[Pkg-xmpp-devel] Bug#963134: /show can crash gajim on encoding errors

Enrico Zini enrico at debian.org
Fri Jun 19 14:10:57 BST 2020 

Package: gajim
Version: 1.1.2-2
Severity: normal

Hello,

Thank you for maintaining gajim.

I just learnt of the /show command, which runs a shell command and posts
its output. It works exactly as intended. What could possibly go wrong?

It even has 4 aliases: show, sh, execute, exec. The /show alias is
particularly interesting because it looks quite innocuous if one doesn't
already know what it does.

Anyway, this makes gajim throw a nice UnicodeDecodeError:

   /show dd if=/dev/urandom bs=512 count=1


Enrico

-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gajim depends on:
ii  gir1.2-gtk-3.0       3.24.5-1
ii  python3              3.7.3-1
ii  python3-cssutils     1.0.2-2
ii  python3-gi           3.30.4-1
ii  python3-gi-cairo     3.30.4-1
ii  python3-idna         2.6-1
ii  python3-keyring      17.1.1-1
ii  python3-nbxmpp       0.6.10-1
ii  python3-openssl      19.0.0-1
ii  python3-precis-i18n  1.0.0-1

Versions of packages gajim recommends:
ii  alsa-utils                                1.1.8-2
ii  aspell-en [aspell-dictionary]             2018.04.16-0-1
ii  ca-certificates                           20190110
ii  dbus                                      1.12.16-1
ii  fonts-noto-color-emoji                    0~20180810-1
ii  gajim-omemo                               2.6.27-1
ii  gajim-pgp                                 1.2.24-1
ii  gir1.2-farstream-0.2                      0.2.8-4.1
ii  gir1.2-geoclue-2.0                        2.5.2-1
ii  gir1.2-gspell-1                           1.6.1-2
ii  gir1.2-gst-plugins-base-1.0               1.14.4-2
ii  gir1.2-gstreamer-1.0                      1.14.4-1
ii  gir1.2-gupnpigd-1.0                       0.2.5-3
ii  gir1.2-secret-1                           0.18.7-1
ii  gstreamer1.0-plugins-ugly                 1.14.4-1
ii  lxqt-notificationd [notification-daemon]  0.14.1-1
ii  notification-daemon                       3.20.0-4
ii  pulseaudio-utils                          12.2-4+deb10u1
ii  python3-crypto                            2.6.1-9+b1
ii  python3-dbus                              1.2.8-3
ii  python3-gnupg                             0.4.4-1
ii  python3-pil                               5.4.1-2+deb10u1
ii  xfce4-notifyd [notification-daemon]       0.4.3-1

Versions of packages gajim suggests:
ii  avahi-daemon      0.7-4+b1
ii  libxss1           1:1.2.3-1
pn  nautilus-sendto   <none>
ii  python3-kerberos  1.1.14-2
ii  python3-pycurl    7.43.0.2-0.1

-- no debconf information

More information about the Pkg-xmpp-devel mailing list