Bug 9593 - gajim new security issue CVE-2012-5524
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/545435/
Whiteboard: has_procedure mga2-32-ok mga2-64-OK
Keywords: validated_update
: 2317
Reported: 2013-04-02 20:59 CEST by David Walser
Modified: 2013-04-06 15:23 CEST
Source RPM: gajim-0.15.1-2.mga3.src.rpm

Description David Walser 2013-04-02 20:59:07 CEST
Fedora has issued an advisory on March 21:
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/101107.html

This is fixed upstream in 0.15.3.

Mageia 2 is also affected.

Comment 1 David Walser 2013-04-02 21:02:47 CEST
Freeze push requested for Cauldron.

Patch added to Mageia 2 SVN and Mageia 1 SVN.
Comment 2 David Walser 2013-04-02 22:27:46 CEST
Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 2.

Assigning to QA.

Note to QA: Reproducer here:
https://bugzilla.redhat.com/show_bug.cgi?id=875809

Advisory:
========================

Updated gajim package fixes security vulnerability:

A security flaw was found in the way Gajim before 0.15.3 performed verification
of invalid (broken / expired) x.509v3 SSL certificates (True as return value
was returned always regardless if error during certificate validation occurred
or not). A rogue XMPP server could use this flaw to conduct man-in-the-middle
attack (MiTM) and trick Gajim client to accept the certificate even when it was
invalid / should not be accepted (CVE-2012-5524).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5524
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/101107.html
========================

Updated packages in core/updates_testing:
========================
gajim-0.15-1.2.mga2

from gajim-0.15-1.2.mga2.src.rpm
Comment 3 claire robinson 2013-04-04 16:54:46 CEST
Reproducer needs an XMPP server with expired certificate and alterations to the source so just checking for regressions.

Testing complete mga2 32
Comment 4 claire robinson 2013-04-05 15:11:47 CEST
Having problems x86_64

I've tried with 2 different jabber servers comm.unicate.me and jabber.org but unable to connect.

Glib errors followed by a traceback and then pages of the same glib error when the mouse is moved onto the gajim window. It's difficult to catch the traceback before it's scrolled away. The traceback seems to recur when the connection fails.

Reinstalling the previous version allows it to connect again so some problem with the update. I'll check i586 again to see if I can reproduce the error there too.

(gajim:25140): GLib-GObject-CRITICAL **: g_object_set_qdata: assertion `G_IS_OBJECT (object)' failed
Traceback (most recent call last):
  File "/usr/share/gajim/src/common/xmpp/idlequeue.py", line 533, in _process_events
    return IdleQueue._process_events(self, fd, flags)
  File "/usr/share/gajim/src/common/xmpp/idlequeue.py", line 394, in _process_events
    obj.pollin()
  File "/usr/share/gajim/src/common/xmpp/transports_nb.py", line 414, in pollin
    self._do_receive()
  File "/usr/share/gajim/src/common/xmpp/transports_nb.py", line 600, in _do_receive
    self._on_receive(received)
  File "/usr/share/gajim/src/common/xmpp/transports_nb.py", line 614, in _on_receive
    self.on_receive(data)
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 308, in <lambda>
    self.onreceive(lambda _data:self._xmpp_connect_machine(mode, _data))
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 359, in _xmpp_connect_machine
    self._xmpp_connect_machine(mode='STREAM_STARTED')
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 362, in _xmpp_connect_machine
    self._on_stream_start()
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 398, in _on_stream_start
    self._on_connect()
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 435, in _on_connect
    self.on_connect(self, self.connected)
  File "/usr/share/gajim/src/common/connection.py", line 1265, in _connect_success
    return self.connection_accepted(con, con_type)
  File "/usr/share/gajim/src/common/connection.py", line 1296, in connection_accepted
    for er in errnum:
TypeError: 'int' object is not iterable

(gajim:25140): GLib-GObject-CRITICAL **: g_object_set_qdata: assertion `G_IS_OBJECT (object)' failed
Comment 5 claire robinson 2013-04-05 15:29:54 CEST
Reproduced i586 so I must have made a mistake previously

Traceback (most recent call last):
  File "/usr/share/gajim/src/common/xmpp/idlequeue.py", line 533, in _process_events
    return IdleQueue._process_events(self, fd, flags)
  File "/usr/share/gajim/src/common/xmpp/idlequeue.py", line 394, in _process_events
    obj.pollin()
  File "/usr/share/gajim/src/common/xmpp/transports_nb.py", line 414, in pollin
    self._do_receive()
  File "/usr/share/gajim/src/common/xmpp/transports_nb.py", line 600, in _do_receive
    self._on_receive(received)
  File "/usr/share/gajim/src/common/xmpp/transports_nb.py", line 614, in _on_receive
    self.on_receive(data)
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 308, in <lambda>
    self.onreceive(lambda _data:self._xmpp_connect_machine(mode, _data))
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 343, in _xmpp_connect_machine
    self._xmpp_connect_machine(mode='STREAM_STARTED')
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 362, in _xmpp_connect_machine
    self._on_stream_start()
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 398, in _on_stream_start
    self._on_connect()
  File "/usr/share/gajim/src/common/xmpp/client_nb.py", line 435, in _on_connect
    self.on_connect(self, self.connected)
  File "/usr/share/gajim/src/common/connection.py", line 1265, in _connect_success
    return self.connection_accepted(con, con_type)
  File "/usr/share/gajim/src/common/connection.py", line 1296, in connection_accepted
    for er in errnum:
TypeError: 'int' object is not iterable
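
Added example (not part of the bug thread and not Gajim's code): a model of the verify-callback contract the advisory describes, comparing a callback that always returns True with one that records errors and one that fails closed. The `simulate_handshake` driver, the dict used as connection state and the sample chains are constructed assumptions; `as_error_list` accepts both a single int code and a list, the shape mismatch that the `TypeError` in the tracebacks above reports.

```python
# Added illustration: a model of the verify-callback contract, not Gajim source.
# Real OpenSSL verify result codes (x509_vfy.h).
X509_V_OK = 0
X509_V_ERR_CERT_HAS_EXPIRED = 10

def always_true(conn, cert, errnum, depth, ok):
    """Flawed pattern from the advisory: the answer ignores ok and errnum."""
    return True

def recording(conn, cert, errnum, depth, ok):
    """Let the handshake finish but keep every failure for a later decision."""
    if not ok:
        conn.setdefault("ssl_errors", []).append(errnum)
    return True

def strict(conn, cert, errnum, depth, ok):
    """Fail closed: abort the handshake on the first reported problem."""
    return bool(ok)

def simulate_handshake(callback, chain):
    """Hypothetical stand-in for the TLS library: one callback call per
    (errnum, depth) result; a False return aborts the handshake."""
    conn = {}  # assumed per-connection state, a plain dict in this sketch
    for errnum, depth in chain:
        ok = 1 if errnum == X509_V_OK else 0
        if not callback(conn, None, errnum, depth, ok):
            return None
    return conn

def as_error_list(errnum):
    """Accept None, a single int code or an iterable of codes."""
    if errnum is None:
        return []
    if isinstance(errnum, int):
        errnum = [errnum]
    return [e for e in errnum if e != X509_V_OK]

def connection_accepted(conn):
    """Post-handshake policy: accept only a completed, error-free session."""
    return conn is not None and not as_error_list(conn.get("ssl_errors"))

def verdicts(chain):
    """Map each callback policy to whether the session ends up accepted."""
    policies = {"always_true": always_true, "recording": recording, "strict": strict}
    return {name: connection_accepted(simulate_handshake(cb, chain))
            for name, cb in policies.items()}

# Constructed sample results: valid issuer at depth 1, expired leaf at depth 0.
EXPIRED_LEAF = [(X509_V_OK, 1), (X509_V_ERR_CERT_HAS_EXPIRED, 0)]
VALID_CHAIN = [(X509_V_OK, 1), (X509_V_OK, 0)]
```

With the expired leaf, only the always-True policy ends in an accepted session; the other two reject it, one after the handshake and one during it.
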
Comment 6 David Walser 2013-04-05 15:58:59 CEST
Thanks Claire.

IIRC, the same thing happened the first time we tried to patch this for a Mageia 1 update, and we just had to update it to a newer version.  I've updated it to 0.15.3.

Advisory:
========================

Updated gajim package fixes security vulnerability:

A security flaw was found in the way Gajim before 0.15.3 performed verification
of invalid (broken / expired) x.509v3 SSL certificates (True as return value
was returned always regardless if error during certificate validation occurred
or not). A rogue XMPP server could use this flaw to conduct man-in-the-middle
attack (MiTM) and trick Gajim client to accept the certificate even when it was
invalid / should not be accepted (CVE-2012-5524).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5524
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/101107.html
========================

Updated packages in core/updates_testing:
========================
gajim-0.15.3-1.mga2

from gajim-0.15.3-1.mga2.src.rpm
Comment 7 claire robinson 2013-04-05 17:28:58 CEST
Testing complete mga2 32

I noticed a warning in coloured text fly past though as it started up and connected.

(W) gajim.c.check_X509 Import of PyOpenSSL or pyasn1 failed. Cannot correctly check SSL certificate

It seems to need pyasn1 (https://bugzilla.redhat.com/show_bug.cgi?id=826737)

In Help => Features it shows being not able to validate ssl certificates.

Installing pyasn1 and restarting gajim cleared the warning and shows validating certificates is now possible.

It connects and works fine, no regressions noticed.
Comment 8 David Walser 2013-04-05 17:50:28 CEST
OK, that Requires should really be added, so I added it.  Thanks again Claire.

pyasn1 will probably need linked because of the added requires.

Advisory:
========================

Updated gajim package fixes security vulnerability:

A security flaw was found in the way Gajim before 0.15.3 performed verification
of invalid (broken / expired) x.509v3 SSL certificates (True as return value
was returned always regardless if error during certificate validation occurred
or not). A rogue XMPP server could use this flaw to conduct man-in-the-middle
attack (MiTM) and trick Gajim client to accept the certificate even when it was
invalid / should not be accepted (CVE-2012-5524).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5524
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/101107.html
========================

Updated packages in core/updates_testing:
========================
gajim-0.15.3-1.1.mga2

from gajim-0.15.3-1.1.mga2.src.rpm
Comment 9 claire robinson 2013-04-05 19:39:58 CEST
Retested OK, confirmed the added require.

Adding bug 2317, links required:

Mageia release 2 (Official) for i586
Latest version found in "Core Release" is gajim-0.14.4-2.mga2
Latest version found in "Core Updates Testing" is gajim-0.15.3-1.1.mga2
----------------------------------------
The following packages will require linking:

pyasn1-0.0.13-1.mga2 (Core Release)
----------------------------------------
Comment 10 claire robinson 2013-04-06 10:40:31 CEST
Testing complete mga2 64

Validating

Could sysadmin please push from core/updates_testing to core/updates and link pyasn1 from Core release to updates for bug 2317.

Advisory & srpm in comment 8

Thanks!
Comment 11 Thomas Backlund 2013-04-06 15:23:03 CEST
Packages linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0111
