gajim code execution and sql injection
Bug #992618 reported by Julian Taylor
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| gajim (Debian) | Fix Released | Unknown | | |
| gajim (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Lucid | Fix Released | Medium | Unassigned | |
| Natty | Fix Released | Medium | Unassigned | |
| Oneiric | Fix Released | Medium | Unassigned | |
Bug Description
Imported from Debian bug http://
Package: gajim
Severity: grave
Tags: security
Hi,
Two security issues were reported in gajim: one user-assisted code
execution and one SQL injection:
- https:/
- https:/
They are fixed in gajim 0.15-1, which is in unstable and I've asked the
release team to increase the urgency value so it reaches testing sooner.
Can you please verify if the version in squeeze is indeed affected by
these issues and if so, are you able to provide an updated package? If
not, please also let the security team know.
Cheers,
Thijs
Related branches
lp:~jtaylor/ubuntu/lucid/gajim/multiple-CVE
- Ubuntu Development Team: Pending requested
- Diff: 376 lines (+347/-0), 5 files modified
  - debian/changelog (+19/-0)
  - debian/patches/00list (+3/-0)
  - debian/patches/CVE-2012-2085.dpatch (+54/-0)
  - debian/patches/CVE-2012-2086.dpatch (+157/-0)
  - debian/patches/CVE-2012-2093.dpatch (+114/-0)
lp:~jtaylor/ubuntu/natty/gajim/multiple-CVE
- Ubuntu branches: Pending requested
- Diff: 366 lines (+344/-0), 4 files modified
  - debian/changelog (+19/-0)
  - debian/patches/CVE-2012-2085.patch (+54/-0)
  - debian/patches/CVE-2012-2086.patch (+157/-0)
  - debian/patches/CVE-2012-2093.patch (+114/-0)
lp:~jtaylor/ubuntu/oneiric/gajim/multiple-CVE
- Ubuntu branches: Pending requested
- Diff: 373 lines (+343/-0), 5 files modified
  - debian/changelog (+19/-0)
  - debian/patches/CVE-2012-2085.patch (+47/-0)
  - debian/patches/CVE-2012-2086.patch (+167/-0)
  - debian/patches/CVE-2012-2093.patch (+107/-0)
  - debian/patches/series (+3/-0)
Changed in gajim (Ubuntu):
status: New → Fix Released
Changed in gajim (Debian):
importance: Undecided → Unknown
status: New → Fix Released
Hi Julian - Thanks for the debdiffs! I've reviewed them and have compiled some feedback...
Debdiff review:
* New package versions are wrong. For example, the Oneiric version should be
'0.14.1-1ubuntu2'. Please see the version examples at:
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging
* Being picky, if I reference the patch origin's URL in the patch tags, I
typically don't reference the URL in the changelog, too. This matches the
changelog template at the link above.
* As an FYI, when we receive a merge request for security sponsoring, we
generate a debdiff using the latest source package (possibly from the
-security or -updates pockets) and proceed to use the debdiff from there. So,
we generally prefer to get debdiffs from the start, but that isn't
documented. I wanted to mention it in case it is easier on you to provide a
debdiff.
Patch backport review:
* The backported CVE-2012-2085.patch in all three releases is missing the
gajim.thread_interface(p.wait) call in the else block of exec_command()
* The natty and lucid debdiffs seem to have a missing "jid_tuple = (jid_id,)"
in the else block of CVE-2012-2086.patch in chunk @ 654.
Additionally, please comment on the level of testing you've done with these patches applied. Thanks!