Hello community, here is the log from the commit of package telepathy-gabble for openSUSE:11.3 checked in at Tue Feb 22 15:30:22 CET 2011.
-------- --- old-versions/11.3/all/telepathy-gabble/telepathy-gabble.changes 2010-05-11 19:14:42.000000000 +0200 +++ 11.3/telepathy-gabble/telepathy-gabble.changes 2011-02-21 19:06:11.000000000 +0100 @@ -1,0 +2,10 @@ +Mon Feb 21 16:24:13 CET 2011 - [email protected] + +- Add telepathy-gabble-CVE-2011-1000.patch: this fixes insufficient + input validation, that could be exploited. Fix CVE-2011-1000 and + bnc#673257. +- Add telepathy-gabble-wocky_stanza_get_from.patch: this adds some + really simple API to wocky, needed by + telepathy-gabble-CVE-2011-1000.patch. + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/telepathy-gabble Destination is old-versions/11.3/UPDATES/all/telepathy-gabble calling whatdependson for 11.3-i586 New: ---- telepathy-gabble-CVE-2011-1000.patch telepathy-gabble-wocky_stanza_get_from.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ telepathy-gabble.spec ++++++ --- /var/tmp/diff_new_pack.iaGCVU/_old 2011-02-22 15:29:57.000000000 +0100 +++ /var/tmp/diff_new_pack.iaGCVU/_new 2011-02-22 15:29:57.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package telepathy-gabble (Version 0.9.11) +# spec file for package telepathy-gabble # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ Name: telepathy-gabble Version: 0.9.11 -Release: 1 +Release: 2.<RELEASE2> # FIXME: switch to libgnutls-devel once we have a recent enough version of gnutls License: LGPLv2.1+ Summary: XMPP connection manager for Telepathy @@ -28,6 +28,10 @@ Source: %{name}-%{version}.tar.bz2 # PATCH-FIX-OPENSUSE telepathy-gabble-include-uuid-fix.patch [email protected] -- Fix build on 11.1 because of broken libuuid pkg-config file there. See bnc#489136 Patch: telepathy-gabble-include-uuid-fix.patch +# PATCH-FIX-UPSTREAM telepathy-gabble-wocky_stanza_get_from.patch [email protected] -- add wocky API needed for telepathy-gabble-CVE-2011-1000.patch +Patch1: telepathy-gabble-wocky_stanza_get_from.patch +# PATCH-FIX-UPSTREAM telepathy-gabble-CVE-2011-1000.patch CVE-2011-1000 bnc#673257 fdo#34048 [email protected] -- insufficient input validation, taken from upstream +Patch2: telepathy-gabble-CVE-2011-1000.patch BuildRequires: dbus-1-glib-devel BuildRequires: libopenssl-devel BuildRequires: libsoup-devel @@ -62,6 +66,10 @@ %if 0%{suse_version} == 1110 %patch -p1 %endif +pushd lib/ext/wocky +%patch1 -p1 +popd +%patch2 -p1 %build %configure \ ++++++ telepathy-gabble-CVE-2011-1000.patch ++++++ >From 5ab349b6837389d21a2664a71db464d1b9c6644c Mon Sep 17 00:00:00 2001 From: Will Thompson <[email protected]> Date: Tue, 8 Feb 2011 18:43:21 +0000 Subject: [PATCH] Ignore google:jingleinfo pushes from contacts. Previously, Gabble would erroneously process google:jingleinfo updates sent by anybody, rather than only paying attention to those sent by the user's server. This may theoretically allow an attacker to trick Gabble into relaying streamed media through a server of the attacker's choosing, enabling them to intercept, obstruct or modify the user's audio and video calls. This patch addresses this flaw, following the same pattern as the corresponding check in the roster code. Note that even without this flaw, no security guarantees on media in calls can be provided in the