MGASA-2012-0161
| Date: | July 13th, 2012 |
| Affected releases: | 1, 2 |
Description:
Updated gajim package fixes security vulnerabilities:
Gajim is not properly sanitizing input before passing it to shell
commands. An attacker can use this flaw to execute arbitrary code on
behalf of the victim if the user e.g. clicks on a specially crafted
URL in an instant message (CVE-2012-2085).
Gajim is using predictable temporary files in an insecure manner when
converting instant messages containing LaTeX to images. A local attacker
can use this flaw to conduct symlink attacks and overwrite files the
victim has write access to (CVE-2012-2093).
Gajim is not properly sanitizing input when logging conversations which
results in the possibility to conduct SQL injection attacks (CVE-2012-2086).
Updated Packages:
Mageia 1:
gajim-0.15-1.1.mga1
Mageia 2:
gajim-0.15-1.1.mga2
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2093
http://www.debian.org/security/2012/dsa-2453
https://bugs.mageia.org/show_bug.cgi?id=5432
