[gajim/el5] Two security fixes from 0.15 (seen in DSA-2453-1)
Michal Schmidt
michich at fedoraproject.org
Wed Jun 20 13:29:26 UTC 2012
commit b509e2518b0080aaec8e06fda1e4b0c448ab93a8
Author: Michal Schmidt <mschmidt at redhat.com>
Date: Thu Apr 19 09:44:01 2012 +0200
Two security fixes from 0.15 (seen in DSA-2453-1)
- CVE-2012-2085
- CVE-2012-2086
- disabled latex plugin to avoid CVE-2012-2093
gajim-CVE-2012-2085.patch | 55 ++++++++++++++
gajim-CVE-2012-2086.patch | 154 ++++++++++++++++++++++++++++++++++++++
gajim-disable-latex-plugin.patch | 14 ++++
gajim.spec | 17 ++++-
4 files changed, 239 insertions(+), 1 deletions(-)
---
diff --git a/gajim-CVE-2012-2085.patch b/gajim-CVE-2012-2085.patch
new file mode 100644
index 0000000..8f18215
--- /dev/null
+++ b/gajim-CVE-2012-2085.patch
@@ -0,0 +1,55 @@
+# HG changeset patch
+# User Yann Leboulanger <asterix at lagaule.org>
+# Date 1320788467 -3600
+# Branch gajim_0.15
+# Node ID d19b82b8763b98bd0a88c3e59fc451e3fb4f989c
+# Parent 988e38ce0e0c6a28be3648b1a2a7443e06fd756d
+execute commands without use_shell=True to prevent remote code execution, except for commands configured in triggers plugin (configured by user itself). Fixes #7031
+
+[ fixed a reject with quilt -- michich ]
+
+Index: gajim-0.12.5/src/common/helpers.py
+===================================================================
+--- gajim-0.12.5.orig/src/common/helpers.py
++++ gajim-0.12.5/src/common/helpers.py
+@@ -38,6 +38,7 @@ import errno
+ import select
+ import sha
+ import base64
++import shlex
+ import sys
+ from encodings.punycode import punycode_encode
+
+@@ -369,8 +370,17 @@ def is_in_path(name_of_command, return_a
+ else:
+ return is_in_dir
+
+-def exec_command(command):
+- subprocess.Popen(command, shell = True)
++def exec_command(command, use_shell=False):
++ """
++ execute a command. if use_shell is True, we run the command as is it was
++ typed in a console. So it may be dangerous if you are not sure about what
++ is executed.
++ """
++ if use_shell:
++ subprocess.Popen(command, shell=True)
++ else:
++ args = shlex.split(command.encode('utf-8'))
++ p = subprocess.Popen(args)
+
+ def build_command(executable, parameter):
+ # we add to the parameter (can hold path with spaces)
+Index: gajim-0.12.5/src/notify.py
+===================================================================
+--- gajim-0.12.5.orig/src/notify.py
++++ gajim-0.12.5/src/notify.py
+@@ -311,7 +311,7 @@ def notify(event, jid, account, paramete
+ command = gajim.config.get_per('notifications', str(advanced_notif_num),
+ 'command')
+ try:
+- helpers.exec_command(command)
++ helpers.exec_command(command, use_shell=True)
+ except Exception:
+ pass
+
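Review bot: In the new non-shell branch of `exec_command`, an empty or whitespace-only `command` makes `shlex.split` return `[]`, and `subprocess.Popen([])` then raises inside the function, whereas the old `shell=True` call would simply have spawned a shell that does nothing; the `notify.py` caller in the second nested hunk is wrapped in `try/except`, but any other caller that is not (none visible here) would now see an exception it did not before. A guard such as `if not args: return` after the `shlex.split` line keeps the old best-effort behaviour, and the unused `p = ` binding can be dropped so both branches discard the Popen object the same way. The docstring should also state that the default path applies POSIX shell quoting rules via `shlex` but performs no expansion, redirection or pipelines, since that is the behavioural difference callers must understand when choosing `use_shell`. The surrounding `is_in_path` and `build_command` definitions start and end outside this hunk.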
diff --git a/gajim-CVE-2012-2086.patch b/gajim-CVE-2012-2086.patch
new file mode 100644
index 0000000..c3e47da
--- /dev/null
+++ b/gajim-CVE-2012-2086.patch
@@ -0,0 +1,154 @@
+# HG changeset patch
+# User Yann Leboulanger <asterix at lagaule.org>
+# Date 1320786052 -3600
+# Branch gajim_0.15
+# Node ID 988e38ce0e0c6a28be3648b1a2a7443e06fd756d
+# Parent f8214ad3310681dbf23a95c47b064d20c549693d
+use prepared statements in all SQL queries that contains jids to prevent SQL injection. Fixes #7034
+
+Index: gajim-0.12.5/src/common/logger.py
+===================================================================
+--- gajim-0.12.5.orig/src/common/logger.py
++++ gajim-0.12.5/src/common/logger.py
+@@ -484,7 +484,7 @@ class Logger:
+ except exceptions.PysqliteOperationalError, e:
+ # Error trying to create a new jid_id. This means there is no log
+ return []
+- where_sql = self._build_contact_where(account, jid)
++ where_sql, jid_tuple = self._build_contact_where(account, jid)
+
+ now = int(float(time.time()))
+ timed_out = now - (timeout * 60) # before that they are too old
+@@ -496,10 +496,9 @@ class Logger:
+ WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d
+ ORDER BY time DESC LIMIT %d OFFSET %d
+ ''' % (where_sql, constants.KIND_SINGLE_MSG_RECV,
+- constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
+- constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR,
+- timed_out, restore_how_many_rows, pending_how_many)
+- )
++ constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
++ constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR, timed_out,
++ restore_how_many_rows, pending_how_many), jid_tuple)
+
+ results = self.cur.fetchall()
+ except sqlite.DatabaseError:
+@@ -526,7 +525,7 @@ class Logger:
+ except exceptions.PysqliteOperationalError, e:
+ # Error trying to create a new jid_id. This means there is no log
+ return []
+- where_sql = self._build_contact_where(account, jid)
++ where_sql, jid_tuple = self._build_contact_where(account, jid)
+
+ start_of_day = self.get_unix_time_from_date(year, month, day)
+ seconds_in_a_day = 86400 # 60 * 60 * 24
+@@ -537,7 +536,7 @@ class Logger:
+ WHERE (%s)
+ AND time BETWEEN %d AND %d
+ ORDER BY time
+- ''' % (where_sql, start_of_day, last_second_of_day))
++ ''' % (where_sql, start_of_day, last_second_of_day), jid_tuple)
+
+ results = self.cur.fetchall()
+ return results
+@@ -560,13 +559,13 @@ class Logger:
+ return results
+
+ else: # user just typed something, we search in message column
+- where_sql = self._build_contact_where(account, jid)
++ where_sql, jid_tuple = self._build_contact_where(account, jid)
+ like_sql = '%' + query.replace("'", "''") + '%'
+ self.cur.execute('''
+ SELECT contact_name, time, kind, show, message, subject FROM logs
+ WHERE (%s) AND message LIKE '%s'
+ ORDER BY time
+- ''' % (where_sql, like_sql))
++ ''' % (where_sql, like_sql), jid_tuple)
+
+ results = self.cur.fetchall()
+ return results
+@@ -579,7 +578,7 @@ class Logger:
+ # Error trying to create a new jid_id. This means there is no log
+ return []
+ days_with_logs = []
+- where_sql = self._build_contact_where(account, jid)
++ where_sql, jid_tuple = self._build_contact_where(account, jid)
+
+ # First select all date of month whith logs we want
+ start_of_month = self.get_unix_time_from_date(year, month, 1)
+@@ -597,7 +596,7 @@ class Logger:
+ AND kind NOT IN (%d, %d)
+ ORDER BY time
+ ''' % (where_sql, start_of_month, last_second_of_month,
+- constants.KIND_STATUS, constants.KIND_GCSTATUS))
++ constants.KIND_STATUS, constants.KIND_GCSTATUS), jid_tuple)
+ result = self.cur.fetchall()
+
+ # convert timestamps to day of month
+@@ -611,19 +610,21 @@ class Logger:
+ we had logs (excluding statuses)'''
+ where_sql = ''
+ if not is_room:
+- where_sql = self._build_contact_where(account, jid)
++ where_sql, jid_tuple = self._build_contact_where(account, jid)
+ else:
+ try:
+ jid_id = self.get_jid_id(jid, 'ROOM')
+ except exceptions.PysqliteOperationalError, e:
+ # Error trying to create a new jid_id. This means there is no log
+ return None
+- where_sql = 'jid_id = %s' % jid_id
++ where_sql = 'jid_id = ?'
++ jid_tuple = (jid_id,)
+ self.cur.execute('''
+ SELECT MAX(time) FROM logs
+ WHERE (%s)
+ AND kind NOT IN (%d, %d)
+- ''' % (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS))
++ ''' % (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS),
++ jid_tuple)
+
+ results = self.cur.fetchone()
+ if results is not None:
+@@ -640,11 +641,12 @@ class Logger:
+ except exceptions.PysqliteOperationalError, e:
+ # Error trying to create a new jid_id. This means there is no log
+ return None
+- where_sql = 'jid_id = %s' % jid_id
++ where_sql = 'jid_id = ?'
++ jid_tuple = (jid_id,)
+ self.cur.execute('''
+ SELECT time FROM rooms_last_message_time
+ WHERE (%s)
+- ''' % (where_sql))
++ ''' % (where_sql), jid_tuple)
+
+ results = self.cur.fetchone()
+ if results is not None:
+@@ -666,6 +668,7 @@ class Logger:
+ '''build the where clause for a jid, including metacontacts
+ jid(s) if any'''
+ where_sql = ''
++ jid_tuple = ()
+ # will return empty list if jid is not associated with
+ # any metacontacts
+ family = gajim.contacts.get_metacontacts_family(account, jid)
+@@ -675,13 +678,15 @@ class Logger:
+ jid_id = self.get_jid_id(user['jid'])
+ except exceptions.PysqliteOperationalError, e:
+ continue
+- where_sql += 'jid_id = %s' % jid_id
++ where_sql += 'jid_id = ?'
++ jid_tuple += (jid_id,)
+ if user != family[-1]:
+ where_sql += ' OR '
+ else: # if jid was not associated with metacontacts
+ jid_id = self.get_jid_id(jid)
+- where_sql = 'jid_id = %s' % jid_id
+- return where_sql
++ where_sql = 'jid_id = ?'
++ jid_tuple += (jid_id,)
++ return where_sql, jid_tuple
+
+ def save_transport_type(self, jid, type_):
+ '''save the type of the transport in DB'''
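Review bot: The search branch (`like_sql = '%' + query.replace("'", "''") + '%'` and `WHERE (%s) AND message LIKE '%s'`) still splices user-typed text into the SQL string by quote doubling while every `jid_id` in the same patch is now a bound `?` parameter; quote doubling is the correct SQLite string-literal escape, so this looks like a consistency and defence-in-depth gap rather than a remaining injection, but binding it is the same one-line change as the rest of the patch: `WHERE (%s) AND message LIKE ?`, `''' % where_sql, jid_tuple + (like_sql,))`, with `like_sql = '%' + query + '%'`. In `_build_contact_where` the `else` branch assigns `where_sql` but extends `jid_tuple` with `+=`; since the tuple is still `()` there, writing `jid_tuple = (jid_id,)` would read as intended and match the two room branches above. Each of these nested hunks cuts through a `Logger` method whose signature lies outside the shown lines.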
diff --git a/gajim-disable-latex-plugin.patch b/gajim-disable-latex-plugin.patch
new file mode 100644
index 0000000..4e458af
--- /dev/null
+++ b/gajim-disable-latex-plugin.patch
@@ -0,0 +1,14 @@
+Index: gajim-0.12.5/src/common/latex.py
+===================================================================
+--- gajim-0.12.5.orig/src/common/latex.py
++++ gajim-0.12.5/src/common/latex.py
+@@ -88,6 +88,9 @@ def popen_nt_friendly(command):
+ def check_for_latex_support():
+ '''check is latex is available and if it can create a picture.'''
+
++ # EL5: disable the latex plugin to avoid its security bugs
++ return False
++
+ try:
+ filename = latex_to_image("test")
+ if filename:
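Review bot: The early `return False` placed right after the docstring leaves the rest of `check_for_latex_support` as unreachable code, which linters will flag and a later maintainer may "fix" by removing the return; the comment should say why the dead code is kept and name the issue, e.g. `# EL5: latex rendering disabled because of CVE-2012-2093; the probe below is intentionally unreachable`. Note that this only gates the feature where callers consult `check_for_latex_support`; `latex_to_image` and `popen_nt_friendly` remain importable and callable, so the disable is effective only if no other code path invokes them directly, which cannot be confirmed from this hunk. The function body continues past the end of the hunk.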
diff --git a/gajim.spec b/gajim.spec
index 4d53e7f..1f7a105 100644
--- a/gajim.spec
+++ b/gajim.spec
@@ -3,7 +3,7 @@
Summary: Jabber client written in PyGTK
Name: gajim
Version: 0.12.5
-Release: 1%{?dist}.1
+Release: 1%{?dist}.2
License: GPLv3
Group: Applications/Internet
URL: http://gajim.org/
@@ -11,6 +11,12 @@ Source0: http://gajim.org/downloads/%{name}-%{version}.tar.bz2
Patch0: %{name}-keyring.diff
Patch1: %{name}-gdk-color-to_string.diff
Patch2: %{name}-dbus-python-0.7-compat.diff
+# user assisted code execution
+Patch3: gajim-CVE-2012-2085.patch
+# SQL injection
+Patch4: gajim-CVE-2012-2086.patch
+# avoid CVE-2012-2093
+Patch5: gajim-disable-latex-plugin.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -59,6 +65,9 @@ Gajim does not require GNOME to run, eventhough it exists with it nicely.
%patch0 -p0
%patch1 -p1
%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
%build
%configure --docdir=%{_docdir}/%{name}-%{version} \
@@ -113,6 +122,12 @@ rm -rf %{buildroot}
%{python_sitearch}/%{name}/trayicon.so
%changelog
+* Wed Jun 20 2012 Michal Schmidt <mschmidt at redhat.com> 0.12.5-1.el5.2
+- Two security fixes picked from el6:
+- CVE-2012-2085
+- CVE-2012-2086
+- disabled latex plugin to avoid CVE-2012-2093
+
* Tue Oct 27 2009 Michal Schmidt <mschmidt at redhat.com> 0.12.5-1.el5.1
- Fix NetworkManager feature (+ gajim-dbus-python-0.7-compat.diff)