
gajim: CVE-2012-2093 insecure temporary file creation in LaTeX support

Reported by Julian Taylor on 2012-05-01
This bug affects 1 person
Affects:
gajim (Debian): status Fix Released, importance Unknown
gajim (Ubuntu): importance Undecided, Unassigned
Lucid: importance Medium, assigned to Julian Taylor
Natty: importance Low, assigned to Julian Taylor
Oneiric: importance Low, assigned to Julian Taylor

Bug Description

Imported from Debian bug http://bugs.debian.org/668710:

Package: gajim
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gajim.

CVE-2012-2093[0]:
It was discovered that gajim is insecurely creating predictable file names
when converting LaTeX to png images. An attacker can exploit this flaw to
overwrite files of the user with a symlink attack.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2093
    http://security-tracker.debian.org/tracker/CVE-2012-2093

--
Nico Golde - http://www.ngolde.de - <email address hidden> - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
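
The flaw class described in the report, shown next to its hardened form. This is an added example, not gajim's code or the patch referenced on this page; the function names and the file name `gajim_tex.png` are hypothetical, and everything runs inside a private sandbox directory.

```python
import os
import shutil
import tempfile

def render_unsafe(workdir, name, data):
    """Pre-fix pattern: predictable name, plain open() follows symlinks."""
    path = os.path.join(workdir, name + ".png")
    with open(path, "wb") as fh:      # truncates whatever the path resolves to
        fh.write(data)
    return path

def render_safe(workdir, data):
    """Hardened pattern: mkstemp picks a random name and opens it with
    O_CREAT|O_EXCL, so an existing file or symlink is never reused."""
    fd, path = tempfile.mkstemp(suffix=".png", prefix="latex_", dir=workdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demo():
    """Run both patterns against a pre-planted symlink (constructed scenario)."""
    sandbox = tempfile.mkdtemp(prefix="tmpfile_demo_")   # private, mode 0700
    try:
        victim = os.path.join(sandbox, "user_file.txt")
        with open(victim, "wb") as fh:
            fh.write(b"important user data")
        # The predictable output name already exists as a symlink to
        # another file owned by the same user.
        os.symlink(victim, os.path.join(sandbox, "gajim_tex.png"))

        render_unsafe(sandbox, "gajim_tex", b"PNG-BYTES")
        with open(victim, "rb") as fh:
            clobbered = fh.read() == b"PNG-BYTES"

        with open(victim, "wb") as fh:   # restore, then try the safe variant
            fh.write(b"important user data")
        safe_path = render_safe(sandbox, b"PNG-BYTES")
        with open(victim, "rb") as fh:
            intact = fh.read() == b"important user data"
        mode = os.stat(safe_path).st_mode & 0o777
        return clobbered, intact, os.path.islink(safe_path), mode
    finally:
        shutil.rmtree(sandbox)

if __name__ == "__main__":
    print(demo())
```

A converter that produces several intermediate files is usually better served by one `tempfile.mkdtemp()` directory, which is created with mode 0700 and removed after use.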

Julian Taylor (jtaylor) wrote :

Not worth an upload for precise as it is mitigated by Yama link restrictions; the other releases (especially lucid w/o Yama) need uploads for more severe issues anyway, so they get it.

Changed in gajim (Ubuntu):
status: New → Won't Fix
Changed in gajim (Debian):
importance: Undecided → Unknown
status: New → Fix Released
Tyler Hicks (tyhicks) on 2012-05-09
Changed in gajim (Ubuntu Lucid):
status: New → Incomplete
Changed in gajim (Ubuntu Oneiric):
status: New → Incomplete
Changed in gajim (Ubuntu Natty):
status: New → Incomplete
tags: added: patch-needswork
Changed in gajim (Ubuntu Lucid):
importance: Undecided → Low
Changed in gajim (Ubuntu Natty):
importance: Undecided → Low
Changed in gajim (Ubuntu Oneiric):
importance: Undecided → Low
Changed in gajim (Ubuntu Lucid):
importance: Low → Medium
assignee: nobody → Julian Taylor (jtaylor)
Changed in gajim (Ubuntu Natty):
assignee: nobody → Julian Taylor (jtaylor)
Changed in gajim (Ubuntu Oneiric):
assignee: nobody → Julian Taylor (jtaylor)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gajim - 0.14.1-1ubuntu1.1

---------------
gajim (0.14.1-1ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: assisted code execution (LP: #992618)
    - debian/patches/CVE-2012-2085.patch: fix subprocess call to prevent
      shell escape via crafted messages
      https://trac.gajim.org/changeset/bc296e96ac10
    - CVE-2012-2085
  * SECURITY UPDATE: sql injection in logging code (LP: #992618)
    - debian/patches/CVE-2012-2086.patch: use a prepared statement
      https://trac.gajim.org/changeset/bfd5f94489d8
    - CVE-2012-2086
  * SECURITY UPDATE: insecure tmpfile creation (LP: #992613)
    - debian/patches/CVE-2012-2093.patch: use safe tmpfile functions
      when converting LaTeX IM messages to png images
      Thanks to Nico Golde
    - CVE-2012-2093
 -- Julian Taylor <email address hidden> Thu, 10 May 2012 17:48:34 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gajim - 0.13.4-3ubuntu2.1

---------------
gajim (0.13.4-3ubuntu2.1) natty-security; urgency=low

  * SECURITY UPDATE: assisted code execution (LP: #992618)
    - debian/patches/CVE-2012-2085.patch: fix subprocess call to prevent
      shell escape via crafted messages
      https://trac.gajim.org/changeset/bc296e96ac10
    - CVE-2012-2085
  * SECURITY UPDATE: sql injection in logging code (LP: #992618)
    - debian/patches/CVE-2012-2086.patch: use a prepared statement
      https://trac.gajim.org/changeset/bfd5f94489d8
    - CVE-2012-2086
  * SECURITY UPDATE: insecure tmpfile creation (LP: #992613)
    - debian/patches/CVE-2012-2093.patch: use safe tmpfile functions
      when converting LaTeX IM messages to png images
      Thanks to Nico Golde
    - CVE-2012-2093
 -- Julian Taylor <email address hidden> Thu, 10 May 2012 17:48:45 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gajim - 0.13-0ubuntu2.1

---------------
gajim (0.13-0ubuntu2.1) lucid-security; urgency=low

  * SECURITY UPDATE: assisted code execution (LP: #992618)
    - debian/patches/CVE-2012-2085.dpatch: fix subprocess call to prevent
      shell escape via crafted messages
      https://trac.gajim.org/changeset/bc296e96ac10
    - CVE-2012-2085
  * SECURITY UPDATE: sql injection in logging code (LP: #992618)
    - debian/patches/CVE-2012-2086.dpatch: use a prepared statement
      https://trac.gajim.org/changeset/bfd5f94489d8
    - CVE-2012-2086
  * SECURITY UPDATE: insecure tmpfile creation (LP: #992613)
    - debian/patches/CVE-2012-2093.dpatch: use safe tmpfile functions
      when converting LaTeX IM messages to png images
      Thanks to Nico Golde
    - CVE-2012-2093
 -- Julian Taylor <email address hidden> Thu, 10 May 2012 17:48:53 -0700

Changed in gajim (Ubuntu Lucid):
status: Incomplete → Fix Released
Changed in gajim (Ubuntu Natty):
status: Incomplete → Fix Released
Changed in gajim (Ubuntu Oneiric):
status: Incomplete → Fix Released