Debian Bug report logs - #668038
gajim code execution and sql injection


Package: gajim; Maintainer for gajim is Tanguy Ortolo <tanguy+debian@ortolo.eu>; Source for gajim is src:gajim.

Reported by: "Thijs Kinkhorst" <thijs@debian.org>

Date: Sun, 8 Apr 2012 13:51:02 UTC

Severity: grave

Tags: security

Fixed in versions gajim/0.15-1, gajim/0.13.4-3+squeeze2

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Yann Leboulanger <asterix@lagaule.org>:
Bug#668038; Package gajim. (Sun, 08 Apr 2012 13:51:04 GMT)

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Yann Leboulanger <asterix@lagaule.org>. (Sun, 08 Apr 2012 13:51:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: submit@bugs.debian.org
Subject: gajim code execution and sql injection
Date: Sun, 8 Apr 2012 15:48:33 +0200
Package: gajim
Severity: grave
Tags: security

Hi,

Two security issues were reported in gajim: one user assisted code
execution and one an SQL injection:

- https://trac.gajim.org/ticket/7031
- https://trac.gajim.org/ticket/7034

They are fixed in gajim 0.15-1, which is in unstable and I've asked the
release team to increase the urgency value so it reaches testing sooner.
Can you please verify if the version in squeeze is indeed affected by
these issues and if so, are you able to provide an updated package? If
not, please also let the security team know.


Cheers,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Yann Leboulanger <asterix@lagaule.org>:
Bug#668038; Package gajim. (Sun, 08 Apr 2012 16:45:05 GMT)

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Yann Leboulanger <asterix@lagaule.org>. (Sun, 08 Apr 2012 16:45:05 GMT)

Message #10 received at 668038@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 668038@bugs.debian.org
Subject: CVE names assigned
Date: Sun, 8 Apr 2012 18:41:56 +0200
Hi,

CVE-2012-2085 (code execution) and CVE-2012-2086 (sql injection) have been
assigned to this issue. Please mention them in any changelog entries.


cheers,
Thijs

Marked as fixed in versions gajim/0.15-1. Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Tue, 10 Apr 2012 06:21:02 GMT)

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Mon, 16 Apr 2012 21:09:04 GMT)

Notification sent to "Thijs Kinkhorst" <thijs@debian.org>:
Bug acknowledged by developer. (Mon, 16 Apr 2012 21:09:05 GMT)

Message #17 received at 668038-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 668038-close@bugs.debian.org
Subject: Bug#668038: fixed in gajim 0.13.4-3+squeeze2
Date: Mon, 16 Apr 2012 21:04:42 +0000
Source: gajim
Source-Version: 0.13.4-3+squeeze2

We believe that the bug you reported is fixed in the latest version of
gajim, which is due to be installed in the Debian FTP archive:

gajim_0.13.4-3+squeeze2.diff.gz
  to main/g/gajim/gajim_0.13.4-3+squeeze2.diff.gz
gajim_0.13.4-3+squeeze2.dsc
  to main/g/gajim/gajim_0.13.4-3+squeeze2.dsc
gajim_0.13.4-3+squeeze2_amd64.deb
  to main/g/gajim/gajim_0.13.4-3+squeeze2_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 668038@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated gajim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 15 Apr 2012 20:35:02 +0000
Source: gajim
Binary: gajim
Architecture: source amd64
Version: 0.13.4-3+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Yann Leboulanger <asterix@lagaule.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 gajim      - Jabber client written in PyGTK
Closes: 668038 668710
Changes: 
 gajim (0.13.4-3+squeeze2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update fixes the following security issues:
     - CVE-2012-2086: SQL injections via jids in logging code
     - CVE-2012-2085: assisted code execution via crafted messages due
       to insecurely processing input with popen.
     - CVE-2012-2093: insecure use of temporary files when converting LaTeX
       IM messages to png images.
     (Closes: #668710, #668038)

Information forwarded to debian-bugs-dist@lists.debian.org, Yann Leboulanger <asterix@lagaule.org>:
Bug#668038; Package gajim. (Wed, 02 May 2012 19:15:09 GMT)

Acknowledgement sent to Julian Taylor <jtaylor.debian@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Yann Leboulanger <asterix@lagaule.org>. (Wed, 02 May 2012 19:15:09 GMT)

Message #22 received at 668038@bugs.debian.org:

From: Julian Taylor <jtaylor.debian@googlemail.com>
To: 668038@bugs.debian.org
Cc: Nico Golde <nion@debian.org>
Subject: regression on triggers
Date: Wed, 02 May 2012 21:12:29 +0200
the patch for the code execution probably contains a regression
I can't judge how severe it is or provide a testcase:

/usr/share/gajim/src/notify.py:323
command = gajim.config.get_per('notifications', str(advanced_notif_num),
        'command')
try:
        helpers.exec_command(obj.command, use_shell=True)
except Exception:
        pass


obj.command does not exist in 0.13.4, only in 0.15
it should probably be:

helpers.exec_command(command, use_shell=True)


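Added example, not gajim's own code: a small model of the patched notify.py block from the report above. It shows why the obj.command AttributeError is swallowed by the bare "except Exception: pass" (so the configured command silently never runs), and what a helpers.exec_command that avoids the shell and reaps the child in a thread looks like. The names exec_command, _Event and run_notification are assumptions for this illustration.

```python
import shlex
import subprocess
import threading

def exec_command(command, use_shell=False):
    # Stand-in for helpers.exec_command (assumed name; not gajim's code).
    # With use_shell=False the configured string is split by shlex and the
    # argv list is started directly, so nothing taken from an incoming
    # message is ever parsed by /bin/sh. A helper thread blocks in p.wait()
    # so the child is reaped rather than left as a zombie; that is the role
    # of the gajim.thread_interface(p.wait) call discussed in this bug.
    if use_shell:
        p = subprocess.Popen(command, shell=True)
    else:
        p = subprocess.Popen(shlex.split(command))
    threading.Thread(target=p.wait, daemon=True).start()
    return p

class _Event(object):
    # Constructed stand-in for the event object of 0.13.4: it has no
    # 'command' attribute, unlike the one in 0.15.
    pass

def run_notification(obj, command, fixed=False):
    # Models the notify.py block quoted in the report. With fixed=False the
    # call uses obj.command, which raises AttributeError here; the broad
    # 'except Exception: pass' hides it and the command never runs. With
    # fixed=True the local 'command' read from gajim.config is used and only
    # a failed launch (OSError) is ignored, so real bugs stay visible.
    try:
        target = command if fixed else obj.command
        exec_command(target).wait()
        return "ran"
    except OSError:
        return "launch failed"
    except Exception:
        if fixed:
            raise
        return "silently ignored"
```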
Information forwarded to debian-bugs-dist@lists.debian.org, Yann Leboulanger <asterix@lagaule.org>:
Bug#668038; Package gajim. (Wed, 02 May 2012 21:03:22 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Yann Leboulanger <asterix@lagaule.org>. (Wed, 02 May 2012 21:03:22 GMT)

Message #27 received at 668038@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Julian Taylor <jtaylor.debian@googlemail.com>
Cc: 668038@bugs.debian.org
Subject: Re: regression on triggers
Date: Wed, 2 May 2012 23:01:35 +0200
Hi,
* Julian Taylor <jtaylor.debian@googlemail.com> [2012-05-02 21:17]:
> the patch for the code execution probably contains a regression
> I can't judge how severe it is or provide a testcase:
> 
> /usr/share/gajim/src/notify.py:323
> command = gajim.config.get_per('notifications', str(advanced_notif_num),
>         'command')
> try:
>         helpers.exec_command(obj.command, use_shell=True)
> except Exception:
>         pass
> 
> 
> obj.command does not exist in 0.13.4, only in 0.15
> it should probably be:
> 
> helpers.exec_command(command, use_shell=True)

Interesting. Thanks for the report! I will have to check that. When I tested 
the update the notifications in the form of popups telling me new messages 
worked.

Cheers
Nico

Information forwarded to debian-bugs-dist@lists.debian.org, Yann Leboulanger <asterix@lagaule.org>:
Bug#668038; Package gajim. (Thu, 10 May 2012 19:57:03 GMT)

Acknowledgement sent to Julian Taylor <jtaylor.debian@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Yann Leboulanger <asterix@lagaule.org>. (Thu, 10 May 2012 19:57:03 GMT)

Message #32 received at 668038@bugs.debian.org:

From: Julian Taylor <jtaylor.debian@googlemail.com>
To: Nico Golde <nion@debian.org>
Cc: 668038@bugs.debian.org
Subject: Re: more issues
Date: Thu, 10 May 2012 21:55:47 +0200
On 05/02/2012 11:01 PM, Nico Golde wrote:
> Hi,

> 
> Interesting. Thanks for the report! I will have to check that. When I tested 
> the update the notifications in the form of popups telling me new messages 
> worked.
> 
> Cheers
> Nico

Tyler Hicks found some more issues with the patches:

the patch for CVE-2012-2086 is missing a definition of jid_tuple in the
else branch of hunk 654 in src/common/logger.py

the patch for CVE-2012-2085 is missing a gajim.thread_interface(p.wait)
this may not have any effect as, as far as I know, python will not garbage
collect and kill the subprocess.


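Added example for the CVE-2012-2086 point above; this is not gajim's logger code. It looks up a jid_id in sqlite3 first with the JID spliced into the SQL text (the pattern behind the SQL injection) and then with the JID bound as a parameter tuple, the jid_tuple shape the patch discussion refers to. The table layout, the function names and the sample JID are constructed for this illustration.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the jids table of a logger database.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE jids (jid_id INTEGER PRIMARY KEY, jid TEXT UNIQUE)")
    return con

def vulnerable_jid_id(con, jid):
    # The JID becomes part of the statement text. A quote inside it ends the
    # literal early, so attacker-chosen text is parsed as SQL; here it simply
    # breaks the statement, which is how the flaw first shows up in logs.
    row = con.execute("SELECT jid_id FROM jids WHERE jid = '%s'" % jid).fetchone()
    return row[0] if row else None

def safe_jid_id(con, jid):
    # Parameterised form: the JID travels as a bound value in a one-element
    # tuple and is never interpreted as SQL. Inserts the row on first sight.
    jid_tuple = (jid,)
    row = con.execute("SELECT jid_id FROM jids WHERE jid = ?", jid_tuple).fetchone()
    if row is None:
        con.execute("INSERT INTO jids (jid) VALUES (?)", jid_tuple)
        row = con.execute("SELECT jid_id FROM jids WHERE jid = ?", jid_tuple).fetchone()
    return row[0]

def demo():
    con = make_db()
    # Constructed sample: a groupchat occupant JID whose resourcepart holds an
    # apostrophe (allowed there), enough to break string-spliced SQL.
    odd_jid = "room@conference.example.org/O'Brien"
    results = {}
    try:
        results["vulnerable"] = vulnerable_jid_id(con, odd_jid)
    except sqlite3.OperationalError as e:
        results["vulnerable"] = "error: %s" % e
    results["safe"] = safe_jid_id(con, odd_jid)
    results["safe_again"] = safe_jid_id(con, odd_jid)   # same row, no duplicate
    results["other"] = safe_jid_id(con, "bob@example.org")
    return results
```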
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 08 Jun 2012 07:39:35 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:13:23 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.