Bug 411269 (CVE-2012-2085) - <net-im/gajim-0.15-r1 : Remote code execution and possible sql injection (CVE-2012-{2085,2086})
Alias: CVE-2012-2085
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on: CVE-2012-2093
Reported: 2012-04-08 12:40 UTC by Agostino Sarubbo
Modified: 2012-09-08 15:38 UTC
Description Agostino Sarubbo gentoo-dev 2012-04-08 12:40:38 UTC
From oss-security mailing list:

Hi. A few months ago the following bugs were reported in gajim and do
not yet have CVE-ID allocation:
1. 'Assisted' code execution (if the user clicks a link)
2. SQL injection via jids

Note: these two issues are fixed in the latest gajim release[0][1].

[0] - "Gajim 0.15 is here! (18 March 2012)"
Comment 1 Agostino Sarubbo gentoo-dev 2012-04-08 12:41:17 UTC
Is it ready to go to stable?
Comment 2 Agostino Sarubbo gentoo-dev 2012-04-16 14:09:19 UTC

I'd say to do it in bug 412215
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2012-04-23 20:20:56 UTC
0.15 can go stable no problems here.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-10 21:37:11 UTC
Thanks, everyone.

Creating new GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-08-14 21:01:05 UTC
This issue was resolved and addressed in
 GLSA 201208-04 at
by GLSA coordinator Sean Amoss (ackle).
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-09-08 15:38:03 UTC
CVE-2012-2085 (
  The exec_command function in common/ in Gajim before 0.15 allows
  user-assisted remote attackers to execute arbitrary commands via shell
  metacharacters in an href attribute.
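The bug class named in the CVE-2012-2085 text above, as an added example that is not Gajim's code and not part of this bug report: it shows how a POSIX shell would split a command string built from a clicked href, next to an argument-vector launch where the same characters stay inside one argument. The opener name `xdg-open`, the scheme allow-list and the sample href are assumptions constructed for the illustration.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

# Assumption: schemes a chat client would hand to an external opener.
ALLOWED_SCHEMES = {"http", "https", "mailto", "xmpp"}


def shell_words(opener, href):
    """Tokens a POSIX shell would see if href were pasted into a command string.

    Nothing is executed; shlex only models how the shell splits the line.
    """
    lexer = shlex.shlex(f"{opener} {href}", posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def safe_argv(opener, href):
    """Validate href and return an argv list for a launch without a shell."""
    scheme = urlsplit(href).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in href):
        raise ValueError("whitespace or control character in href")
    # The scheme check also guarantees href cannot start with '-',
    # so it cannot be mistaken for an option by the opener.
    return [opener, href]


def open_href(href, opener="xdg-open"):
    """Launch the opener with href as a single argument (shell=False)."""
    return subprocess.Popen(safe_argv(opener, href), shell=False)


if __name__ == "__main__":
    sample = "http://example.test/a;echo+marker"  # constructed sample href
    print("shell would see:", shell_words("xdg-open", sample))
    print("argv launch    :", safe_argv("xdg-open", sample))
```

In the first output the `;` appears as its own token, which a shell treats as a command separator; in the second the whole href is one element of the argument list.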