Merge ~tsimonq2/kubuntu-packaging/+git/kubuntu-kopete:kubuntu_zesty_archive into ~kubuntu-packagers/kubuntu-packaging/+git/kopete:kubuntu_zesty_archive

Proposed by Simon Quigley on 2017-02-15
Status: Merged
Merged at revision: 264c59251522eadcc894c89a42c1109850caab9c
Proposed branch: ~tsimonq2/kubuntu-packaging/+git/kubuntu-kopete:kubuntu_zesty_archive
Merge into: ~kubuntu-packagers/kubuntu-packaging/+git/kopete:kubuntu_zesty_archive
Diff against target: 149 lines (+129/-0)
3 files modified
debian/changelog (+9/-0)
debian/patches/CVE-2017-5593-User-Impersonation-Vulnerability-in-Jabber-protocol.patch (+119/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Kubuntu Packagers 2017-02-15 Pending
Review via email: mp+317411@code.launchpad.net

Description of the Change

Sync my Kopete CVE fix from the archive.


Preview Diff

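--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+kopete (4:16.12.1-0ubuntu3) zesty; urgency=medium
+
+ * SECURITY UPDATE: User Impersonation Vulnerability in Jabber protocol
+ (LP: #1663950)
+ - CVE-2017-5593-User-Impersonation-Vulnerability-in-Jabber-protocol.patch
+ - CVE-2017-5593
+
+ -- Simon Quigley <tsimonq2@ubuntu.com> Sat, 11 Feb 2017 18:19:49 -0600
+
 kopete (4:16.12.1-0ubuntu2) zesty; urgency=medium
 
 * Removal of libjasper as per Debian lead. This removes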
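--- /dev/null
+++ b/debian/patches/CVE-2017-5593-User-Impersonation-Vulnerability-in-Jabber-protocol.patch
@@ -0,0 +1,119 @@
+Description: User Impersonation Vulnerability in Jabber protocol
+ An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP
+ clients allows a remote attacker to impersonate any user, including contacts,
+ in the vulnerable application's display. This allows for various kinds of
+ social engineering attacks.
+ .
+ This patch can be removed in kopete 16.12.3 and on.
+Author: Pali Rohár <pali.rohar@gmail.com>
+Origin: upstream
+Bug: https://bugs.kde.org/show_bug.cgi?id=376348
+Applied-Upstream: 6243764c4fd0985320d4a10b48051cc418d584ad
+Last-Update: 2017-02-11
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- /dev/null
++++ b/protocols/jabber/libiris/patches/01_cve_2017-5593.patch
+@@ -0,0 +1,52 @@
++diff --git a/src/xmpp/xmpp-im/xmpp_tasks.cpp b/src/xmpp/xmpp-im/xmpp_tasks.cpp
++index 0e74b71..0837548 100644
++--- a/src/xmpp/xmpp-im/xmpp_tasks.cpp
+++++ b/src/xmpp/xmpp-im/xmpp_tasks.cpp
++@@ -888,14 +888,18 @@ bool JT_PushMessage::take(const QDomElement &e)
++ QDomElement forward;
++ Message::CarbonDir cd = Message::NoCarbon;
++
+++ Jid fromJid = Jid(e1.attribute(QLatin1String("from")));
++ // Check for Carbon
++ QDomNodeList list = e1.childNodes();
++ for (int i = 0; i < list.size(); ++i) {
++ QDomElement el = list.at(i).toElement();
++
++- if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2") && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))) {
+++ if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2")
+++ && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))
+++ && fromJid.compare(Jid(e1.attribute(QLatin1String("to"))), false)) {
++ QDomElement el1 = el.firstChildElement();
++- if (el1.tagName() == QLatin1String("forwarded") && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+++ if (el1.tagName() == QLatin1String("forwarded")
+++ && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
++ QDomElement el2 = el1.firstChildElement(QLatin1String("message"));
++ if (!el2.isNull()) {
++ forward = el2;
++@@ -904,7 +908,8 @@ bool JT_PushMessage::take(const QDomElement &e)
++ }
++ }
++ }
++- else if (el.tagName() == QLatin1String("forwarded") && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+++ else if (el.tagName() == QLatin1String("forwarded")
+++ && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
++ forward = el.firstChildElement(QLatin1String("message")); // currently only messages are supportted
++ // TODO <delay> element support
++ if (!forward.isNull()) {
++@@ -913,7 +918,6 @@ bool JT_PushMessage::take(const QDomElement &e)
++ }
++ }
++
++- QString from = e1.attribute(QLatin1String("from"));
++ Stanza s = client()->stream().createStanza(addCorrectNS(forward.isNull()? e1 : forward));
++ if(s.isNull()) {
++ //printf("take: bad stanza??\n");
++@@ -926,7 +930,7 @@ bool JT_PushMessage::take(const QDomElement &e)
++ return false;
++ }
++ if (!forward.isNull()) {
++- m.setForwardedFrom(Jid(from));
+++ m.setForwardedFrom(fromJid);
++ m.setCarbonDirection(cd);
++ }
++
+--- a/protocols/jabber/libiris/src/xmpp/xmpp-im/xmpp_tasks.cpp
++++ b/protocols/jabber/libiris/src/xmpp/xmpp-im/xmpp_tasks.cpp
+@@ -888,14 +888,18 @@ bool JT_PushMessage::take(const QDomElem
+ QDomElement forward;
+ Message::CarbonDir cd = Message::NoCarbon;
+
++ Jid fromJid = Jid(e1.attribute(QLatin1String("from")));
+ // Check for Carbon
+ QDomNodeList list = e1.childNodes();
+ for (int i = 0; i < list.size(); ++i) {
+ QDomElement el = list.at(i).toElement();
+
+- if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2") && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))) {
++ if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2")
++ && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))
++ && fromJid.compare(Jid(e1.attribute(QLatin1String("to"))), false)) {
+ QDomElement el1 = el.firstChildElement();
+- if (el1.tagName() == QLatin1String("forwarded") && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
++ if (el1.tagName() == QLatin1String("forwarded")
++ && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+ QDomElement el2 = el1.firstChildElement(QLatin1String("message"));
+ if (!el2.isNull()) {
+ forward = el2;
+@@ -904,7 +908,8 @@ bool JT_PushMessage::take(const QDomElem
+ }
+ }
+ }
+- else if (el.tagName() == QLatin1String("forwarded") && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
++ else if (el.tagName() == QLatin1String("forwarded")
++ && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+ forward = el.firstChildElement(QLatin1String("message")); // currently only messages are supportted
+ // TODO <delay> element support
+ if (!forward.isNull()) {
+@@ -913,7 +918,6 @@ bool JT_PushMessage::take(const QDomElem
+ }
+ }
+
+- QString from = e1.attribute(QLatin1String("from"));
+ Stanza s = client()->stream().createStanza(addCorrectNS(forward.isNull()? e1 : forward));
+ if(s.isNull()) {
+ //printf("take: bad stanza??\n");
+@@ -926,7 +930,7 @@ bool JT_PushMessage::take(const QDomElem
+ return false;
+ }
+ if (!forward.isNull()) {
+- m.setForwardedFrom(Jid(from));
++ m.setForwardedFrom(fromJid);
+ m.setCarbonDirection(cd);
+ }
+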
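Review bot: The new sender check guards only the carbons branch in `JT_PushMessage::take`; the `else if` branch that accepts a bare `<forwarded xmlns="urn:xmpp:forward:0">` child still takes the inner `<message>` from any sender, and `createStanza(addCorrectNS(forward.isNull()? e1 : forward))` then builds the message from that inner element. Whether the UI attributes such a message to the inner `from` or to the value passed to `setForwardedFrom(fromJid)` is not visible in these hunks, so this should be confirmed against the callers and recorded at that branch, for example `// non-carbon forward: the inner 'from' is unauthenticated; display the outer sender`. The carbon check compares `from` with the stanza's own `to` attribute; comparing against the account JID instead, `fromJid.compare(client()->jid(), false)`, would not depend on `to` being present and would make the case where both attributes are missing explicit (how `Jid::compare` treats two empty JIDs should be checked). The function starts and ends outside the hunks, so the handling of `cd` and the rest of the body were not reviewed.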
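--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 disable_failing_test.diff
+CVE-2017-5593-User-Impersonation-Vulnerability-in-Jabber-protocol.patch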
