Mageia Bugzilla – Attachment 2006 Details for
Bug 5432
gajim new security issues CVE-2012-2093, CVE-2012-2086, CVE-2012-2085
[patch]
gajim-0.14.4-CVE-2012-2093_CVE-2012-2086_CVE-2012-2085.patch
gajim-0.14.4-CVE-2012-2093_CVE-2012-2086_CVE-2012-2085.patch (text/plain), 11.02 KB, created by
David Walser
on 2012-04-17 02:55:53 CEST
Description:
gajim-0.14.4-CVE-2012-2093_CVE-2012-2086_CVE-2012-2085.patch
Filename:
MIME Type:
Creator:
David Walser
Created:
2012-04-17 02:55:53 CEST
Size:
11.02 KB
patch
obsolete
>diff -uNr gajim-0.14.4.orig/src/common/helpers.py gajim-0.14.4/src/common/helpers.py >--- gajim-0.14.4.orig/src/common/helpers.py 2011-05-31 12:00:32.000000000 -0400 >+++ gajim-0.14.4/src/common/helpers.py 2012-04-16 20:23:16.437187596 -0400 >@@ -39,6 +39,7 @@ > import select > import base64 > import hashlib >+import shlex > import caps_cache > > from encodings.punycode import punycode_encode >@@ -372,8 +373,17 @@ > pass > return False > >-def exec_command(command): >- subprocess.Popen('%s &' % command, shell=True).wait() >+def exec_command(command, use_shell=False): >+ """ >+ execute a command. if use_shell is True, we run the command as is it was >+ typed in a console. So it may be dangerous if you are not sure about what >+ is executed. >+ """ >+ if use_shell: >+ subprocess.Popen('%s &' % command, shell=True).wait() >+ else: >+ args = shlex.split(command.encode('utf-8')) >+ p = subprocess.Popen(args) > > def build_command(executable, parameter): > # we add to the parameter (can hold path with spaces) >diff -uNr gajim-0.14.4.orig/src/common/latex.py gajim-0.14.4/src/common/latex.py >--- gajim-0.14.4.orig/src/common/latex.py 2010-07-27 05:47:45.000000000 -0400 >+++ gajim-0.14.4/src/common/latex.py 2012-04-16 20:29:01.757075979 -0400 >@@ -29,7 +29,7 @@ > > import os > import random >-from tempfile import gettempdir >+from tempfile import gettempdir,mkstemp,mkdtemp > from subprocess import Popen, PIPE > > import logging >@@ -57,10 +57,10 @@ > return True > return False > >-def get_tmpfile_name(): >+def get_tmpfile_name(tmpdir): > random.seed() > int_ = random.randint(0, 100) >- return os.path.join(gettempdir(), 'gajimtex_' + int_.__str__()) >+ return os.path.join(tmpdir, 'gajimtex_' + int_.__str__()) > > def write_latex(filename, str_): > texstr = '\\documentclass[12pt]{article}\\usepackage[dvips]{graphicx}' 
>@@ -78,12 +78,12 @@ > # a wrapper for Popen so that no window gets opened on Windows > # (i think this is the reason we're using Popen rather than just system()) > # stdout goes to a pipe so that it can be read >-def popen_nt_friendly(command): >+def popen_nt_friendly(command, directory): > if os.name == 'nt': > # CREATE_NO_WINDOW >- return Popen(command, creationflags=0x08000000, cwd=gettempdir(), stdout=PIPE) >+ return Popen(command, creationflags=0x08000000, cwd=directory, stdout=PIPE) > else: >- return Popen(command, cwd=gettempdir(), stdout=PIPE) >+ return Popen(command, cwd=directory, stdout=PIPE) > > def check_for_latex_support(): > """ >@@ -99,9 +99,9 @@ > except LatexError: > return False > >-def try_run(argv): >+def try_run(argv, directory): > try: >- p = popen_nt_friendly(argv) >+ p = popen_nt_friendly(argv, directory) > out = p.communicate()[0] > log.info(out) > return p.wait() >@@ -126,21 +126,29 @@ > # we triggered the blacklist, immediately return None > return None > >- tmpfile = get_tmpfile_name() >+ tmpdir = "" >+ tmppng = "" >+ try: >+ tmpdir = mkdtemp(prefix="gajim") >+ tmppng = mkstemp(suffix=".png")[1] >+ except Exception: >+ raise LatexError("could not securely create one or more temporary files for LaTeX conversion") >+ >+ tmpfile = get_tmpfile_name(tmpdir) > > # build latex string > write_latex(os.path.join(tmpfile + '.tex'), str_) > > # convert TeX to dvi > exitcode = try_run(['latex', '--interaction=nonstopmode', >- tmpfile + '.tex']) >+ tmpfile + '.tex'], tmpdir) > > if exitcode == 0: > # convert dvi to png > latex_png_dpi = gajim.config.get('latex_png_dpi') > exitcode = try_run(['dvipng', '-bg', bg_str, '-fg', fg_str, '-T', > 'tight', '-D', latex_png_dpi, tmpfile + '.dvi', '-o', >- tmpfile + '.png']) >+ tmpfile + '.png'], tmpdir) > > # remove temp files created by us and TeX > extensions = ['.tex', '.log', '.aux', '.dvi'] 
>@@ -150,10 +158,12 @@ > except Exception: > pass > >+ os.rename(tmpfile + '.png', tmppng) >+ os.rmdir(tmpdir) > if isinstance(exitcode, (unicode, str)): > raise LatexError(exitcode) > > if exitcode == 0: >- result = tmpfile + '.png' >+ result = tmppng > > return result >diff -uNr gajim-0.14.4.orig/src/common/logger.py gajim-0.14.4/src/common/logger.py >--- gajim-0.14.4.orig/src/common/logger.py 2010-07-27 05:47:45.000000000 -0400 >+++ gajim-0.14.4/src/common/logger.py 2012-04-16 20:43:14.674477396 -0400 >@@ -563,7 +563,7 @@ > except exceptions.PysqliteOperationalError, e: > # Error trying to create a new jid_id. This means there is no log > return [] >- where_sql = self._build_contact_where(account, jid) >+ where_sql, jid_tuple = self._build_contact_where(account, jid) > > now = int(float(time.time())) > timed_out = now - (timeout * 60) # before that they are too old >@@ -575,10 +575,9 @@ > WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d > ORDER BY time DESC LIMIT %d OFFSET %d > ''' % (where_sql, constants.KIND_SINGLE_MSG_RECV, >- constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT, >- constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR, >- timed_out, restore_how_many_rows, pending_how_many) >- ) >+ constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT, >+ constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR, timed_out, >+ restore_how_many_rows, pending_how_many), jid_tuple) > > results = self.cur.fetchall() > except sqlite.DatabaseError: >@@ -608,7 +607,7 @@ > except exceptions.PysqliteOperationalError, e: > # Error trying to create a new jid_id. This means there is no log > return [] >- where_sql = self._build_contact_where(account, jid) >+ where_sql, jid_tuple = self._build_contact_where(account, jid) > > start_of_day = self.get_unix_time_from_date(year, month, day) > seconds_in_a_day = 86400 # 60 * 60 * 24 
>@@ -619,7 +618,7 @@ > WHERE (%s) > AND time BETWEEN %d AND %d > ORDER BY time >- ''' % (where_sql, start_of_day, last_second_of_day)) >+ ''' % (where_sql, start_of_day, last_second_of_day), jid_tuple) > > results = self.cur.fetchall() > return results >@@ -645,13 +644,13 @@ > return results > > else: # user just typed something, we search in message column >- where_sql = self._build_contact_where(account, jid) >+ where_sql, jid_tuple = self._build_contact_where(account, jid) > like_sql = '%' + query.replace("'", "''") + '%' > self.cur.execute(''' > SELECT contact_name, time, kind, show, message, subject FROM logs > WHERE (%s) AND message LIKE '%s' > ORDER BY time >- ''' % (where_sql, like_sql)) >+ ''' % (where_sql, like_sql), jid_tuple) > > results = self.cur.fetchall() > return results >@@ -666,7 +665,7 @@ > # Error trying to create a new jid_id. This means there is no log > return [] > days_with_logs = [] >- where_sql = self._build_contact_where(account, jid) >+ where_sql, jid_tuple = self._build_contact_where(account, jid) > > # First select all date of month whith logs we want > start_of_month = self.get_unix_time_from_date(year, month, 1) >@@ -684,7 +683,7 @@ > AND kind NOT IN (%d, %d) > ORDER BY time > ''' % (where_sql, start_of_month, last_second_of_month, >- constants.KIND_STATUS, constants.KIND_GCSTATUS)) >+ constants.KIND_STATUS, constants.KIND_GCSTATUS), jid_tuple) > result = self.cur.fetchall() > > # convert timestamps to day of month 
>@@ -700,19 +699,20 @@ > """ > where_sql = '' > if not is_room: >- where_sql = self._build_contact_where(account, jid) >+ where_sql, jid_tuple = self._build_contact_where(account, jid) > else: > try: > jid_id = self.get_jid_id(jid, 'ROOM') > except exceptions.PysqliteOperationalError, e: > # Error trying to create a new jid_id. This means there is no log > return None >- where_sql = 'jid_id = %s' % jid_id >+ where_sql = 'jid_id = ?' > self.cur.execute(''' > SELECT MAX(time) FROM logs > WHERE (%s) > AND kind NOT IN (%d, %d) >- ''' % (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS)) >+ ''' % (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS), >+ jid_tuple) > > results = self.cur.fetchone() > if results is not None: >@@ -731,11 +731,13 @@ > except exceptions.PysqliteOperationalError, e: > # Error trying to create a new jid_id. This means there is no log > return None >- where_sql = 'jid_id = %s' % jid_id >+ where_sql = 'jid_id = ?' >+ jid_tuple = (jid_id,) >+ > self.cur.execute(''' > SELECT time FROM rooms_last_message_time > WHERE (%s) >- ''' % (where_sql)) >+ ''' % (where_sql), jid_tuple) > > results = self.cur.fetchone() > if results is not None: >@@ -760,6 +762,7 @@ > Build the where clause for a jid, including metacontacts jid(s) if any > """ > where_sql = '' >+ jid_tuple = () > # will return empty list if jid is not associated with > # any metacontacts > family = gajim.contacts.get_metacontacts_family(account, jid) 
>@@ -769,13 +772,15 @@ > jid_id = self.get_jid_id(user['jid']) > except exceptions.PysqliteOperationalError, e: > continue >- where_sql += 'jid_id = %s' % jid_id >+ where_sql += 'jid_id = ?' >+ jid_tuple += (jid_id,) > if user != family[-1]: > where_sql += ' OR ' > else: # if jid was not associated with metacontacts > jid_id = self.get_jid_id(jid) >- where_sql = 'jid_id = %s' % jid_id >- return where_sql >+ where_sql = 'jid_id = ?' >+ jid_tuple += (jid_id,) >+ return where_sql,jid_tuple > > def save_transport_type(self, jid, type_): > """ >diff -uNr gajim-0.14.4.orig/src/notify.py gajim-0.14.4/src/notify.py >--- gajim-0.14.4.orig/src/notify.py 2011-05-31 12:00:32.000000000 -0400 >+++ gajim-0.14.4/src/notify.py 2012-04-16 20:39:44.373749254 -0400 >@@ -313,7 +313,7 @@ > command = gajim.config.get_per('notifications', str(advanced_notif_num), > 'command') > try: >- helpers.exec_command(command) >+ helpers.exec_command(obj.command, use_shell=True) > except Exception: > pass >
diff -uNr gajim-0.14.4.orig/src/common/helpers.py gajim-0.14.4/src/common/helpers.py
--- gajim-0.14.4.orig/src/common/helpers.py 2011-05-31 12:00:32.000000000 -0400
+++ gajim-0.14.4/src/common/helpers.py 2012-04-16 20:23:16.437187596 -0400
@@ -39,6 +39,7 @@
 import select
 import base64
 import hashlib
+import shlex
 import caps_cache
 
 from encodings.punycode import punycode_encode
@@ -372,8 +373,17 @@
 pass
 return False
 
-def exec_command(command):
- subprocess.Popen('%s &' % command, shell=True).wait()
+def exec_command(command, use_shell=False):
+ """
+ execute a command. if use_shell is True, we run the command as is it was
+ typed in a console. So it may be dangerous if you are not sure about what
+ is executed.
+ """
+ if use_shell:
+ subprocess.Popen('%s &' % command, shell=True).wait()
+ else:
+ args = shlex.split(command.encode('utf-8'))
+ p = subprocess.Popen(args)
 
 def build_command(executable, parameter):
 # we add to the parameter (can hold path with spaces)
diff -uNr gajim-0.14.4.orig/src/common/latex.py gajim-0.14.4/src/common/latex.py
--- gajim-0.14.4.orig/src/common/latex.py 2010-07-27 05:47:45.000000000 -0400
+++ gajim-0.14.4/src/common/latex.py 2012-04-16 20:29:01.757075979 -0400
@@ -29,7 +29,7 @@
 
 import os
 import random
-from tempfile import gettempdir
+from tempfile import gettempdir,mkstemp,mkdtemp
 from subprocess import Popen, PIPE
 
 import logging
@@ -57,10 +57,10 @@
 return True
 return False
 
-def get_tmpfile_name():
+def get_tmpfile_name(tmpdir):
 random.seed()
 int_ = random.randint(0, 100)
- return os.path.join(gettempdir(), 'gajimtex_' + int_.__str__())
+ return os.path.join(tmpdir, 'gajimtex_' + int_.__str__())
 
 def write_latex(filename, str_):
 texstr = '\\documentclass[12pt]{article}\\usepackage[dvips]{graphicx}'
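Review bot: In the new non-shell branch of exec_command, `p = subprocess.Popen(args)` binds a name that is never used and, unlike the shell branch, never waits on the child, so the two branches have different process-lifecycle semantics; if fire-and-forget is intended, drop the binding and say so: `subprocess.Popen(args)  # not waited on: detached on purpose, like the '&' in the shell branch`. The docstring should also name the failure modes this branch introduces for callers: `shlex.split` raises `ValueError` on unbalanced quotes, an empty command yields `[]` and makes `Popen` raise, and `command.encode('utf-8')` presumes `command` is a unicode object (a byte string with non-ASCII content would fail on this Python 2 code base — confirm what callers pass). The docstring typo `as is it was` should read `as if it was`.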
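Review bot: get_tmpfile_name still derives the name from `random.randint(0, 100)`; that is acceptable only because `tmpdir` is now expected to be a fresh `mkdtemp()` directory (created with mode 0700), so the function's safety rests entirely on what the caller passes and nothing in the hunk says so. Suggest a docstring such as `"""Return a path prefix inside tmpdir. tmpdir must be a private directory freshly created with mkdtemp(); the name itself is not meant to be unpredictable."""`. The per-call `random.seed()` is unnecessary (the module is seeded at import) and `int_.__str__()` is the unidiomatic form of `str(int_)`.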
@@ -78,12 +78,12 @@
 # a wrapper for Popen so that no window gets opened on Windows
 # (i think this is the reason we're using Popen rather than just system())
 # stdout goes to a pipe so that it can be read
-def popen_nt_friendly(command):
+def popen_nt_friendly(command, directory):
 if os.name == 'nt':
 # CREATE_NO_WINDOW
- return Popen(command, creationflags=0x08000000, cwd=gettempdir(), stdout=PIPE)
+ return Popen(command, creationflags=0x08000000, cwd=directory, stdout=PIPE)
 else:
- return Popen(command, cwd=gettempdir(), stdout=PIPE)
+ return Popen(command, cwd=directory, stdout=PIPE)
 
 def check_for_latex_support():
 """
@@ -99,9 +99,9 @@
 except LatexError:
 return False
 
-def try_run(argv):
+def try_run(argv, directory):
 try:
- p = popen_nt_friendly(argv)
+ p = popen_nt_friendly(argv, directory)
 out = p.communicate()[0]
 log.info(out)
 return p.wait()
@@ -126,21 +126,29 @@
 # we triggered the blacklist, immediately return None
 return None
 
- tmpfile = get_tmpfile_name()
+ tmpdir = ""
+ tmppng = ""
+ try:
+ tmpdir = mkdtemp(prefix="gajim")
+ tmppng = mkstemp(suffix=".png")[1]
+ except Exception:
+ raise LatexError("could not securely create one or more temporary files for LaTeX conversion")
+
+ tmpfile = get_tmpfile_name(tmpdir)
 
 # build latex string
 write_latex(os.path.join(tmpfile + '.tex'), str_)
 
 # convert TeX to dvi
 exitcode = try_run(['latex', '--interaction=nonstopmode',
- tmpfile + '.tex'])
+ tmpfile + '.tex'], tmpdir)
 
 if exitcode == 0:
 # convert dvi to png
 latex_png_dpi = gajim.config.get('latex_png_dpi')
 exitcode = try_run(['dvipng', '-bg', bg_str, '-fg', fg_str, '-T',
 'tight', '-D', latex_png_dpi, tmpfile + '.dvi', '-o',
- tmpfile + '.png'])
+ tmpfile + '.png'], tmpdir)
 
 # remove temp files created by us and TeX
 extensions = ['.tex', '.log', '.aux', '.dvi']
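Review bot: `tmppng = mkstemp(suffix=".png")[1]` keeps only the path and discards the open file descriptor that `mkstemp` returns, so every conversion leaks one fd; write it as `fd, tmppng = mkstemp(suffix=".png")` followed by `os.close(fd)`. When `mkdtemp` succeeds and `mkstemp` then fails, the freshly created directory is left behind, and the bare `except Exception:` also drops the original error, so at least log the caught exception before raising `LatexError`. The `tmpdir = ""` and `tmppng = ""` pre-assignments are dead, since the except clause always raises. The enclosing function starts before this hunk and continues in the next one.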
@@ -150,10 +158,12 @@
 except Exception:
 pass
 
+ os.rename(tmpfile + '.png', tmppng)
+ os.rmdir(tmpdir)
 if isinstance(exitcode, (unicode, str)):
 raise LatexError(exitcode)
 
 if exitcode == 0:
- result = tmpfile + '.png'
+ result = tmppng
 
 return result
diff -uNr gajim-0.14.4.orig/src/common/logger.py gajim-0.14.4/src/common/logger.py
--- gajim-0.14.4.orig/src/common/logger.py 2010-07-27 05:47:45.000000000 -0400
+++ gajim-0.14.4/src/common/logger.py 2012-04-16 20:43:14.674477396 -0400
@@ -563,7 +563,7 @@
 except exceptions.PysqliteOperationalError, e:
 # Error trying to create a new jid_id. This means there is no log
 return []
- where_sql = self._build_contact_where(account, jid)
+ where_sql, jid_tuple = self._build_contact_where(account, jid)
 
 now = int(float(time.time()))
 timed_out = now - (timeout * 60) # before that they are too old
@@ -575,10 +575,9 @@
 WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d
 ORDER BY time DESC LIMIT %d OFFSET %d
 ''' % (where_sql, constants.KIND_SINGLE_MSG_RECV,
- constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
- constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR,
- timed_out, restore_how_many_rows, pending_how_many)
- )
+ constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
+ constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR, timed_out,
+ restore_how_many_rows, pending_how_many), jid_tuple)
 
 results = self.cur.fetchall()
 except sqlite.DatabaseError:
@@ -608,7 +607,7 @@
 except exceptions.PysqliteOperationalError, e:
 # Error trying to create a new jid_id. This means there is no log
 return []
- where_sql = self._build_contact_where(account, jid)
+ where_sql, jid_tuple = self._build_contact_where(account, jid)
 
 start_of_day = self.get_unix_time_from_date(year, month, day)
 seconds_in_a_day = 86400 # 60 * 60 * 24
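Review bot: `os.rename(tmpfile + '.png', tmppng)` and `os.rmdir(tmpdir)` run unconditionally, but when `latex` or `dvipng` failed (`exitcode` non-zero, or an error string per the `isinstance` check just below) no `.png` was produced, so `os.rename` raises `OSError` before the `LatexError` path is reached, and both `tmppng` (the empty file `mkstemp` created) and `tmpdir` are leaked; `os.rmdir` also fails whenever TeX left a file whose extension is not in `extensions`. Rename only on success, remove the placeholder otherwise, and tear the work directory down in a `finally` with `shutil.rmtree` (needs `import shutil` at the top of the file). The enclosing function starts before this hunk.
```python
# … unchanged: loop removing tmpfile + ext for each ext in extensions …
try:
    if exitcode == 0:
        # move the rendered image out before the private work dir goes away
        os.rename(tmpfile + '.png', tmppng)
    else:
        # nothing was rendered; drop the empty placeholder mkstemp() created
        os.remove(tmppng)
finally:
    shutil.rmtree(tmpdir, ignore_errors=True)
if isinstance(exitcode, (unicode, str)):
    raise LatexError(exitcode)
# … unchanged: result assignment and return …
```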
@@ -619,7 +618,7 @@
 WHERE (%s)
 AND time BETWEEN %d AND %d
 ORDER BY time
- ''' % (where_sql, start_of_day, last_second_of_day))
+ ''' % (where_sql, start_of_day, last_second_of_day), jid_tuple)
 
 results = self.cur.fetchall()
 return results
@@ -645,13 +644,13 @@
 return results
 
 else: # user just typed something, we search in message column
- where_sql = self._build_contact_where(account, jid)
+ where_sql, jid_tuple = self._build_contact_where(account, jid)
 like_sql = '%' + query.replace("'", "''") + '%'
 self.cur.execute('''
 SELECT contact_name, time, kind, show, message, subject FROM logs
 WHERE (%s) AND message LIKE '%s'
 ORDER BY time
- ''' % (where_sql, like_sql))
+ ''' % (where_sql, like_sql), jid_tuple)
 
 results = self.cur.fetchall()
 return results
@@ -666,7 +665,7 @@
 # Error trying to create a new jid_id. This means there is no log
 return []
 days_with_logs = []
- where_sql = self._build_contact_where(account, jid)
+ where_sql, jid_tuple = self._build_contact_where(account, jid)
 
 # First select all date of month whith logs we want
 start_of_month = self.get_unix_time_from_date(year, month, 1)
@@ -684,7 +683,7 @@
 AND kind NOT IN (%d, %d)
 ORDER BY time
 ''' % (where_sql, start_of_month, last_second_of_month,
- constants.KIND_STATUS, constants.KIND_GCSTATUS))
+ constants.KIND_STATUS, constants.KIND_GCSTATUS), jid_tuple)
 result = self.cur.fetchall()
 
 # convert timestamps to day of month
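Review bot: In the `@@ -645` hunk, `message LIKE '%s'` still splices the user-typed search term into the SQL text through `like_sql`, relying on hand-doubled single quotes, while every other value in the same statement is now bound; the one remaining interpolated value is exactly the kind of spot that regresses. Bind it as well: `WHERE (%s) AND message LIKE ?`, `''' % (where_sql,), jid_tuple + (like_sql,))`, and `like_sql = '%' + query + '%'` — the `.replace("'", "''")` must go at the same time, otherwise doubled quotes are searched for literally. The enclosing method starts before the hunk.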
@@ -700,19 +699,20 @@
 """
 where_sql = ''
 if not is_room:
- where_sql = self._build_contact_where(account, jid)
+ where_sql, jid_tuple = self._build_contact_where(account, jid)
 else:
 try:
 jid_id = self.get_jid_id(jid, 'ROOM')
 except exceptions.PysqliteOperationalError, e:
 # Error trying to create a new jid_id. This means there is no log
 return None
- where_sql = 'jid_id = %s' % jid_id
+ where_sql = 'jid_id = ?'
 self.cur.execute('''
 SELECT MAX(time) FROM logs
 WHERE (%s)
 AND kind NOT IN (%d, %d)
- ''' % (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS))
+ ''' % (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS),
+ jid_tuple)
 
 results = self.cur.fetchone()
 if results is not None:
@@ -731,11 +731,13 @@
 except exceptions.PysqliteOperationalError, e:
 # Error trying to create a new jid_id. This means there is no log
 return None
- where_sql = 'jid_id = %s' % jid_id
+ where_sql = 'jid_id = ?'
+ jid_tuple = (jid_id,)
+
 self.cur.execute('''
 SELECT time FROM rooms_last_message_time
 WHERE (%s)
- ''' % (where_sql), jid_tuple)
 
 results = self.cur.fetchone()
 if results is not None:
@@ -760,6 +762,7 @@
 Build the where clause for a jid, including metacontacts jid(s) if any
 """
 where_sql = ''
+ jid_tuple = ()
 # will return empty list if jid is not associated with
 # any metacontacts
 family = gajim.contacts.get_metacontacts_family(account, jid)
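Review bot: In the `@@ -700` hunk the `is_room` branch never assigns `jid_tuple`: `where_sql = 'jid_id = ?'` adds a placeholder, but `jid_tuple` is only bound in the `not is_room` branch, so `self.cur.execute(..., jid_tuple)` raises `UnboundLocalError` for every room lookup (the `@@ -731` hunk handles the same situation correctly). Add `jid_tuple = (jid_id,)` directly after `where_sql = 'jid_id = ?'`, and initialise `jid_tuple = ()` next to `where_sql = ''` so both names are always bound. The enclosing method starts before the hunk.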
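Review bot: In the `@@ -760` hunk the docstring `Build the where clause for a jid, including metacontacts jid(s) if any` no longer describes what _build_contact_where returns, which now is a pair rather than a string, and every caller in this patch had to change to unpack it. Suggest appending `Returns (where_sql, jid_tuple): the clause using ? placeholders, and the tuple of jid_ids to bind, one per placeholder and in the same order; pass jid_tuple as the parameters argument of execute().` to the docstring. The method continues in the next hunk.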
@@ -769,13 +772,15 @@
 jid_id = self.get_jid_id(user['jid'])
 except exceptions.PysqliteOperationalError, e:
 continue
- where_sql += 'jid_id = %s' % jid_id
+ where_sql += 'jid_id = ?'
+ jid_tuple += (jid_id,)
 if user != family[-1]:
 where_sql += ' OR '
 else: # if jid was not associated with metacontacts
 jid_id = self.get_jid_id(jid)
- where_sql = 'jid_id = %s' % jid_id
- return where_sql
+ where_sql = 'jid_id = ?'
+ jid_tuple += (jid_id,)
+ return where_sql,jid_tuple
 
 def save_transport_type(self, jid, type_):
 """
diff -uNr gajim-0.14.4.orig/src/notify.py gajim-0.14.4/src/notify.py
--- gajim-0.14.4.orig/src/notify.py 2011-05-31 12:00:32.000000000 -0400
+++ gajim-0.14.4/src/notify.py 2012-04-16 20:39:44.373749254 -0400
@@ -313,7 +313,7 @@
 command = gajim.config.get_per('notifications', str(advanced_notif_num),
 'command')
 try:
- helpers.exec_command(command)
+ helpers.exec_command(obj.command, use_shell=True)
 except Exception:
 pass
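Review bot: `return where_sql,jid_tuple` should read `return where_sql, jid_tuple`. The invariant the new code depends on — one bound value per `?` in `where_sql`, in order — is kept by the loop because the `continue` on a failed `get_jid_id` skips both the placeholder and the tuple entry, but it is worth a comment above the return, e.g. `# one bound value per '?' in where_sql, in the same order`. Note (pre-existing, not introduced here) that the same `continue` leaves a trailing `' OR '` in `where_sql` when the lookup of the last family member fails, which would produce a malformed statement. The method starts in the previous hunk.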
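Review bot: In the notify.py hunk the call now passes `obj.command`, leaving the `command` computed from `gajim.config.get_per(...)` on the two context lines above unused; `obj` is not visible in this hunk, and if it is not bound in this function the resulting `NameError` is swallowed by the `except Exception: pass` below, so the configured notification command would silently never run. Unless `obj` is introduced elsewhere in the function, the line should be `helpers.exec_command(command, use_shell=True)`. Passing `use_shell=True` is defensible here only because the string comes from the user's own configuration, which deserves a comment on the call: `# command comes from the local config, not from the network; shell semantics are intended`. The enclosing function starts before the hunk.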