gajim: CVE-2012-2093 insecure temporary file creation in LaTeX support
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gajim (Debian) |
Fix Released
|
Unknown
|
|||
gajim (Ubuntu) |
Won't Fix
|
Undecided
|
Unassigned | ||
Lucid |
Fix Released
|
Medium
|
Julian Taylor | ||
Natty |
Fix Released
|
Low
|
Julian Taylor | ||
Oneiric |
Fix Released
|
Low
|
Julian Taylor |
Bug Description
Imported from Debian bug http://
Package: gajim
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gajim.
CVE-2012-2093[0]:
It was discovered that gajim is insecurely creating predictable file names
when converting LaTeX to png images. An attacker can exploit this flaw to
overwrite files of the user with a symlink attack.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://
http://
--
Nico Golde - http://
For security reasons, all text in this mail is double-rot13 encrypted.
Related branches
- Ubuntu Development Team: Pending requested
-
Diff: 376 lines (+347/-0)5 files modifieddebian/changelog (+19/-0)
debian/patches/00list (+3/-0)
debian/patches/CVE-2012-2085.dpatch (+54/-0)
debian/patches/CVE-2012-2086.dpatch (+157/-0)
debian/patches/CVE-2012-2093.dpatch (+114/-0)
- Ubuntu branches: Pending requested
-
Diff: 366 lines (+344/-0)4 files modifieddebian/changelog (+19/-0)
debian/patches/CVE-2012-2085.patch (+54/-0)
debian/patches/CVE-2012-2086.patch (+157/-0)
debian/patches/CVE-2012-2093.patch (+114/-0)
- Ubuntu branches: Pending requested
-
Diff: 373 lines (+343/-0)5 files modifieddebian/changelog (+19/-0)
debian/patches/CVE-2012-2085.patch (+47/-0)
debian/patches/CVE-2012-2086.patch (+167/-0)
debian/patches/CVE-2012-2093.patch (+107/-0)
debian/patches/series (+3/-0)
Changed in gajim (Debian): | |
importance: | Undecided → Unknown |
status: | New → Fix Released |
Changed in gajim (Ubuntu Lucid): | |
status: | New → Incomplete |
Changed in gajim (Ubuntu Oneiric): | |
status: | New → Incomplete |
Changed in gajim (Ubuntu Natty): | |
status: | New → Incomplete |
tags: | added: patch-needswork |
Changed in gajim (Ubuntu Lucid): | |
importance: | Undecided → Low |
Changed in gajim (Ubuntu Natty): | |
importance: | Undecided → Low |
Changed in gajim (Ubuntu Oneiric): | |
importance: | Undecided → Low |
Changed in gajim (Ubuntu Lucid): | |
importance: | Low → Medium |
assignee: | nobody → Julian Taylor (jtaylor) |
Changed in gajim (Ubuntu Natty): | |
assignee: | nobody → Julian Taylor (jtaylor) |
Changed in gajim (Ubuntu Oneiric): | |
assignee: | nobody → Julian Taylor (jtaylor) |
not worth an upload for precise as it is mitigated by yama link restrictions, the other releases (especially lucid w/o yama) need uploads for more severe issues anyway so they get it.