From secunia security advisory at $URL:
Description
A security issue has been reported in Gajim, which can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issue is caused due to the "get_tmpfile_name()" function (src/common/latex.py) creating temporary files in an insecure manner, which can be exploited to e.g. overwrite arbitrary files via symlink attacks. The security issue is reported in version 0.15. Other versions may also be affected.
Solution
Fixed in the Mercurial repository.
Provided and/or discovered by
Nico Golde
Original Advisory
Gajim: https://trac.gajim.org/changeset/13759/src/common/latex.py
version 0.15 is fixed by backporting the upstream fix + 23 Apr 2012; Justin Lecher <jlec@gentoo.org> -gajim-0.15.ebuild, + gajim-0.15-r1.ebuild, +files/gajim-0.15-SA48695.patch: + Add backport fix for https://secunia.com/advisories/48695/, #412215 +
Please mark stable: =net-im/gajim-0.15-r1 target KEYWORDS : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
amd64 / x86 stable
alpha/ia64/sparc stable
ppc64 done
This patch breaks some things. There is a newer related changeset in the tree:
https://trac.gajim.org/changeset/13766/src/common/latex.py
With current patch I get this trace when trying to open "Help->Features":
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/gajim/roster_window.py", line 3851, in on_features_menuitem_activate
    features_window.FeaturesWindow()
  File "/usr/lib64/python2.7/site-packages/gajim/features_window.py", line 140, in __init__
    rep = func()
  File "/usr/lib64/python2.7/site-packages/gajim/features_window.py", line 249, in latex_available
    return latex.check_for_latex_support()
  File "/usr/lib64/python2.7/site-packages/gajim/common/latex.py", line 104, in check_for_latex_support
    filename = latex_to_image("test")
  File "/usr/lib64/python2.7/site-packages/gajim/common/latex.py", line 145, in latex_to_image
    tmpfile = get_tmpfile_name()
  File "/usr/lib64/python2.7/site-packages/gajim/common/latex.py", line 62, in get_tmpfile_name
    while(nb < 100):
NameError: global name 'nb' is not defined
(In reply to comment #6)
> This patch breaks some things. There is a newer related changeset in the
> tree:
> https://trac.gajim.org/changeset/13766/src/common/latex.py
> NameError: global name 'nb' is not defined
It's fine here, please open separate bug anyway.
> It's fine here, please open separate bug anyway.
Ok. Done. bug 415891
CVE-2012-2093 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2093): src/common/latex.py in Gajim 0.15 allows local users to overwrite arbitrary files via a symlink attack on a temporary latex file, related to the get_tmpfile_name function.
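The class of weakness described in the advisory and the CVE entry, shown as an added example that is not Gajim's code or the upstream changeset: a plain open() on a guessable temporary name follows a pre-planted symlink, while exclusive creation or a private mkdtemp() directory does not. All file names and function names below are constructed for illustration, and the "shared" directory is a throwaway sandbox standing in for /tmp.

```python
import os
import tempfile

def insecure_write(path, data):
    # Weak pattern: plain open() on a guessable name follows a symlink
    # that another local user planted there first.
    with open(path, "w") as fh:
        fh.write(data)

def exclusive_write(path, data):
    # Hardened: O_CREAT|O_EXCL refuses any existing entry, symlinks included.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def private_tmpfile(suffix=".tex"):
    # Preferred: a fresh directory from mkdtemp() is mode 0700 and has an
    # unpredictable name, so nobody else can pre-create entries inside it.
    workdir = tempfile.mkdtemp(prefix="latex-")
    return os.path.join(workdir, "render" + suffix)

def demo():
    shared = tempfile.mkdtemp()                      # stands in for /tmp
    victim = os.path.join(shared, "victim.conf")     # constructed target file
    guessable = os.path.join(shared, "latex_tmp_0")  # constructed predictable name
    with open(victim, "w") as fh:
        fh.write("original")
    os.symlink(victim, guessable)                    # link already in place
    insecure_write(guessable, "\\documentclass{article}")
    with open(victim) as fh:
        clobbered = fh.read() != "original"

    with open(victim, "w") as fh:                    # restore, then retry hardened
        fh.write("original")
    try:
        exclusive_write(guessable, "\\documentclass{article}")
        refused = False
    except OSError:
        refused = True
    with open(victim) as fh:
        intact = fh.read() == "original"
    safe = private_tmpfile()
    exclusive_write(safe, "\\documentclass{article}")
    dir_mode = os.stat(os.path.dirname(safe)).st_mode & 0o777
    return clobbered, refused, intact, dir_mode

if __name__ == "__main__":
    print(demo())
```

The same check is useful in review: any temporary path built from a fixed prefix plus a counter or PID, then opened without O_EXCL, is a candidate for this bug class.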
Stable HPPA keywords dropped.
ppc stable, last arch done
@Security: go ahead with vote.
Thanks, folks. GLSA Vote: no.
Adding to GLSA request with bug 411269.
This issue was resolved and addressed in GLSA 201208-04 at http://security.gentoo.org/glsa/glsa-201208-04.xml by GLSA coordinator Sean Amoss (ackle).