Bug 411269 (CVE-2012-2085) - <net-im/gajim-0.15-r1 : Remote code execution and possible sql injection (CVE-2012-{2085,2086})
Summary: <net-im/gajim-0.15-r1 : Remote code execution and possible sql injection (CVE...
Status: RESOLVED FIXED
Alias: CVE-2012-2085
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on: CVE-2012-2093
Reported: 2012-04-08 12:40 UTC by Agostino Sarubbo
Modified: 2012-09-08 15:38 UTC (History)
CC: 3 users
Description Agostino Sarubbo gentoo-dev 2012-04-08 12:40:38 UTC
From oss-security mailing list:

Hi. A few months ago the following bugs were reported in gajim and do
not yet have CVE-ID allocation:
1. https://trac.gajim.org/ticket/7031, 'Assisted' code
execution (if the user clicks a link)
2. https://trac.gajim.org/ticket/7034, SQL injection via jids

Note: these two issues are fixed in the latest gajim release[0][1].

[0] http://gajim.org/ - "Gajim 0.15 is here! (18 March 2012)"
[1] https://trac.gajim.org/query?status=closed&milestone=0.15
Comment 1 Agostino Sarubbo gentoo-dev 2012-04-08 12:41:17 UTC
@maintainer:

is it ready to go to stable?
Comment 2 Agostino Sarubbo gentoo-dev 2012-04-16 14:09:19 UTC
@jlec:

I'd say to do it in bug 412215
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2012-04-23 20:20:56 UTC
0.15 can go stable no problems here.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-10 21:37:11 UTC
Thanks, everyone.

Creating new GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-08-14 21:01:05 UTC
This issue was resolved and addressed in
 GLSA 201208-04 at http://security.gentoo.org/glsa/glsa-201208-04.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-09-08 15:38:03 UTC
CVE-2012-2085 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2085):
  The exec_command function in common/helpers.py in Gajim before 0.15 allows
  user-assisted remote attackers to execute arbitrary commands via shell
  metacharacters in an href attribute.
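The NVD text above describes the classic "URL spliced into a shell command" defect. The following is an added illustration, not Gajim's own code: it puts the vulnerable pattern (a command string later run through a shell) beside the hardened form (an argv list run with no shell, behind an assumed http/https scheme allowlist), with the function names, the sample href and the allowlist all being this example's assumptions.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

# Characters a POSIX shell would act on inside an interpolated command string.
SHELL_METACHARS = set(";|&$`<>()\n'\"\\")
# Assumed allowlist for this example; the page does not describe Gajim's policy.
ALLOWED_SCHEMES = {"http", "https"}


def contains_shell_metachars(href):
    """True when href carries characters a shell would interpret."""
    return any(ch in SHELL_METACHARS for ch in href)


def build_command_unsafe(browser, href):
    """The pattern behind CVE-2012-2085: href is spliced into one string
    that is later handed to a shell, so metacharacters alter the command."""
    return "%s %s" % (browser, href)


def words_as_shell_sees(command):
    """Approximate the shell's word splitting of a command string."""
    return shlex.split(command)


def build_command_safe(browser, href):
    """Hardened form: validate the URL, then return an argv list that is run
    without a shell, so the whole href is always exactly one argument."""
    parts = urlsplit(href)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("refusing to open non-web URL: %r" % href)
    return [browser, href]


def open_link(browser, href, run=subprocess.run):
    """Launch the browser with shell=False; `run` is injectable for tests."""
    argv = build_command_safe(browser, href)
    return run(argv, shell=False, check=False)


if __name__ == "__main__":
    # Constructed sample: a link target that also carries a harmless shell payload.
    sample = "http://example.invalid/; echo injected"
    print(words_as_shell_sees(build_command_unsafe("xdg-open", sample)))
    print(build_command_safe("xdg-open", sample))
```

With the unsafe string the shell sees four words and runs a second command; with the argv list the same href reaches the browser as a single argument.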