presence of malicious network admins or insecure networks: an attacker who can eavesdrop the network traffic still has the ability to intercept the content of the call, as the media is transmitted unencrypted. --- src/jingle-factory.c | 16 ++++++++++++++++ 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/src/jingle-factory.c b/src/jingle-factory.c index 4a1cf6c..07d9542 100644 --- a/src/jingle-factory.c +++ b/src/jingle-factory.c @@ -259,6 +259,22 @@ got_jingle_info_stanza (GabbleJingleFactory *fac, GabbleJingleFactoryPrivate *priv = fac->priv; LmMessageSubType sub_type; LmMessageNode *query_node, *node; + const gchar *from = wocky_stanza_get_from (message); + + if (from != NULL) + { + TpBaseConnection *base_conn = TP_BASE_CONNECTION (priv->conn); + TpHandleRepoIface *contact_repo = tp_base_connection_get_handles ( + base_conn, TP_HANDLE_TYPE_CONTACT); + TpHandle sender = tp_handle_lookup (contact_repo, from, NULL, NULL); + + if (sender != base_conn->self_handle) + { + DEBUG ("ignoring jingleinfo from '%s', not ourself nor the server", + from); + return LM_HANDLER_RESULT_ALLOW_MORE_HANDLERS; + } + } query_node = lm_message_node_get_child_with_namespace ( wocky_stanza_get_top_node (message), "query", NS_GOOGLE_JINGLE_INFO); -- 1.7.2.3 ++++++ telepathy-gabble-wocky_stanza_get_from.patch ++++++ >From 181a042eb85a59497d6361b68d125df0db4ed092 Mon Sep 17 00:00:00 2001 From: Will Thompson <[email protected]> Date: Tue, 19 Oct 2010 18:55:55 +0100 Subject: [PATCH] Add wocky_stanza_get_{from,to} --- wocky/wocky-stanza.c | 34 ++++++++++++++++++++++++++++++++++ wocky/wocky-stanza.h | 3 +++ 2 files changed, 37 insertions(+), 0 deletions(-) diff --git a/wocky/wocky-stanza.c b/wocky/wocky-stanza.c index 4fdd62b..3faefae 100644 --- a/wocky/wocky-stanza.c +++ b/wocky/wocky-stanza.c @@ -559,3 +559,37 @@ wocky_stanza_get_top_node (WockyStanza *self) { return wocky_node_tree_get_top_node (WOCKY_NODE_TREE (self)); } + +/** + * wocky_stanza_get_from: + * @self: a stanza + * + * <!-- moo --> + * + * Returns: The sender of @self, or %NULL if no sender was specified. + */ +const gchar * +wocky_stanza_get_from (WockyStanza *self) +{ + g_return_val_if_fail (self != NULL, NULL); + g_return_val_if_fail (WOCKY_IS_STANZA (self), NULL); + + return wocky_node_get_attribute (wocky_stanza_get_top_node (self), "from"); +} + +/** + * wocky_stanza_get_to: + * @self: a stanza + * + * <!-- moo --> + * + * Returns: The recipient of @self, or %NULL if no recipient was specified. + */ +const gchar * +wocky_stanza_get_to (WockyStanza *self) +{ + g_return_val_if_fail (self != NULL, NULL); + g_return_val_if_fail (WOCKY_IS_STANZA (self), NULL); + + return wocky_node_get_attribute (wocky_stanza_get_top_node (self), "to"); +} diff --git a/wocky/wocky-stanza.h b/wocky/wocky-stanza.h index eae7e0c..d0d179f 100644 --- a/wocky/wocky-stanza.h +++ b/wocky/wocky-stanza.h @@ -111,6 +111,9 @@ WockyStanza * wocky_stanza_build (WockyStanzaType type, void wocky_stanza_get_type_info (WockyStanza *stanza, WockyStanzaType *type, WockyStanzaSubType *sub_type); +const gchar *wocky_stanza_get_from (WockyStanza *self); +const gchar *wocky_stanza_get_to (WockyStanza *self); + WockyStanza * wocky_stanza_build_va (WockyStanzaType type, WockyStanzaSubType sub_type, const gchar *from, -- 1.7.2.3 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
