tags 668710 + patch tags 668710 + pending thanks Dear maintainer,
I've prepared an NMU for gajim (versioned as 0.15-1.1) and uploaded it to DELAYED/02. Please feel free to tell me if I should delay it longer. Cheers Luk
diff -u gajim-0.15/debian/changelog gajim-0.15/debian/changelog
--- gajim-0.15/debian/changelog
+++ gajim-0.15/debian/changelog
@@ -1,3 +1,11 @@
+gajim (0.15-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix CVE-2012-2093: insecure use of temporary files when convering LaTeX
+ IM messages to png images. Closes: #668710
+
+ -- Luk Claes <[email protected]> Sat, 16 Jun 2012 18:22:00 +0200
+
 gajim (0.15-1) unstable; urgency=low
 * New upstream release.
only in patch2:
unchanged:
--- gajim-0.15.orig/src/common/latex.py
+++ gajim-0.15/src/common/latex.py
@@ -29,7 +29,7 @@
 import os
 import random
-from tempfile import gettempdir
+from tempfile import gettempdir,mkstemp,mkdtemp
 from subprocess import Popen, PIPE
 import logging
@@ -57,10 +57,10 @@
 return True
 return False
-def get_tmpfile_name():
+def get_tmpfile_name(tmpdir):
 random.seed()
 int_ = random.randint(0, 100)
- return os.path.join(gettempdir(), 'gajimtex_' + int_.__str__())
+ return os.path.join(tmpdir, 'gajimtex_' + int_.__str__())
 def write_latex(filename, str_):
 texstr = '\\documentclass[12pt]{article}\\usepackage[dvips]{graphicx}'
@@ -78,12 +78,12 @@
 # a wrapper for Popen so that no window gets opened on Windows
 # (i think this is the reason we're using Popen rather than just system())
 # stdout goes to a pipe so that it can be read
-def popen_nt_friendly(command):
+def popen_nt_friendly(command, directory):
 if os.name == 'nt':
 # CREATE_NO_WINDOW
- return Popen(command, creationflags=0x08000000, cwd=gettempdir(), stdout=PIPE)
+ return Popen(command, creationflags=0x08000000, cwd=directory, stdout=PIPE)
 else:
- return Popen(command, cwd=gettempdir(), stdout=PIPE)
+ return Popen(command, cwd=directory, stdout=PIPE)
 def check_for_latex_support():
 """
@@ -99,9 +99,9 @@
 except LatexError:
 return False
-def try_run(argv):
+def try_run(argv, directory):
 try:
- p = popen_nt_friendly(argv)
+ p = popen_nt_friendly(argv, directory)
 out = p.communicate()[0]
 log.info(out)
 return p.wait()
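Review bot: `get_tmpfile_name(tmpdir)` in the `@@ -57,10 +57,10 @@` hunk still derives its name from `random.randint(0, 100)`, so the name is guessable and the function is only safe when `tmpdir` is a private directory; nothing in the hunk records that precondition. A docstring should state it, for example `"""Return a base path inside tmpdir; tmpdir must be a private directory from mkdtemp(), the file name itself is predictable."""`. Inside a private directory the random suffix adds nothing, so a fixed base name such as `os.path.join(tmpdir, 'gajimtex')` would be simpler, and `str(int_)` reads better than `int_.__str__()` if the suffix stays.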
@@ -131,25 +131,32 @@
 # we triggered the blacklist, immediately return None
 return None
- tmpfile = get_tmpfile_name()
+ tmpdir = ""
+ tmppng = ""
+ try:
+ tmpdir = mkdtemp(prefix="gajim")
+ tmppng = mkstemp(suffix=".png")[1]
+ except Exception:
+ raise LatexError("could not securely create one or more temporary files for LaTeX conversion")
+ tmpfile = get_tmpfile_name(tmpdir)
 # build latex string
 write_latex(os.path.join(tmpfile + '.tex'), str_)
 # convert TeX to dvi
 exitcode = try_run(['latex', '--interaction=nonstopmode',
- tmpfile + '.tex'])
+ tmpfile + '.tex'], tmpdir)
 if exitcode == 0:
 # convert dvi to png
 latex_png_dpi = gajim.config.get('latex_png_dpi')
 exitcode = try_run(['dvipng'] + fg_str('tex') + ['-T', 'tight', '-D',
- latex_png_dpi, tmpfile + '.dvi', '-o', tmpfile + '.png'])
+ latex_png_dpi, tmpfile + '.dvi', '-o', tmpfile + '.png'], tmpdir)
 if exitcode:
 # dvipng failed, try convert
 exitcode = try_run(['convert'] + fg_str('hex') + ['-trim',
- '-density', latex_png_dpi, tmpfile + '.dvi', tmpfile + '.png'])
+ '-density', latex_png_dpi, tmpfile + '.dvi', tmpfile + '.png'], tmpdir)
 # remove temp files created by us and TeX
 extensions = ['.tex', '.log', '.aux', '.dvi']
@@ -159,10 +166,17 @@
 except Exception:
 pass
+ if exitcode == 0:
+ os.rename(tmpfile + '.png', tmppng)
+ else:
+ os.remove(tmppng)
+
+ os.rmdir(tmpdir)
+
 if isinstance(exitcode, (unicode, str)):
 raise LatexError(exitcode)
 if exitcode == 0:
- result = tmpfile + '.png'
+ result = tmppng
 return result
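Review bot: `mkstemp(suffix=".png")[1]` in the `@@ -131,25 +131,32 @@` hunk discards the open file descriptor that mkstemp returns, so each conversion leaks one descriptor; unpack and close it with `fd, tmppng = mkstemp(suffix=".png")` followed by `os.close(fd)`. If mkdtemp succeeds and mkstemp then fails, the `except Exception` branch raises LatexError without removing the directory it already created, so it should call `os.rmdir(tmpdir)` when `tmpdir` has been set before raising. The enclosing function starts and ends outside this hunk.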
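Review bot: `os.rmdir(tmpdir)` in the `@@ -159,10 +166,17 @@` hunk is unguarded and only succeeds on an empty directory, while the cleanup loop before it removes just `.tex`, `.log`, `.aux` and `.dvi`. Any other leftover, for instance a partial `.png` after a failed conversion, would raise OSError here and skip the `raise LatexError(exitcode)` and `return result` lines that follow. Using `shutil.rmtree(tmpdir, ignore_errors=True)` instead (needs `import shutil`) removes the private directory whatever the tools left in it. Separately, `os.rename(tmpfile + '.png', tmppng)` always targets a file that mkstemp already created, which fails on Windows under Python 2, a platform this module handles in `popen_nt_friendly`; removing `tmppng` before the rename when `os.name == 'nt'` would avoid that. The function body starts outside the hunk.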

