Debian has issued this advisory today (April 16): http://lists.debian.org/debian-security-announce/2012/msg00083.html Cauldron is also vulnerable. This can be fixed by applying a patch or upgrading to 0.15.
CC: (none) => misc
CC: (none) => cazzaniga.sandro
Created attachment 2006
gajim-0.14.4-CVE-2012-2093_CVE-2012-2086_CVE-2012-2085.patch

I've rediffed the Debian patch against our version and attached it here.
Blocks: (none) => 5046
Blocks: 5046 => (none)
Patched package uploaded.

Advisory:
========================

Updated raptor package fixes security vulnerabilities:

Gajim is not properly sanitizing input before passing it to shell commands. An attacker can use this flaw to execute arbitrary code on behalf of the victim if the user e.g. clicks on a specially crafted URL in an instant message (CVE-2012-2085).

Gajim is using predictable temporary files in an insecure manner when converting instant messages containing LaTeX to images. A local attacker can use this flaw to conduct symlink attacks and overwrite files the victim has write access to (CVE-2012-2093).

Gajim is not properly sanitizing input when logging conversations which results in the possibility to conduct SQL injection attacks (CVE-2012-2086).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2093
http://www.debian.org/security/2012/dsa-2453
========================

Updated packages in core/updates_testing:
========================

gajim-0.14.4-1.1.mga1

from gajim-0.14.4-1.1.mga1.src.rpm
Assignee: bugsquad => qa-bugs
Oops. Fixing the advisory.

Advisory:
========================

Updated gajim package fixes security vulnerabilities:

Gajim is not properly sanitizing input before passing it to shell commands. An attacker can use this flaw to execute arbitrary code on behalf of the victim if the user e.g. clicks on a specially crafted URL in an instant message (CVE-2012-2085).

Gajim is using predictable temporary files in an insecure manner when converting instant messages containing LaTeX to images. A local attacker can use this flaw to conduct symlink attacks and overwrite files the victim has write access to (CVE-2012-2093).

Gajim is not properly sanitizing input when logging conversations which results in the possibility to conduct SQL injection attacks (CVE-2012-2086).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2093
http://www.debian.org/security/2012/dsa-2453
========================

Updated packages in core/updates_testing:
========================

gajim-0.14.4-1.1.mga1

from gajim-0.14.4-1.1.mga1.src.rpm
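The three bug classes the advisory names (shell command injection, predictable temporary files, SQL built by string formatting) each have a well-known hardened counterpart. The following is an added illustration written for this page, not Gajim's code and not the Debian patch: the function names, the `logs` table, the `latex_preview.png` file name and the echo-back stand-in for the user's URL handler are all placeholders chosen here so the example runs offline.

```python
"""Hardened counterparts to the three bug classes in the advisory above.

Constructed example, not Gajim's code: the function names, the 'logs' table
and the 'latex_preview.png' file name are placeholders for this illustration.
"""
import os
import sqlite3
import stat
import subprocess
import sys
import tempfile

# Stand-in for the user's URL handler so the example runs offline: a Python
# one-liner that prints back exactly the single argument it received.
ECHO_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


# --- CVE-2012-2085 class: untrusted text reaching a shell -------------------
def open_url_unsafe(url):
    """Interpolating the URL into a command string run by a shell lets ';',
    '|', '`' or '$(' inside it be parsed as shell syntax.  Contrast only."""
    return subprocess.run("xdg-open " + url, shell=True, check=False)


def open_url_safe(url):
    """Allow only http(s) and pass the URL as a single argv element: no shell
    is involved, so no character in it is interpreted."""
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError("refusing URL with unexpected scheme: %r" % url)
    out = subprocess.run(ECHO_ARGV + [url], capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")  # the handler saw the whole URL, unchanged


# --- CVE-2012-2093 class: predictable temporary files -----------------------
def write_preview_unsafe(directory, data):
    """A guessable name opened with plain 'wb' follows whatever symlink another
    local user planted there first, overwriting the link's target."""
    path = os.path.join(directory, "latex_preview.png")
    with open(path, "wb") as f:
        f.write(data)
    return path


def write_preview_safe(directory, data):
    """mkstemp chooses an unpredictable name and opens it with O_CREAT|O_EXCL
    and mode 0600, so an existing file or symlink can never be opened through."""
    fd, path = tempfile.mkstemp(prefix="latex_", suffix=".png", dir=directory)
    try:
        mode = stat.S_IMODE(os.fstat(fd).st_mode)
        os.write(fd, data)
    finally:
        os.close(fd)
    return path, mode


def symlink_demo():
    """In a private sandbox, plant a symlink at the predictable name and return
    (victim clobbered by unsafe writer, by safe writer, safe file's mode bits)."""
    with tempfile.TemporaryDirectory() as sandbox:
        victim = os.path.join(sandbox, "victim.txt")
        with open(victim, "wb") as f:
            f.write(b"original")
        os.symlink(victim, os.path.join(sandbox, "latex_preview.png"))
        write_preview_unsafe(sandbox, b"PNG")
        with open(victim, "rb") as f:
            unsafe_clobbered = f.read() != b"original"
        with open(victim, "wb") as f:
            f.write(b"original")
        _, mode = write_preview_safe(sandbox, b"PNG")
        with open(victim, "rb") as f:
            safe_clobbered = f.read() != b"original"
    return unsafe_clobbered, safe_clobbered, mode


# --- CVE-2012-2086 class: SQL assembled by string formatting ----------------
def new_log_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (jid TEXT, message TEXT)")
    return conn


def log_message_unsafe(conn, jid, message):
    """A quote in the message ends the literal early; the rest is parsed as
    SQL, which at best breaks logging and at worst executes it."""
    conn.execute("INSERT INTO logs (jid, message) VALUES ('%s', '%s')" % (jid, message))


def log_message_safe(conn, jid, message):
    """Bound parameters travel as data; the engine never parses them as SQL."""
    conn.execute("INSERT INTO logs (jid, message) VALUES (?, ?)", (jid, message))


def sql_demo(message):
    """Return (unsafe logger raised a SQL error, text the safe logger stored)."""
    conn = new_log_db()
    try:
        log_message_unsafe(conn, "alice@example.invalid", message)
        unsafe_error = False
    except sqlite3.OperationalError:
        unsafe_error = True
    log_message_safe(conn, "alice@example.invalid", message)
    return unsafe_error, conn.execute("SELECT message FROM logs ORDER BY rowid DESC").fetchone()[0]


if __name__ == "__main__":
    print(open_url_safe("http://example.invalid/?q=a;b c"))
    print(symlink_demo())
    print(sql_demo("it's broken"))
```

Running the module shows the URL containing `;` and a space arriving at the handler as one unchanged argument, the symlinked victim file overwritten only by the predictable-name writer, and a message containing an apostrophe breaking the string-formatted INSERT while the parameterized one stores it verbatim. The same three patterns (argv lists instead of `shell=True`, `tempfile.mkstemp` instead of fixed names, bound parameters instead of `%` formatting) are what reviewers should look for when auditing any client that hands user-controlled text to a shell, the filesystem or a database.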
Testing complete on i586 for the srpm gajim-0.14.4-1.1.mga1.src.rpm

Testing using the same room as was used when testing for bug 2956.
CC: (none) => davidwhodgins
Testing x86_64

I'm not very familiar with gajim but when I try to join a room I get a python traceback. It doesn't seem to actually join the chat room.

Traceback (most recent call last):
  File "/usr/share/gajim/src/dialogs.py", line 2373, in on_join_button_clicked
    gajim.interface.join_gc_room(self.account, room_jid, nickname, password)
  File "/usr/share/gajim/src/gui_interface.py", line 2745, in join_gc_room
    gajim.connections[account].join_gc(nick, room_jid, password)
  File "/usr/share/gajim/src/common/connection.py", line 2044, in join_gc
    is_room=True)
  File "/usr/share/gajim/src/common/logger.py", line 715, in get_last_date_that_has_logs
    jid_tuple)
UnboundLocalError: local variable 'jid_tuple' referenced before assignment
Thanks Claire. Debian did have a regression fix after this update: http://lists.debian.org/debian-security-announce/2012/msg00084.html

I looked at the patch and changed the one part of it that had changed, but there were no changes to the logger.py part of the patch. Hopefully this works. gajim-0.14.4-1.2.mga1 is built.
Ahh, nevermind. Looking at the Debian bug, they've reported the same issue you found, just three days ago. It hasn't been fixed yet. See last comment: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668038
I'll assign this back to you until there is a fix David.
CC: (none) => qa-bugs
Assignee: qa-bugs => luigiwalser
Version: 1 => Cauldron
Whiteboard: (none) => MGA2TOO, MGA1TOO
I'm sending gajim-0.15 in cauldron now (with an adapted patch).
Thanks Sandro. Debian thought it was already fixed in 0.15 and didn't still need a patch, but maybe they goofed on that too. If you're comfortable with the Cauldron build you submitted, could you build it for mga1 and mga2 updates?
Of course I can try! :)
Submitted in core/updates_testing, in 2! Now I push in 1!
OK, gajim-0.15 with adapted patch pushed in:
- cauldron, core/release
- 1, core/updates_testing
- 2, core/updates_testing

Now let the bugzilla team push it in core/updates when they want! :)
Thanks Sandro! Assigning back to QA now.

Advisory:
========================

Updated gajim package fixes security vulnerabilities:

Gajim is not properly sanitizing input before passing it to shell commands. An attacker can use this flaw to execute arbitrary code on behalf of the victim if the user e.g. clicks on a specially crafted URL in an instant message (CVE-2012-2085).

Gajim is using predictable temporary files in an insecure manner when converting instant messages containing LaTeX to images. A local attacker can use this flaw to conduct symlink attacks and overwrite files the victim has write access to (CVE-2012-2093).

Gajim is not properly sanitizing input when logging conversations which results in the possibility to conduct SQL injection attacks (CVE-2012-2086).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2093
http://www.debian.org/security/2012/dsa-2453
========================

Updated packages in core/updates_testing:
========================

gajim-0.15-1.mga1
gajim-0.15-1.mga2

from SRPMS:
gajim-0.15-1.mga1.src.rpm
gajim-0.15-1.mga2.src.rpm
CC: qa-bugs => luigiwalser
Version: Cauldron => 2
Assignee: luigiwalser => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
It seems that we need python-OpenSSL to have a secure connection (there is a warning at the login). Sandro/David, can you add a suggest or require?
CC: (none) => qa-bugs
Assignee: qa-bugs => cazzaniga.sandro
Done.
Thanks. Don't forget Mageia 1 and Mageia 2.
I'm ready to test MGA2 64bits as soon as you give us the new SRPMs :)
CC: (none) => stormi
Hardware: i586 => All
from urpmi --debug gajim

...
chosen gajim-0.15-1.mga2.i586 for gajim|gajim
selecting gajim-0.15-1.mga2.i586
requiring python-sqlite2 for gajim-0.15-1.mga2.i586
selecting python-sqlite2-2.5.5-3.mga1.i586
requested gnome-python-gtkspell suggested by gajim-0.15-1.mga2.i586
selecting gnome-python-gtkspell-2.25.3-38.mga2.i586
requiring gnome-python-extras[== 2.25.3-38.mga2] for gnome-python-gtkspell-2.25.3-38.mga2.i586
chosen gnome-python-extras-2.25.3-38.mga2.i586 for gnome-python-extras[== 2.25.3-38.mga2]
the more recent gnome-python-extras-2.25.3-38.1.mga2.i586 is installed, but does not provide gnome-python-extras[== 2.25.3-38.mga2] whereas gnome-python-extras-2.25.3-38.mga2.i586 does
selecting gnome-python-extras-2.25.3-38.mga2.i586
unselecting gnome-python-extras-2.25.3-38.mga2.i586
unselecting gnome-python-gtkspell-2.25.3-38.mga2.i586
The following package cannot be installed because it depends on packages that are older than the installed ones:
gnome-python-gtkspell-2.25.3-38.mga2
Please look at the bottom of this mail to see whether you're the assignee of this bug, if you don't already know whether you are.

If you're the assignee:

We'd like to know for sure whether this bug was assigned correctly. Please change status to ASSIGNED if it is, or put OK on the whiteboard instead.

If you don't have a clue and don't see a way to find out, then please put NEEDHELP on the whiteboard.

Please assign back to Bug Squad or to the correct person to solve this bug if we were wrong to assign it to you, and explain why.

Thanks :)

****************************

@ the reporter and persons in the cc of this bug:

If you have any new information that wasn't given before (like this bug being valid for another version of Mageia, too, or it being solved) please tell us.

@ the reporter of this bug

If you didn't reply yet to a request for more information, please do so within two weeks from now.

Thanks all :-D
Requires on python-OpenSSL added. Rebuilt for Mageia 1 and Mageia 2.

Advisory:
========================

Updated gajim package fixes security vulnerabilities:

Gajim is not properly sanitizing input before passing it to shell commands. An attacker can use this flaw to execute arbitrary code on behalf of the victim if the user e.g. clicks on a specially crafted URL in an instant message (CVE-2012-2085).

Gajim is using predictable temporary files in an insecure manner when converting instant messages containing LaTeX to images. A local attacker can use this flaw to conduct symlink attacks and overwrite files the victim has write access to (CVE-2012-2093).

Gajim is not properly sanitizing input when logging conversations which results in the possibility to conduct SQL injection attacks (CVE-2012-2086).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2093
http://www.debian.org/security/2012/dsa-2453
========================

Updated packages in core/updates_testing:
========================

gajim-0.15-1.1.mga1
gajim-0.15-1.1.mga2

from SRPMS:
gajim-0.15-1.1.mga1.src.rpm
gajim-0.15-1.1.mga2.src.rpm
Assignee: cazzaniga.sandro => qa-bugs
Ok for me on mga1; the updates will require a link to python-OpenSSL, I guess.
Whiteboard: MGA1TOO => MGA1TOO, mga1-64-OK,
Not sure what the problem was in comment 19, but it's installed ok now.

Testing complete on Mageia 2 i586.

Set up an account at internet-exception.de, connected, got the welcome message.

The depcheck script confirms:
The following packages will require linking:
python-OpenSSL-0.12-1.mga2 (Core Release (distrib1))
Testing complete on Mageia 2 i586.
Whiteboard: MGA1TOO, mga1-64-OK, => MGA1TOO, mga1-64-OK, MGA1-32-OK, MGA2-32-OK
Testing complete mga2 64

Validating

Please see comment 21 for advisory and SRPMs for mga1 & 2

This is affected by bug 2317, so adding a depends. python-OpenSSL-0.12-1.mga2 and python-OpenSSL-0.11-1.mga1 will need linking to updates.

Could sysadmin please push from core/updates_testing to core/updates and do the links. Thanks!
Depends on: (none) => 2317
Whiteboard: MGA1TOO, mga1-64-OK, MGA1-32-OK, MGA2-32-OK => MGA1TOO, mga1-64-OK, MGA1-32-OK, MGA2-32-OK mga2-64
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Packages linked and update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0161
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED