Control: tags 854740 + patch
Control: tags 854740 + pending

Dear maintainer,

I've prepared an NMU for slixmpp (versioned as 1.2.2-1.1) and uploaded it to unstable. Please find attached the debdiff.

Regards,
Markus
diff -Nru slixmpp-1.2.2/debian/changelog slixmpp-1.2.2/debian/changelog --- slixmpp-1.2.2/debian/changelog 2016-11-29 17:19:17.000000000 +0100 +++ slixmpp-1.2.2/debian/changelog 2017-02-26 20:31:13.000000000 +0100 @@ -1,3 +1,14 @@ +slixmpp (1.2.2-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2017-5591: + An incorrect implementation of XEP-0280: Message Carbons in slixmpp allows + a remote attacker to impersonate any user, including contacts, in the + vulnerable application's display. This allows for various kinds of social + engineering attacks. (Closes: #854740) + + -- Markus Koschany <a...@debian.org> Sun, 26 Feb 2017 20:31:13 +0100 + slixmpp (1.2.2-1) unstable; urgency=medium * New upstream version: diff -Nru slixmpp-1.2.2/debian/patches/CVE-2017-5591.patch slixmpp-1.2.2/debian/patches/CVE-2017-5591.patch --- slixmpp-1.2.2/debian/patches/CVE-2017-5591.patch 1970-01-01 01:00:00.000000000 +0100 +++ slixmpp-1.2.2/debian/patches/CVE-2017-5591.patch 2017-02-26 20:31:13.000000000 +0100 
@@ -0,0 +1,34 @@ +From: Markus Koschany <a...@debian.org> +Date: Sun, 26 Feb 2017 20:28:43 +0100 +Subject: CVE-2017-5591 + +An incorrect implementation of XEP-0280: Message Carbons in slixmpp allows a +remote attacker to impersonate any user, including contacts, in the vulnerable +application's display. This allows for various kinds of social engineering +attacks. + +Bug-Debian: https://bugs.debian.org/854740 +Origin: https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb471 +--- + slixmpp/plugins/xep_0280/carbons.py | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/slixmpp/plugins/xep_0280/carbons.py b/slixmpp/plugins/xep_0280/carbons.py +index 261238b..aa71f7f 100644 +--- a/slixmpp/plugins/xep_0280/carbons.py ++++ b/slixmpp/plugins/xep_0280/carbons.py +@@ -61,10 +61,12 @@ class XEP_0280(BasePlugin): + self.xmpp.plugin['xep_0030'].add_feature('urn:xmpp:carbons:2') + + def _handle_carbon_received(self, msg): +- self.xmpp.event('carbon_received', msg) ++ if msg['from'].bare == self.xmpp.boundjid.bare: ++ self.xmpp.event('carbon_received', msg) + + def _handle_carbon_sent(self, msg): +- self.xmpp.event('carbon_sent', msg) ++ if msg['from'].bare == self.xmpp.boundjid.bare: ++ self.xmpp.event('carbon_sent', msg) + + def enable(self, ifrom=None, timeout=None, callback=None, + timeout_callback=None): diff -Nru slixmpp-1.2.2/debian/patches/series slixmpp-1.2.2/debian/patches/series --- slixmpp-1.2.2/debian/patches/series 2016-11-29 17:01:50.000000000 +0100 +++ slixmpp-1.2.2/debian/patches/series 2017-02-26 20:31:13.000000000 +0100 @@ -1 +1,2 @@ disable-incorrect-tests.patch +CVE-2017-5591.patch
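Review bot: the new `if` guards in `_handle_carbon_received` and `_handle_carbon_sent` reject a carbon whose `from` bare JID differs from `self.xmpp.boundjid.bare` by silently not raising the event, so a forged carbon (the CVE-2017-5591 impersonation case) leaves no trace for the application; consider logging the rejected stanza with the module logger, e.g. `log.warning('Dropping carbon with unexpected from: %s', msg['from'])`, so operators of a client built on slixmpp can detect impersonation attempts. The comparison against the bound bare JID is the right check under XEP-0280, since carbons are only ever delivered by the user's own server in the user's name; note that the same guard also drops a carbon that carries no `from` attribute at all if slixmpp maps a missing attribute to an empty JID, which is worth a sentence in the patch description. Minor: the `Origin:` commit hash in the patch header is 35 hex characters rather than a full 40-character SHA-1, so it looks truncated; recording the full hash keeps the upstream reference unambiguous.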