Bug 811651 (CVE-2012-2093)

Summary: CVE-2012-2093 gajim (LaTeX module): Insecure creation of temporary file
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: jrusnack, mschmidt
Keywords: Security
Whiteboard: impact=low,public=20120410,reported=20120410,source=oss-security,cvss2=3.3/AV:L/AC:M/Au:N/C:N/I:P/A:P,fedora-all/gajim=affected,epel-all/gajim=affected,cwe=CWE-377
Doc Type: Bug Fix
Last Closed: 2013-04-05 14:09:22 EDT
Bug Depends On: 811654, 811655

Description Jan Lieskovsky 2012-04-11 11:50:57 EDT
An insecure temporary file use flaw was found in the way the LaTeX module of Gajim, a PyGTK-based Jabber client, performed (La)TeX source code to PNG image file conversion. A local attacker could use this flaw to conduct symbolic link attacks (overwrite or remove files belonging to the user account in whose context the gajim executable was run).

CVE Request:
[1] http://www.openwall.com/lists/oss-security/2012/04/10/6

CVE Assignment:
[2] http://www.openwall.com/lists/oss-security/2012/04/10/15
Comment 1 Jan Lieskovsky 2012-04-11 11:53:15 EDT
This issue affects the versions of the gajim package as shipped with Fedora EPEL 5, Fedora EPEL 6, and Fedora releases 15 and 16. Please schedule an update (once a final upstream patch is known).
Comment 2 Jan Lieskovsky 2012-04-11 11:54:17 EDT
Created gajim tracking bugs for this issue

Affects: fedora-all [bug 811654]
Affects: epel-all [bug 811655]
Comment 3 Jan Lieskovsky 2012-04-11 12:06:19 EDT
Upstream patch proposal (though I am not sure this would completely prevent the issue => needs devel review and confirmation):

[3] http://hg.gajim.org/gajim/rev/bac8e353d25c
Comment 4 Michal Schmidt 2012-04-12 08:30:17 EDT
(In reply to comment #3)
> Upstream patch proposal (though I am not sure this would completely prevent the
> issue => needs devel review and confirmation):
> 
> [3] http://hg.gajim.org/gajim/rev/bac8e353d25c

It makes an attack harder, but is still not fully safe.
Comment 5 Jan Lieskovsky 2012-04-12 08:47:23 EDT
(In reply to comment #4)
> (In reply to comment #3)
> > Upstream patch proposal (though I am not sure this would completely prevent the
> > issue => needs devel review and confirmation):
> > 
> > [3] http://hg.gajim.org/gajim/rev/bac8e353d25c
> 
> It makes an attack harder, but is still not fully safe.

Thanks, Michal. Would it then be possible to get rid of the 'gajimtex_' string completely when creating the temporary file location, and make it fully random (to prevent this)?

Thanks, Jan.
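Added illustration of the temporary-file pattern under discussion (example code, not Gajim's): the predictable name in a shared directory next to the hardened form, which has the OS create the file atomically with O_CREAT|O_EXCL and mode 0600 inside a private mkdtemp directory. With atomic creation a recognisable prefix such as 'gajimtex_' is no longer a problem, so the prefix and counter values below are only assumptions for the example.

```python
import os
import shutil
import stat
import tempfile


def unsafe_tmp_path(prefix="gajimtex_", counter=0):
    """CWE-377 pattern: a guessable name in a world-writable directory.
    Whoever pre-creates this path (e.g. as a symlink) decides what a later
    open() for writing actually touches.  Nothing is created here."""
    return os.path.join(tempfile.gettempdir(), "%s%d.tex" % (prefix, counter))


def safe_tmp_path(prefix="gajimtex_", suffix=".tex"):
    """Hardened form.  mkdtemp() gives a fresh 0700 directory nobody else can
    write into; mkstemp() then opens the file with O_CREAT|O_EXCL and mode
    0600, so an existing file or symlink makes the call fail instead of being
    followed.  Returns (workdir, path); the caller owns the open file."""
    workdir = tempfile.mkdtemp(prefix=prefix)
    fd, path = tempfile.mkstemp(prefix=prefix, suffix=suffix, dir=workdir)
    os.close(fd)
    return workdir, path


def is_private_regular_file(path):
    """Defensive check before writing: lstat() so a symlink is seen as a
    symlink, and the target must be a regular file owned by us with no
    group/other permission bits."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)


def workdir_is_private(workdir):
    """Same idea for the scratch directory: a real directory, ours, 0700."""
    st = os.lstat(workdir)
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)


def discard_workdir(workdir):
    """Remove the private directory and everything the conversion left in it."""
    shutil.rmtree(workdir)


if __name__ == "__main__":
    d, p = safe_tmp_path()
    print("private:", is_private_regular_file(p), workdir_is_private(d), p)
    discard_workdir(d)
```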
Comment 6 Fedora Update System 2012-04-26 16:09:36 EDT
gajim-0.15-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2012-04-27 01:53:51 EDT
gajim-0.15-2.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-04-27 01:54:30 EDT
gajim-0.15-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-05-04 11:58:13 EDT
gajim-0.14.4-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.