version: 0.13.4-3+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Yann Leboulanger <asterix@lagaule.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
gajim - Jabber client written in PyGTK
Closes: 668038 668710
Changes:
gajim (0.13.4-3+squeeze2) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* This update fixes the following security issues:
- CVE-2012-2086: SQL injections via jids in logging code
- CVE-2012-2085: assisted code execution via crafted messages due
to insecurely processing input with popen.
- CVE-2012-2093: insecure use of temporary files when converting LaTeX
IM messages to png images.
(Closes: #668710, #668038)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk+LNYYACgkQHYflSXNkfP868QCgjIu1wn2MQ2w8awaaPj7GJE+9
KUEAoLNaIMkAuAh/xbnfZiAeToozuVQj
=+DGR
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Yann Leboulanger <asterix@lagaule.org>: Bug#668038; Package gajim. (Wed, 02 May 2012 19:15:09 GMT)
Acknowledgement sent to Julian Taylor <jtaylor.debian@googlemail.com>: Extra info received and forwarded to list. Copy sent to Yann Leboulanger <asterix@lagaule.org>. (Wed, 02 May 2012 19:15:09 GMT)
Message #22 received at 668038@bugs.debian.org:
the patch for the code execution probably contains a regression
I can't judge how severe it is or provide a testcase:
/usr/share/gajim/src/notify.py:323
    command = gajim.config.get_per('notifications', str(advanced_notif_num),
        'command')
    try:
        helpers.exec_command(obj.command, use_shell=True)
    except Exception:
        pass

obj.command does not exist in 0.13.4, only in 0.15
it should probably be:

    helpers.exec_command(command, use_shell=True)
[signature.asc (application/pgp-signature, attachment)]
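How a backport slip of the kind reported in this message stays silent, and one way to catch it before release, as an added example that is not part of the report or of gajim's code. It assumes `obj` is not bound at all in that scope; the function name `run_notification_command` and the stubs `config_get_per` and `exec_command` are hypothetical stand-ins for gajim's own objects.

```python
import ast
import builtins

# Constructed stand-in shaped like the snippet quoted in the report; the
# function name and helper names are assumptions, not gajim code.
BACKPORTED = '''
def run_notification_command(advanced_notif_num):
    command = config_get_per('notifications', str(advanced_notif_num),
        'command')
    try:
        exec_command(obj.command, use_shell=True)
    except Exception:
        pass
'''
FIXED = BACKPORTED.replace('obj.command', 'command')


def unbound_names(source, known=()):
    """Names read somewhere in `source` but never bound (flow-insensitive)."""
    bound = set(dir(builtins)) | set(known)
    loaded = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.ClassDef)):
            bound.add(node.name)
        elif isinstance(node, ast.arg):
            bound.add(node.arg)
        elif isinstance(node, ast.alias):
            bound.add((node.asname or node.name).split('.')[0])
        elif isinstance(node, ast.Name):
            (loaded if isinstance(node.ctx, ast.Load) else bound).add(node.id)
    return loaded - bound


def commands_run(source):
    """Run the function with stubbed helpers; return the commands executed."""
    ran = []
    env = {
        'config_get_per': lambda *args: 'notify-hook',  # constructed value
        'exec_command': lambda cmd, use_shell=False: ran.append(cmd),
    }
    exec(source, env)
    # In the backported form the NameError on `obj` is swallowed by
    # `except Exception: pass`, so nothing is raised and nothing is run.
    env['run_notification_command'](0)
    return ran
```

The static check flags `obj` without executing anything, while the dynamic run shows the failure mode: no traceback, and the configured command is simply never started.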
Information forwarded to debian-bugs-dist@lists.debian.org, Yann Leboulanger <asterix@lagaule.org>: Bug#668038; Package gajim. (Wed, 02 May 2012 21:03:22 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Yann Leboulanger <asterix@lagaule.org>. (Wed, 02 May 2012 21:03:22 GMT)
Message #27 received at 668038@bugs.debian.org:
Hi,
* Julian Taylor <jtaylor.debian@googlemail.com> [2012-05-02 21:17]:
> the patch for the code execution probably contains a regression
> I can't judge how severe it is or provide a testcase:
>
> /usr/share/gajim/src/notify.py:323
>     command = gajim.config.get_per('notifications', str(advanced_notif_num),
>         'command')
>     try:
>         helpers.exec_command(obj.command, use_shell=True)
>     except Exception:
>         pass
>
>
> obj.command does not exist in 0.13.4, only in 0.15
> it should probably be:
>
>     helpers.exec_command(command, use_shell=True)
Interesting. Thanks for the report! I will have to check that. When I tested
the update the notifications in the form of popups telling me new messages
worked.
Cheers
Nico
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Yann Leboulanger <asterix@lagaule.org>: Bug#668038; Package gajim. (Thu, 10 May 2012 19:57:03 GMT)
Acknowledgement sent to Julian Taylor <jtaylor.debian@googlemail.com>: Extra info received and forwarded to list. Copy sent to Yann Leboulanger <asterix@lagaule.org>. (Thu, 10 May 2012 19:57:03 GMT)
Message #32 received at 668038@bugs.debian.org:
On 05/02/2012 11:01 PM, Nico Golde wrote:
> Hi,
>
> Interesting. Thanks for the report! I will have to check that. When I tested
> the update the notifications in the form of popups telling me new messages
> worked.
>
> Cheers
> Nico
Tyler Hicks found some more issues with the patches:
the patch for CVE-2012-2086 is missing a definition of jid_tuple in the
else branch of hunk 654 in src/common/logger.py
the patch for CVE-2012-2085 is missing a gajim.thread_interface(p.wait)
this may not have any effect, as so far as I know Python will not garbage
collect and kill the subprocess.
[signature.asc (application/pgp-signature, attachment)]
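The bug class named in the changelog above ("SQL injections via jids in logging code"), as an added example that is not gajim's code: a jid interpolated into the statement text, beside the same lookup with the jid passed as a bound parameter tuple. The schema, function names and sample jids are constructed for illustration; only the variable name `jid_tuple` is borrowed from the message above.

```python
import sqlite3


def open_log_db():
    """In-memory stand-in for a chat history database (hypothetical schema)."""
    con = sqlite3.connect(':memory:')
    con.execute('CREATE TABLE jids (jid_id INTEGER PRIMARY KEY, jid TEXT UNIQUE)')
    con.execute('CREATE TABLE logs (jid_id INTEGER, message TEXT)')
    con.executemany('INSERT INTO jids (jid, jid_id) VALUES (?, ?)',
        [('alice@example.org', 1), ('bob@example.org', 2)])
    con.executemany('INSERT INTO logs VALUES (?, ?)',
        [(1, 'hello from alice'), (2, 'hello from bob')])
    return con


def history_unsafe(con, jid):
    # Weak form: the jid is pasted into the statement text, so a quote
    # character inside it is parsed as SQL syntax instead of data.
    sql = ("SELECT message FROM logs JOIN jids USING (jid_id) "
        "WHERE jid = '%s'" % jid)
    return [row[0] for row in con.execute(sql)]


def history_safe(con, jid):
    # Hardened form: the statement text is constant and the jid travels
    # separately as a bound parameter, so it can only ever be compared.
    jid_tuple = (jid,)
    sql = 'SELECT message FROM logs JOIN jids USING (jid_id) WHERE jid = ?'
    return [row[0] for row in con.execute(sql, jid_tuple)]


# Constructed jid value containing SQL metacharacters.
CRAFTED_JID = "x@example.org/' OR '1'='1"
```

With the string-built query the crafted value returns every contact's history; with the parameterized query it matches no stored jid and returns nothing.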
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 08 Jun 2012 07:39:35 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:25:33 2019; Machine Name: beach