Mageia alert MGASA-2012-0161 (gajim) [LWN.net]


From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2012-0161: gajim-0.15-1.1.mga (1, 2/core) 
Date:
    	       Fri, 13 Jul 2012 22:26:07 +0200
Message-ID:
    	       <20120713202607.GA32032@valstar.mageia.org>
Archive-link:
    	       Article, Thread
              
MGASA-2012-0161
Date: 	July 13th, 2012
Affected releases: 	1, 2


Description:
Updated gajim package fixes security vulnerabilities:

Gajim is not properly sanitizing input before passing it to shell
commands. An attacker can use this flaw to execute arbitrary code on
behalf of the victim if the user e.g. clicks on a specially crafted
URL in an instant message (CVE-2012-2085).

Gajim is using predictable temporary files in an insecure manner when
converting instant messages containing LaTeX to images. A local attacker
can use this flaw to conduct symlink attacks and overwrite files the
victim has write access to (CVE-2012-2093).

Gajim is not properly sanitizing input when logging conversations which
results in the possibility to conduct SQL injection attacks
(CVE-2012-2086).


Updated Packages:
Mageia 1:
gajim-0.15-1.1.mga1

Mageia 2:
gajim-0.15-1.1.mga2

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2093
http://www.debian.org/security/2012/dsa-2453
https://bugs.mageia.org/show_bug.cgi?id=5432
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
(Log in to post comments)