Hello community,

here is the log from the commit of package telepathy-gabble.1728 for openSUSE:12.3:Update checked in at 2013-06-14 16:52:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/telepathy-gabble.1728 (Old)
 and      /work/SRC/openSUSE:12.3:Update/.telepathy-gabble.1728.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "telepathy-gabble.1728" Changes: -------- New Changes file: --- /dev/null 2013-06-12 16:57:03.272031756 +0200 +++ /work/SRC/openSUSE:12.3:Update/.telepathy-gabble.1728.new/telepathy-gabble.changes 2013-06-14 16:52:03.000000000 +0200 
@@ -0,0 +1,1710 @@ +------------------------------------------------------------------- +Mon Jun 3 22:31:21 CEST 2013 - [email protected] + +- Add telepathy-gabble-cve-2013-1431.patch (bnc#822586). This makes + it respect the TLS-required flag on legacy Jabber servers. + Identified as CVE-2013-1431. + +------------------------------------------------------------------- +Thu Mar 14 21:22:50 CET 2013 - [email protected] + +- Add telepathy-gabble-cve-2013-1769.patch (bnc#807449). This + fixes remotely-triggered DoS vulnerabilities identified as + CVE-2013-1769. + +------------------------------------------------------------------- +Wed Sep 12 06:54:47 UTC 2012 - [email protected] + +- Update to version 0.17.1: + + Enhancements: + - fdo#32612: Old-style Tube channels have been removed. + - Tube and Text channels are no longer announced together. + + Fixes: + - Make sure capability discovery works for the camera-v1 + capability bundle, avoiding an iChat bug in which it repeats + failed capability discovery requests in a rapid loop + (fdo#54634) + - Fix some race conditions and other brokenness in the tests +- Add pkgconfig(glib-2.0) BuildRequires so it can be versioned. + +------------------------------------------------------------------- +Mon Aug 27 08:11:16 UTC 2012 - [email protected] + +- Update to version 0.17.0: + + Fix calls with android devices. + + Implement WLM jidlookup. This makes possible to add MSN + contacts using XMPP. + + Fix google caps parsing. + +------------------------------------------------------------------- +Thu Aug 23 11:14:24 UTC 2012 - [email protected] + +- Update to version 0.16.2 + + Fixes: Crash in tp_base_channel_close (fdo#53087). + +------------------------------------------------------------------- +Thu Jun 21 08:34:28 UTC 2012 - [email protected] + +- Update to version 0.16.1: + + "see-other-host" stream error is now supported. This fix + connection issue with Windows Live XMPP server. 
+ + fdo#36998: Fail to establish a video call with Android. + +------------------------------------------------------------------- +Thu Jun 7 19:41:40 UTC 2012 - [email protected] + +- Moved the console plugin to telepathy-gabble-xmpp-console + +------------------------------------------------------------------- +Fri Apr 6 14:11:58 UTC 2012 - [email protected] + +- Update to version 0.16.0: + + Install plugins in their own special (versioned) gabble + directory so we're not installing unversioned ABI-unstable + libraries. + + The DownloadAtConnection and Download ContactList members have + been implemented. + + Handle errors in IBB bytestreams (fdo#47999). + +------------------------------------------------------------------- +Sun Mar 25 18:57:20 UTC 2012 - [email protected] + +- Update to version 0.15.5: + + Enhancements: + - fdo#46513: Refactor Jingle code to remove Telepathy in + preparation of moving it to Wocky. + - fdo#45602: Subclass TpBaseChannel in more channel + implemenations. + - fdo#47502: Add a --disable-voip configure flag to disable + building gabble with VoIP support. + + Fixes: + - Correctly convert between Telepathy and Jingle candidate + types. + - Start sending automatically on accepting bidirectional calls. +- Change dbus-1-glib-devel BuildRequires to pkgconfig(dbus-glib-1). + +------------------------------------------------------------------- +Wed Feb 22 07:20:36 UTC 2012 - [email protected] + +- Update to version 0.15.4: + + Enhancements: + - Add support for the final version of Call1 from + telepathy-spec 0.25.2 and remove the telepathy-yell + submodule. + - fdo#41790: Make file transfer support optional + - fdo#44056: telepathy-gabble-xmpp-console no longer mixes GIR + and pygtk. + - fdo#33911: The Loudmouth API compatibility layer has been + removed. + - fdo#45491: Error messages provided by the server in <presence + type='error'/> stanzas are now exposed via the SimplePresence + API. 
This makes it easier for users to distinguish contacts + being offline from contacts' servers being broken. + - fdo#44649: Gabble now has a gabble-plugins.so library, + similarly to mission-control. + + API changes to Wocky snapshot: + - fdo#45400: WockyPepService's API has changed a little bit. + - fdo#34975: WockyPorter is now responsible for sending back + error replies for unhandled IQs, whereas previously this was + up to Gabble. + - fdo#27489: including <wocky/wocky.h> now includes all public + API from Wocky, and including any other header directly is + forbidden. + + Fixes: + - fdo#44331: Gabble plugin API fails at runtime on Windows: + gabble_plugin_create_sidecar function is renamed to + gabble_plugin_create_sidecar_async and new virtual function + gabble_plugin_create_sidecar_finish is introduced. + - fdo#45443 (workaround): avoid testing Credentials access + control, since recent Linux has stricter requirements for + credentials-passing (it's now opt-in) which we're not yet + meeting. + - fdo#46379: don't raise a GError with domain 0. + - fdo#44855: work around Google's unimplemented capability + discovery by hard-coding the capabilities of the GTalk echo + bot. + - Work around the deprecation of GValueArray. +- Remove doc subpackage, and add appropriate Provides/Obsoletes to + the main subpackage: the doc is too small to make sense as a + separate package. + +------------------------------------------------------------------- +Thu Dec 22 21:36:49 UTC 2011 - [email protected] + +- Update to version 0.15.3: + + Fixes: + - fdo#43891: Update wocky snapshot to fix + wocky_data_form_set_type() +- Changes from version 0.15.2: + + Enhancements: + - fdo#43588, fdo#43889: Add public + gabble_connection_add_sidecar_own_caps_full() function which + includes data forms. + + Fixes: + - fdo#42462: Update wocky snapshot to fix gabble getting kicked + from D-Bus when non-character utf-8 is used by remote clients + - Fix the build when using GLib 2.32. 
+ +------------------------------------------------------------------- +Wed Dec 21 13:12:57 UTC 2011 - [email protected] + +- Split telepathy-gabble-xmpp-console tool in a + telepathy-gabble-xmpp-console subpackage, since it's not really + of interest to most people, and has many dependencies that + telepathy-gabble doesn't have. + +------------------------------------------------------------------- +Fri Nov 25 09:43:26 UTC 2011 - [email protected] + +- Update to version 0.15.1: + + Enhancements: + - fdo#38568: Gabble now ships with an XMPP console interface + - fdo#32692, fdo#30296, fdo#41789: Gabble now implements the + freshly-undrafted Protocol.Interface.Addressing and the + still-unstable Connection.Interface.Addressing1, and uses + them to expose Facebook contacts' integer IDs. + - fdo#42446: Gabble can now be built on Android, using + Androgenizer. + + Fixes: + - capabilities.h and caps-channel-manager.h are no longer + erroneously omitted. + +------------------------------------------------------------------- +Wed Nov 16 18:31:07 UTC 2011 - [email protected] + +- Update to version 0.15.0: + + Enhancements: + - fdo#42288: the Chan.I.FileTransfer.Metadata interface has + been implemented. + - Updated Wocky: The SASL auth server test now builds with new + and old versions of libsasl2. + + Bug fixes: + - fdo#42706: fix a typo when indexing a pointer array by using + the wrong counter! + - fd.o#32050: fix a crasher when using OLPC activities. + + Wocky: + - fdo#41719: don't bail on hashing caps if there's no FORM_TYPE + - fdo#39057: Accept from="server.com" as stanzas coming from + server. + +------------------------------------------------------------------- +Tue Nov 15 09:58:07 UTC 2011 - [email protected] + +- Update to version 0.14.0: + + Enhancements: + - It's now possible to install Gabble's test suite. 
+ - fdo#41417: when connected to Facebook, text channels now + produce 'accepted' delivery reports when the user sends a ++++ 1513 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.3:Update/.telepathy-gabble.1728.new/telepathy-gabble.changes New: ---- telepathy-gabble-0.17.1.tar.gz telepathy-gabble-cve-2013-1431.patch telepathy-gabble-cve-2013-1769.patch telepathy-gabble.changes telepathy-gabble.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ telepathy-gabble.spec ++++++ # # spec file for package telepathy-gabble # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: telepathy-gabble Version: 0.17.1 Release: 0 Summary: XMPP connection manager for Telepathy License: LGPL-2.1+ Group: Productivity/Networking/Instant Messenger Url: http://telepathy.freedesktop.org/wiki/ Source: http://telepathy.freedesktop.org/releases/telepathy-gabble/%{name}-%{version}.tar.gz # PATCH-FIX-UPSTREAM telepathy-gabble-cve-2013-1769.patch bnc#807449 [email protected] -- Fix remote DoS vulnerability CVE-2013-1769. Patch0: telepathy-gabble-cve-2013-1769.patch # PATCH-FIX-UPSTREAM telepathy-gabble-cve-2013-1431.patch bnc#822586 [email protected] -- Respect TLS-required flag on legacy Jabber servers. CVE-2013-1431. 
Patch1: telepathy-gabble-cve-2013-1431.patch BuildRequires: libgnutls-devel BuildRequires: libnice-devel >= 0.0.11 BuildRequires: libsoup-devel BuildRequires: libxslt-devel BuildRequires: python-xml BuildRequires: sqlite3-devel BuildRequires: telepathy-glib-devel >= 0.19.7 BuildRequires: pkgconfig(dbus-glib-1) BuildRequires: pkgconfig(glib-2.0) >= 2.30 Recommends: ca-certificates # doc subpackage removed during 12.2 development Provides: %{name}-doc = %{version} Obsoletes: %{name}-doc < %{version} BuildRoot: %{_tmppath}/%{name}-%{version}-build %description Gabble is a Jabber/XMPP connection manager for the Telepathy framework, currently supporting single user chats, multi user chats and voice/video calls. Install this package to use Telepathy instant messaging clients with Jabber/XMPP servers, including Google Talk. %package xmpp-console Summary: XMPP connection manager for Telepathy -- XMPP Console Group: Productivity/Networking/Instant Messenger Requires: %{name} = %{version} Requires: python-gobject %description xmpp-console This utility is a XMPP console user interface, for telepathy-gabble. 
%prep %setup -q %patch0 -p1 %patch1 -p1 %build %configure \ --disable-static \ --docdir=%{_docdir}/%{name} \ --with-ca-certificates=%{_sysconfdir}/ssl/ca-bundle.pem make %{?_smp_mflags} %install %make_install find %{buildroot} -type f -name "*.la" -delete -print cp AUTHORS ChangeLog COPYING %{buildroot}%{_docdir}/%{name} %clean rm -rf %{buildroot} %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %files %defattr (-,root,root) %doc AUTHORS ChangeLog COPYING NEWS README %doc %{_docdir}/%{name}/*.html %dir %{_datadir}/telepathy %dir %{_datadir}/telepathy/managers %dir %{_libdir}/telepathy %dir %{_libdir}/telepathy/gabble-0 %dir %{_libdir}/telepathy/gabble-0/plugins %{_libexecdir}/telepathy-gabble %{_libdir}/telepathy/gabble-0/lib/ %{_libdir}/telepathy/gabble-0/plugins/libgateways.so %{_datadir}/dbus-1/services/org.freedesktop.Telepathy.ConnectionManager.gabble.service %{_datadir}/telepathy/managers/gabble.manager %{_mandir}/man8/telepathy-gabble.8%{?ext_man} %files xmpp-console %defattr (-,root,root) %{_bindir}/telepathy-gabble-xmpp-console %{_libdir}/telepathy/gabble-0/plugins/libconsole.so %changelog ++++++ telepathy-gabble-cve-2013-1431.patch ++++++ From: Simon McVittie <[email protected]> Date: Mon, 27 May 2013 13:16:22 +0100 Subject: [PATCH] security: respect tls-required flag on legacy Jabber servers It's checked elsewhere for XMPP 1.0 servers, which can either use "old SSL" or perform STARTTLS. Legacy Jabber can only use "old SSL", which is similar to https - connect to a separate port, typically 5223, and start speaking SSL - so if the connection was ever going to be encrypted, by this point it already would be. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=65036 Reviewed-by: Sjoerd Simons <[email protected]> Origin: upstream, 0.16.6 --- wocky/wocky-connector.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/ext/wocky/wocky/wocky-connector.c b/lib/ext/wocky/wocky/wocky-connector.c index 133b9fd..3287285 100644 
--- a/lib/ext/wocky/wocky/wocky-connector.c +++ b/lib/ext/wocky/wocky/wocky-connector.c @@ -1135,6 +1135,9 @@ xmpp_init_recv_cb (GObject *source, if (!priv->legacy_support) abort_connect_code (self, WOCKY_CONNECTOR_ERROR_NON_XMPP_V1_SERVER, "Server not XMPP 1.0 Compliant"); + else if (priv->tls_required && !priv->encrypted) + abort_connect_code (data, WOCKY_CONNECTOR_ERROR_TLS_UNAVAILABLE, + "TLS requested but server is not XMPP 1.0 compliant (try using \"old SSL\")"); else jabber_request_auth (self); } ++++++ telepathy-gabble-cve-2013-1769.patch ++++++ diff --git a/lib/ext/wocky/wocky/wocky-caps-hash.c b/lib/ext/wocky/wocky/wocky-caps-hash.c index 1c18293..01006a7 100644 --- a/lib/ext/wocky/wocky/wocky-caps-hash.c +++ b/lib/ext/wocky/wocky/wocky-caps-hash.c @@ -80,8 +80,17 @@ dataforms_cmp (gconstpointer a, else if (left_type != NULL && right_type == NULL) return 1; else /* left_type != NULL && right_type != NULL */ - return strcmp (g_value_get_string (left_type->default_value), - g_value_get_string (right_type->default_value)); + { + const gchar *left_value = NULL, *right_value = NULL; + + if (left_type->raw_value_contents != NULL) + left_value = left_type->raw_value_contents[0]; + + if (right_type->raw_value_contents != NULL) + right_value = right_type->raw_value_contents[0]; + + return g_strcmp0 (left_value, right_value); + } } static GPtrArray * 
@@ -190,16 +199,22 @@ wocky_caps_hash_compute_from_lists ( continue; } - form_name = g_value_get_string (field->default_value); - if (field->type != WOCKY_DATA_FORM_FIELD_TYPE_HIDDEN) { - DEBUG ("FORM_TYPE field of form '%s' is not hidden; " - "ignoring form and moving onto next one", - form_name); + DEBUG ("FORM_TYPE field is not hidden; " + "ignoring form and moving onto next one"); continue; } + if (field->raw_value_contents == NULL || + g_strv_length (field->raw_value_contents) != 1) + { + DEBUG ("FORM_TYPE field does not have exactly one value; failing"); + goto cleanup; + } + + form_name = field->raw_value_contents[0]; + if (g_hash_table_lookup (form_names, form_name) != NULL) { DEBUG ("error: there are multiple data forms with the " @@ -224,6 +239,14 @@ wocky_caps_hash_compute_from_lists ( field = l->data; + if (field->var == NULL) + { + DEBUG ("can't hash form '%s': it has an anonymous field", + form_name); + g_slist_free (fields); + goto cleanup; + } + if (!wocky_strdiff (field->var, "FORM_TYPE")) continue; diff --git a/lib/ext/wocky/wocky/wocky-data-form.c b/lib/ext/wocky/wocky/wocky-data-form.c index 8428016..c74c1ae 100644 --- a/lib/ext/wocky/wocky/wocky-data-form.c +++ b/lib/ext/wocky/wocky/wocky-data-form.c @@ -1050,7 +1050,7 @@ gint wocky_data_form_field_cmp (const WockyDataFormField *left, const WockyDataFormField *right) { - return strcmp (left->var, right->var); + return g_strcmp0 (left->var, right->var); } static void -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
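Review bot: In xmpp_init_recv_cb (wocky-connector.c, telepathy-gabble-cve-2013-1431.patch), the new TLS branch passes `data` to abort_connect_code while the branch directly above it passes `self`. If both name the same connector object, use `self` here as well so the branches read consistently; if they do not, the call needs a comment saying why. The reasoning that legacy Jabber can only be encrypted through "old SSL" lives only in the commit message, so a one-line comment beside the `priv->tls_required && !priv->encrypted` test would keep it with the code.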
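Review bot: In dataforms_cmp (wocky-caps-hash.c, first hunk of telepathy-gabble-cve-2013-1769.patch), two forms whose FORM_TYPE field carries no value now compare as equal through g_strcmp0 (NULL, NULL), so their relative order is left to the sort. Add a comment stating that this is tolerated because wocky_caps_hash_compute_from_lists rejects a FORM_TYPE field that does not have exactly one value, or define the intended ordering explicitly.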
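Review bot: In wocky_caps_hash_compute_from_lists (wocky-caps-hash.c, hunk at -190,16), a FORM_TYPE field that is not hidden skips the form with `continue`, while a FORM_TYPE field without exactly one value abandons the whole computation with `goto cleanup`. Neither site explains the difference in severity; add a comment on each branch saying why one case is ignorable and the other is fatal. The new DEBUG message could also say whether raw_value_contents was NULL or held several values, which is what a reader of the log will want to know.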
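Review bot: In the field loop of wocky_caps_hash_compute_from_lists (wocky-caps-hash.c, hunk at -224,6), the new anonymous-field branch has to call g_slist_free (fields) by hand before `goto cleanup`. Any other early exit from this loop needs the same call, so consider freeing `fields` under the cleanup label instead of at each exit. A regression test that feeds in a form containing a field with no var would keep this path covered.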
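Review bot: wocky_data_form_field_cmp (wocky-data-form.c) now accepts fields whose var is NULL, but nothing at the function says so. Document that a NULL var is allowed and that g_strcmp0 sorts it before any non-NULL var, so callers sorting with this comparator know anonymous fields come first.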
