Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 412215 (CVE-2012-2093) - <net-im/gajim-0.15-r1 : Insecure Temporary File Creation (CVE-2012-2093)
Summary: <net-im/gajim-0.15-r1 : Insecure Temporary File Creation (CVE-2012-2093)
Status: RESOLVED FIXED
Alias: CVE-2012-2093
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/48695/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks: CVE-2012-2085
  Show dependency tree
 
Reported: 2012-04-16 14:06 UTC by Agostino Sarubbo
Modified: 2012-08-14 21:01 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-04-16 14:06:47 UTC
From secunia security advisory at $URL:


Description
A security issue has been reported in Gajim, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the "get_tmpfile_name()" function (src/common/latex.py) creating temporary files in an insecure manner, which can be exploited to e.g. overwrite arbitrary files via symlink attacks.

The security issue is reported in version 0.15. Other versions may also be affected.


Solution
Fixed in the Mercurial repository.

Provided and/or discovered by
Nico Golde

Original Advisory
Gajim:
https://trac.gajim.org/changeset/13759/src/common/latex.py
Comment 1 Justin Lecher gentoo-dev 2012-04-23 20:19:24 UTC
version 0.15 is fixed by backporting the upstream fix


+  23 Apr 2012; Justin Lecher <jlec@gentoo.org> -gajim-0.15.ebuild,
+  gajim-0.15-r1.ebuild, +files/gajim-0.15-SA48695.patch:
+  Add backport fix for https://secunia.com/advisories/48695/, #412215
+
Comment 2 Agostino Sarubbo gentoo-dev 2012-04-25 07:46:24 UTC
Please mark stable:
=net-im/gajim-0.15-r1
target KEYWORDS : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-04-25 19:30:12 UTC
amd64 / x86 stable
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2012-05-05 17:30:43 UTC
alpha/ia64/sparc stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2012-05-10 19:30:18 UTC
ppc64 done
Comment 6 Alexander Tsoy 2012-05-14 09:08:52 UTC
This patch breaks some things. There is a newer related changeset in the tree:
https://trac.gajim.org/changeset/13766/src/common/latex.py

With current patch I get this trace when trying to open "Help->Features":

Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/gajim/roster_window.py", line 3851, in on_features_menuitem_activate
    features_window.FeaturesWindow()
  File "/usr/lib64/python2.7/site-packages/gajim/features_window.py", line 140, in __init__
    rep = func()
  File "/usr/lib64/python2.7/site-packages/gajim/features_window.py", line 249, in latex_available
    return latex.check_for_latex_support()
  File "/usr/lib64/python2.7/site-packages/gajim/common/latex.py", line 104, in check_for_latex_support
    filename = latex_to_image("test")
  File "/usr/lib64/python2.7/site-packages/gajim/common/latex.py", line 145, in latex_to_image
    tmpfile = get_tmpfile_name()
  File "/usr/lib64/python2.7/site-packages/gajim/common/latex.py", line 62, in get_tmpfile_name
    while(nb < 100):
NameError: global name 'nb' is not defined
Comment 7 Agostino Sarubbo gentoo-dev 2012-05-14 09:15:02 UTC
(In reply to comment #6)
> This patch breaks some things. There is a newer related changeset in the
> tree:
> https://trac.gajim.org/changeset/13766/src/common/latex.py
> NameError: global name 'nb' is not defined

It's fine here, please open separate bug anyway.
Comment 8 Alexander Tsoy 2012-05-14 09:37:31 UTC
> It's fine here, please open separate bug anyway.

Ok. Done.
bug 415891
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-05-20 23:34:28 UTC
CVE-2012-2093 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2093):
  src/common/latex.py in Gajim 0.15 allows local users to overwrite arbitrary
  files via a symlink attack on a temporary latex file, related to the
  get_tmpfile_name function.
Comment 10 Jeroen Roovers gentoo-dev 2012-06-18 23:24:28 UTC
Stable HPPA keywords dropped.
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-06-19 09:09:42 UTC
ppc stable, last arch done
Comment 12 Agostino Sarubbo gentoo-dev 2012-06-19 09:12:13 UTC
@Security: go ahead with vote.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2012-06-19 11:45:25 UTC
Thanks, folks. GLSA Vote: no.
Comment 14 Sean Amoss gentoo-dev Security 2012-07-10 21:41:32 UTC
Adding to GLSA request with bug 411269.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-08-14 21:01:07 UTC
This issue was resolved and addressed in
 GLSA 201208-04 at http://security.gentoo.org/glsa/glsa-201208-04.xml
by GLSA coordinator Sean Amoss (ackle).