Merge lp:~jtaylor/ubuntu/lucid/gajim/multiple-CVE into lp:ubuntu/lucid/gajim

Proposed by Julian Taylor
Status: Merged
Merge reported by: Marc Deslauriers
Merged at revision: not available
Proposed branch: lp:~jtaylor/ubuntu/lucid/gajim/multiple-CVE
Merge into: lp:ubuntu/lucid/gajim
Diff against target: 376 lines (+347/-0)
5 files modified
debian/changelog (+19/-0)
debian/patches/00list (+3/-0)
debian/patches/CVE-2012-2085.dpatch (+54/-0)
debian/patches/CVE-2012-2086.dpatch (+157/-0)
debian/patches/CVE-2012-2093.dpatch (+114/-0)
To merge this branch: bzr merge lp:~jtaylor/ubuntu/lucid/gajim/multiple-CVE
Reviewer Review Type Date Requested Status
Ubuntu Development Team Pending
Review via email: mp+104264@code.launchpad.net
54. By Julian Taylor

fix missing jid tuple in patch

55. By Julian Taylor

fix missing wait on process end

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Julian, could you please update the status of this merge request so it gets removed from the sponsors list? Thanks.

=== modified file 'debian/changelog'
--- debian/changelog 2009-12-15 02:32:45 +0000
+++ debian/changelog 2012-05-10 19:54:17 +0000
@@ -1,3 +1,22 @@
1gajim (0.13-0ubuntu2.10.04.1) lucid-security; urgency=low
2
3 * SECURITY UPDATE: assisted code execution (LP: #992618)
4 - debian/patches/CVE-2012-2085.dpatch: fix subprocess call to prevent
5 shell escape from via crafted messages
6 https://trac.gajim.org/changeset/bc296e96ac10
7 - CVE-2012-2085
8 * SECURITY UPDATE: sql injection in logging code (LP: #992618)
9 - debian/patches/CVE-2012-2086.dpatch: use a prepated statement
10 https://trac.gajim.org/changeset/bfd5f94489d8
11 - CVE-2012-2086
12 * SECURITY UPDATE: insecure tmpfile creation (LP: #992613)
13 - debian/patches/CVE-2012-2093.dpatch: use safe tmpfile functions
14 when convering LaTeX IM messages to png images
15 Thanks to Nico Golde
16 - CVE-2012-2093
17
18 -- Julian Taylor <jtaylor@ubuntu.com> Tue, 01 May 2012 15:21:25 +0200
19
1gajim (0.13-0ubuntu2) lucid; urgency=low20gajim (0.13-0ubuntu2) lucid; urgency=low
221
3 * debian/control:22 * debian/control:
423
=== modified file 'debian/patches/00list'
--- debian/patches/00list 2009-11-25 08:33:47 +0000
+++ debian/patches/00list 2012-05-10 19:54:17 +0000
@@ -1,2 +1,5 @@
1config-write-sync.patch1config-write-sync.patch
2ubuntu-keyring.patch2ubuntu-keyring.patch
3CVE-2012-2085.dpatch
4CVE-2012-2086.dpatch
5CVE-2012-2093.dpatch
36
=== added file 'debian/patches/CVE-2012-2085.dpatch'
--- debian/patches/CVE-2012-2085.dpatch 1970-01-01 00:00:00 +0000
+++ debian/patches/CVE-2012-2085.dpatch 2012-05-10 19:54:17 +0000
@@ -0,0 +1,54 @@
1#! /bin/sh /usr/share/dpatch/dpatch-run
2## Description: prevent assisted code execution CVE-2012-2085
3## Origin: https://trac.gajim.org/changeset/bc296e96ac10
4## Bug: https://trac.gajim.org/ticket/7031
5## CVE-2012-2085.dpatch by Julian Taylor <jtaylor@ubuntu.com>
6##
7## All lines beginning with `## DP:' are a description of the patch.
8## DP: No description.
9
10@DPATCH@
11diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' gajim-lucid.orig~/src/common/helpers.py gajim-lucid.orig/src/common/helpers.py
12--- gajim-lucid.orig~/src/common/helpers.py 2012-05-01 15:19:52.000000000 +0200
13+++ gajim-lucid.orig/src/common/helpers.py 2012-05-01 15:20:49.347118151 +0200
14@@ -39,6 +39,7 @@
15 import base64
16 import sys
17 import hashlib
18+import shlex
19
20 from encodings.punycode import punycode_encode
21
22@@ -355,8 +356,18 @@
23 pass
24 return False
25
26-def exec_command(command):
27- subprocess.Popen('%s &' % command, shell=True).wait()
28+def exec_command(command, use_shell=False):
29+ """
30+ execute a command. if use_shell is True, we run the command as is it was
31+ typed in a console. So it may be dangerous if you are not sure about what
32+ is executed.
33+ """
34+ if use_shell:
35+ subprocess.Popen('%s &' % command, shell=True).wait()
36+ else:
37+ args = shlex.split(command.encode('utf-8'))
38+ p = subprocess.Popen(args)
39+ gajim.thread_interface(p.wait)
40
41 def build_command(executable, parameter):
42 # we add to the parameter (can hold path with spaces)
43diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' gajim-lucid.orig~/src/notify.py gajim-lucid.orig/src/notify.py
44--- gajim-lucid.orig~/src/notify.py 2012-05-01 15:19:52.000000000 +0200
45+++ gajim-lucid.orig/src/notify.py 2012-05-01 15:21:18.347117755 +0200
46@@ -323,7 +323,7 @@
47 command = gajim.config.get_per('notifications', str(advanced_notif_num),
48 'command')
49 try:
50- helpers.exec_command(command)
51+ helpers.exec_command(command, use_shell=True)
52 except Exception:
53 pass
54
055
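Review bot: With `use_shell=False`, exec_command still re-tokenizes a string that callers assemble (build_command, which begins at the end of this hunk, appears from its comment to wrap the parameter in quotes), so a parameter containing a `"` or starting with `-` can still produce extra or option-like arguments through `shlex.split` — this closes the shell-metacharacter escape but not argument injection. The cleaner fix is to let callers hand over an argv list and skip re-tokenizing it: `if isinstance(command, (list, tuple)): args = list(command)` ahead of the `shlex.split` branch, plus `if not args: raise ValueError('empty command')`, since `Popen([])` fails with an unhelpful error. The non-shell path also now surfaces `OSError` (executable not found) and `ValueError` (unbalanced quotes from shlex) to callers that previously got a silently failing shell; notify.py catches Exception, but other callers outside this hunk should be checked. `gajim.thread_interface` additionally requires `gajim` to be importable in helpers.py, which this hunk does not show.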
=== added file 'debian/patches/CVE-2012-2086.dpatch'
--- debian/patches/CVE-2012-2086.dpatch 1970-01-01 00:00:00 +0000
+++ debian/patches/CVE-2012-2086.dpatch 2012-05-10 19:54:17 +0000
@@ -0,0 +1,157 @@
1#! /bin/sh /usr/share/dpatch/dpatch-run
2## Description: prevent sql injections CVE-2012-2086
3## Origin: https://trac.gajim.org/changeset/bc296e96ac10
4## Bug: https://trac.gajim.org/ticket/7031
5## CVE-2012-2086.dpatch by Julian Taylor <jtaylor@ubuntu.com>
6##
7## All lines beginning with `## DP:' are a description of the patch.
8## DP: No description.
9
10@DPATCH@
11diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' gajim-lucid.orig~/src/common/logger.py gajim-lucid.orig/src/common/logger.py
12--- gajim-lucid.orig~/src/common/logger.py 2012-05-01 15:19:52.000000000 +0200
13+++ gajim-lucid.orig/src/common/logger.py 2012-05-01 15:23:03.891116311 +0200
14@@ -527,7 +527,7 @@
15 except exceptions.PysqliteOperationalError, e:
16 # Error trying to create a new jid_id. This means there is no log
17 return []
18- where_sql = self._build_contact_where(account, jid)
19+ where_sql, jid_tuple = self._build_contact_where(account, jid)
20
21 now = int(float(time.time()))
22 timed_out = now - (timeout * 60) # before that they are too old
23@@ -539,10 +539,9 @@
24 WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d
25 ORDER BY time DESC LIMIT %d OFFSET %d
26 ''' % (where_sql, constants.KIND_SINGLE_MSG_RECV,
27- constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
28- constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR,
29- timed_out, restore_how_many_rows, pending_how_many)
30- )
31+ constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
32+ constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR, timed_out,
33+ restore_how_many_rows, pending_how_many), jid_tuple)
34
35 results = self.cur.fetchall()
36 except sqlite.DatabaseError:
37@@ -569,7 +568,7 @@
38 except exceptions.PysqliteOperationalError, e:
39 # Error trying to create a new jid_id. This means there is no log
40 return []
41- where_sql = self._build_contact_where(account, jid)
42+ where_sql, jid_tuple = self._build_contact_where(account, jid)
43
44 start_of_day = self.get_unix_time_from_date(year, month, day)
45 seconds_in_a_day = 86400 # 60 * 60 * 24
46@@ -580,7 +579,7 @@
47 WHERE (%s)
48 AND time BETWEEN %d AND %d
49 ORDER BY time
50- ''' % (where_sql, start_of_day, last_second_of_day))
51+ ''' % (where_sql, start_of_day, last_second_of_day), jid_tuple)
52
53 results = self.cur.fetchall()
54 return results
55@@ -603,13 +602,13 @@
56 return results
57
58 else: # user just typed something, we search in message column
59- where_sql = self._build_contact_where(account, jid)
60+ where_sql, jid_tuple = self._build_contact_where(account, jid)
61 like_sql = '%' + query.replace("'", "''") + '%'
62 self.cur.execute('''
63 SELECT contact_name, time, kind, show, message, subject FROM logs
64 WHERE (%s) AND message LIKE '%s'
65 ORDER BY time
66- ''' % (where_sql, like_sql))
67+ ''' % (where_sql, like_sql), jid_tuple)
68
69 results = self.cur.fetchall()
70 return results
71@@ -622,7 +621,7 @@
72 # Error trying to create a new jid_id. This means there is no log
73 return []
74 days_with_logs = []
75- where_sql = self._build_contact_where(account, jid)
76+ where_sql, jid_tuple = self._build_contact_where(account, jid)
77
78 # First select all date of month whith logs we want
79 start_of_month = self.get_unix_time_from_date(year, month, 1)
80@@ -640,7 +639,7 @@
81 AND kind NOT IN (%d, %d)
82 ORDER BY time
83 ''' % (where_sql, start_of_month, last_second_of_month,
84- constants.KIND_STATUS, constants.KIND_GCSTATUS))
85+ constants.KIND_STATUS, constants.KIND_GCSTATUS), jid_tuple)
86 result = self.cur.fetchall()
87
88 # convert timestamps to day of month
89@@ -654,19 +653,21 @@
90 we had logs (excluding statuses)'''
91 where_sql = ''
92 if not is_room:
93- where_sql = self._build_contact_where(account, jid)
94+ where_sql, jid_tuple = self._build_contact_where(account, jid)
95 else:
96 try:
97 jid_id = self.get_jid_id(jid, 'ROOM')
98 except exceptions.PysqliteOperationalError, e:
99 # Error trying to create a new jid_id. This means there is no log
100 return None
101- where_sql = 'jid_id = %s' % jid_id
102+ where_sql = 'jid_id = ?'
103+ jid_tuple = (jid_id,)
104 self.cur.execute('''
105 SELECT MAX(time) FROM logs
106 WHERE (%s)
107 AND kind NOT IN (%d, %d)
108- ''' % (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS))
109+ ''' % (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS),
110+ jid_tuple)
111
112 results = self.cur.fetchone()
113 if results is not None:
114@@ -683,11 +684,13 @@
115 except exceptions.PysqliteOperationalError, e:
116 # Error trying to create a new jid_id. This means there is no log
117 return None
118- where_sql = 'jid_id = %s' % jid_id
119+ where_sql = 'jid_id = ?'
120+ jid_tuple = (jid_id,)
121+
122 self.cur.execute('''
123 SELECT time FROM rooms_last_message_time
124 WHERE (%s)
125- ''' % (where_sql))
126+ ''' % (where_sql), jid_tuple)
127
128 results = self.cur.fetchone()
129 if results is not None:
130@@ -709,6 +712,7 @@
131 '''build the where clause for a jid, including metacontacts
132 jid(s) if any'''
133 where_sql = ''
134+ jid_tuple = ()
135 # will return empty list if jid is not associated with
136 # any metacontacts
137 family = gajim.contacts.get_metacontacts_family(account, jid)
138@@ -718,13 +722,15 @@
139 jid_id = self.get_jid_id(user['jid'])
140 except exceptions.PysqliteOperationalError, e:
141 continue
142- where_sql += 'jid_id = %s' % jid_id
143+ where_sql += 'jid_id = ?'
144+ jid_tuple += (jid_id,)
145 if user != family[-1]:
146 where_sql += ' OR '
147 else: # if jid was not associated with metacontacts
148 jid_id = self.get_jid_id(jid)
149- where_sql = 'jid_id = %s' % jid_id
150- return where_sql
151+ where_sql = 'jid_id = ?'
152+ jid_tuple += (jid_id,)
153+ return where_sql,jid_tuple
154
155 def save_transport_type(self, jid, type_):
156 '''save the type of the transport in DB'''
157
0158
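Review bot: The search branch at `WHERE (%s) AND message LIKE '%s'` still interpolates the user-typed query into the SQL with only `'` doubling, so the patch binds the jid ids but leaves the one genuinely free-text input in the same statement as a formatted string; bind it too with `AND message LIKE ?` and `jid_tuple + (like_sql,)` (the jid placeholders precede it, so appending preserves parameter order), which also means `like_sql` must drop the manual `replace("'", "''")` or it would search for doubled quotes. `_build_contact_where` now returns a two-tuple, so any caller outside this hunk has to be updated as well — the "fix missing jid tuple in patch" revision suggests one was already missed, and a grep for `_build_contact_where(` across src/ would confirm none remain. The dpatch header's Origin and Bug lines repeat the CVE-2012-2085 changeset bc296e96ac10 and ticket 7031, whereas the changelog attributes this fix to bfd5f94489d8; the header should reference the correct upstream changeset.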
=== added file 'debian/patches/CVE-2012-2093.dpatch'
--- debian/patches/CVE-2012-2093.dpatch 1970-01-01 00:00:00 +0000
+++ debian/patches/CVE-2012-2093.dpatch 2012-05-10 19:54:17 +0000
@@ -0,0 +1,114 @@
1#! /bin/sh /usr/share/dpatch/dpatch-run
2## Description: fix insecure tmpfile creation CVE-2012-2093
3## Origin: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668710
4## Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668710
5## CVE-2012-2093.dpatch by Julian Taylor <jtaylor@ubuntu.com>
6##
7## All lines beginning with `## DP:' are a description of the patch.
8## DP: No description.
9
10@DPATCH@
11diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' gajim-lucid.orig~/src/common/latex.py gajim-lucid.orig/src/common/latex.py
12--- gajim-lucid.orig~/src/common/latex.py 2012-05-01 15:19:52.000000000 +0200
13+++ gajim-lucid.orig/src/common/latex.py 2012-05-01 15:26:22.031113594 +0200
14@@ -29,7 +29,7 @@
15
16 import os
17 import random
18-from tempfile import gettempdir
19+from tempfile import gettempdir,mkstemp,mkdtemp
20 from subprocess import Popen, PIPE
21
22 import logging
23@@ -57,10 +57,10 @@
24 return True
25 return False
26
27-def get_tmpfile_name():
28+def get_tmpfile_name(tmpdir):
29 random.seed()
30 int_ = random.randint(0, 100)
31- return os.path.join(gettempdir(), 'gajimtex_' + int_.__str__())
32+ return os.path.join(tmpdir, 'gajimtex_' + int_.__str__())
33
34 def write_latex(filename, str_):
35 texstr = '\\documentclass[12pt]{article}\\usepackage[dvips]{graphicx}'
36@@ -78,12 +78,12 @@
37 # a wrapper for Popen so that no window gets opened on Windows
38 # (i think this is the reason we're using Popen rather than just system())
39 # stdout goes to a pipe so that it can be read
40-def popen_nt_friendly(command):
41+def popen_nt_friendly(command, directory):
42 if os.name == 'nt':
43 # CREATE_NO_WINDOW
44- return Popen(command, creationflags=0x08000000, cwd=gettempdir(), stdout=PIPE)
45+ return Popen(command, creationflags=0x08000000, cwd=directory, stdout=PIPE)
46 else:
47- return Popen(command, cwd=gettempdir(), stdout=PIPE)
48+ return Popen(command, cwd=directory, stdout=PIPE)
49
50 def check_for_latex_support():
51 '''check is latex is available and if it can create a picture.'''
52@@ -98,9 +98,9 @@
53 except LatexError:
54 return False
55
56-def try_run(argv):
57+def try_run(argv, directory):
58 try:
59- p = popen_nt_friendly(argv)
60+ p = popen_nt_friendly(argv, directory)
61 out = p.communicate()[0]
62 log.info(out)
63 return p.wait()
64@@ -125,21 +125,28 @@
65 # we triggered the blacklist, immediately return None
66 return None
67
68- tmpfile = get_tmpfile_name()
69+ tmpdir = ""
70+ tmppng = ""
71+ try:
72+ tmpdir = mkdtemp(prefix="gajim")
73+ tmppng = mkstemp(suffix=".png")[1]
74+ except Exception:
75+ raise LatexError("could not securely create one or more temporary files for LaTeX conversion")
76
77+ tmpfile = get_tmpfile_name(tmpdir)
78 # build latex string
79 write_latex(os.path.join(tmpfile + '.tex'), str_)
80
81 # convert TeX to dvi
82 exitcode = try_run(['latex', '--interaction=nonstopmode',
83- tmpfile + '.tex'])
84+ tmpfile + '.tex'], tmpdir)
85
86 if exitcode == 0:
87 # convert dvi to png
88 latex_png_dpi = gajim.config.get('latex_png_dpi')
89 exitcode = try_run(['dvipng', '-bg', bg_str, '-fg', fg_str, '-T',
90 'tight', '-D', latex_png_dpi, tmpfile + '.dvi', '-o',
91- tmpfile + '.png'])
92+ tmpfile + '.png'], tmpdir)
93
94 # remove temp files created by us and TeX
95 extensions = ['.tex', '.log', '.aux', '.dvi']
96@@ -149,11 +156,17 @@
97 except Exception:
98 pass
99
100+ if exitcode == 0:
101+ os.rename(tmpfile + '.png', tmppng)
102+ else:
103+ os.remove(tmppng)
104+
105+ os.rmdir(tmpdir)
106 if isinstance(exitcode, (unicode, str)):
107 raise LatexError(exitcode)
108
109 if exitcode == 0:
110- result = tmpfile + '.png'
111+ result = tmppng
112
113 return result
114
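Review bot: The descriptor returned by `mkstemp(suffix=".png")[1]` is discarded without being closed, so every conversion leaks one open fd for the life of the process (the later `os.rename` onto that path replaces the inode but does not release the descriptor); use `fd, tmppng = mkstemp(suffix=".png")` followed by `os.close(fd)`. Cleanup is also not exception-safe: if `mkstemp` fails after `mkdtemp` succeeded, or `write_latex`/`try_run` raise, neither `tmpdir` nor `tmppng` is removed, and `os.rmdir(tmpdir)` itself raises `OSError` if TeX left behind a file not in the `extensions` list, aborting after the png has already been renamed into place; a `try/finally` that calls `shutil.rmtree(tmpdir, ignore_errors=True)` and removes `tmppng` on the failure path would cover all of these (shutil would need importing). Overwriting the pre-created mode-0600 `tmppng` in the shared temp dir by renaming from the private directory is fine against the symlink race the CVE describes. The enclosing function starts outside this hunk.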
