Bug 763452 - [server:messaging] gajim security issue
Status: VERIFIED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: Pascal Bleser
QA Contact: Security Team bot
Depends on:
Blocks:
Reported: 2012-05-22 13:51 UTC by Marcus Meissner
Modified: 2012-05-24 19:09 UTC (History)
CC List: 0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch to fix CVE-2012-2093 in gajim and use tempfile.mkstemp to securely create temporary files (1.07 KB, patch)
2012-05-24 18:15 UTC, Pascal Bleser

Description Marcus Meissner 2012-05-22 13:51:58 UTC
is public, via oss-sec

not in any shipping distro, only in server:messaging.

CVE-2012-2093

src/common/latex.py in Gajim 0.15 allows local users to overwrite arbitrary files via a symlink attack on a temporary latex file, related to the get_tmpfile_name function.


Date: Tue, 10 Apr 2012 05:43:16 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Cc: asterix@...aule.org
Subject: gajim insecure file creation when using latex

Hi,
Gajim seems to support latex in instant messages. This is implemented by
dumping the content to a .tex template on disk and converting the result to an 
image. To prevent security problems, it is at least checking the input for 
dangerous latex commands such as \input (as far as I can see nothing is 
missing from this list).

However, it fails to create this temporary file in a secure manner:
From src/common/latex.py:
def get_tmpfile_name():
        random.seed()
        int_ = random.randint(0, 100)
        return os.path.join(gettempdir(), 'gajimtex_' + int_.__str__())
...
def latex_to_image(str_):
        result = None
        exitcode = 0

        try:
                bg_str, fg_str = gajim.interface.get_bg_fg_colors()
        except:
                # interface may not be available when we test latex at startup
                bg_str, fg_str = 'rgb 1.0 1.0 1.0', 'rgb 0.0 0.0 0.0'

        # filter latex code with bad commands
        if check_blacklist(str_):
                # we triggered the blacklist, immediately return None
                return None

        tmpfile = get_tmpfile_name()
        # build latex string
        write_latex(os.path.join(tmpfile + '.tex'), str_)
and finally:
def write_latex(filename, str_):
        texstr = '\\documentclass[12pt]{article}\\usepackage[dvips]{graphicx}'
        texstr += '\\usepackage{amsmath}\\usepackage{amssymb}'
        texstr += '\\pagestyle{empty}'
        texstr += '\\begin{document}\\begin{large}\\begin{gather*}'
        texstr += str_
        texstr += '\\end{gather*}\\end{large}\\end{document}'

        file_ = open(filename, "w+")
        file_.write(texstr)
        file_.flush()
        file_.close()

I think this is of pretty minor severity even though it still allows a local attacker
to overwrite files the victim has write access to with latex content by using symlinks,
if latex IMs are used.
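An added example (not code from the gajim project or from the reports above) that puts the original naming scheme next to a tempfile.mkstemp()-based replacement of the kind the fix uses: candidate_names() shows how small the guessable namespace is, write_latex_securely() creates the .tex file with O_EXCL semantics and mode 0600, and check_and_cleanup() is an assumed post-condition check (lstat, regular file, owner-only mode). Function names are assumptions of this example.

```python
import os
import random
import stat
import tempfile
from tempfile import gettempdir

def vulnerable_tmpfile_name():
    # Reproduces the reported scheme for contrast only: at most 101 distinct
    # names in a world-writable directory, created later with a plain open().
    random.seed()
    int_ = random.randint(0, 100)
    return os.path.join(gettempdir(), 'gajimtex_' + str(int_))

def candidate_names():
    """Every '.tex' path the vulnerable scheme can ever pick. A set this small
    is what makes pre-placed symlinks practical for a local user."""
    return {os.path.join(gettempdir(), 'gajimtex_%d.tex' % i) for i in range(101)}

def write_latex_securely(str_):
    """Hardened replacement for get_tmpfile_name() + write_latex():
    mkstemp() creates a fresh file with O_CREAT|O_EXCL and mode 0600, so an
    existing symlink at that name is never followed, and the random part of
    the name is not guessable."""
    texstr = ('\\documentclass[12pt]{article}\\usepackage[dvips]{graphicx}'
              '\\usepackage{amsmath}\\usepackage{amssymb}\\pagestyle{empty}'
              '\\begin{document}\\begin{large}\\begin{gather*}'
              + str_ + '\\end{gather*}\\end{large}\\end{document}')
    fd, path = tempfile.mkstemp(prefix='gajimtex_', suffix='.tex')
    with os.fdopen(fd, 'w') as f:   # write through the descriptor, not the name
        f.write(texstr)
    return path

def check_and_cleanup(path, expected_fragment):
    """Assumed defender-side check: the file must be a regular file (lstat does
    not follow symlinks), readable only by its owner, and contain what we wrote.
    Removes the file afterwards and returns True only if every check passed."""
    st = os.lstat(path)
    ok = stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0
    with open(path) as f:
        ok = ok and expected_fragment in f.read()
    os.remove(path)
    return ok
```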
Comment 1 Pascal Bleser 2012-05-24 18:15:27 UTC
Created attachment 492365 [details]
patch to fix CVE-2012-2093 in gajim and use tempfile.mkstemp to securely create temporary files
Comment 2 Pascal Bleser 2012-05-24 19:07:30 UTC
Has been filed upstream as bug 7162: https://trac.gajim.org/ticket/7162
Comment 3 Pascal Bleser 2012-05-24 19:08:43 UTC
Closing, fixed, by using tempfile.mkstemp() instead.
Comment 4 Pascal Bleser 2012-05-24 19:09:54 UTC
Committed to the gajim package in server:messaging as revision 17: https://build.opensuse.org/package/rdiff?linkrev=base&package=gajim&project=server%3Amessaging&rev=17