
01/01: gnu: gajim: Fix CVE-2016-10376.


From: Marius Bakke
Subject: 01/01: gnu: gajim: Fix CVE-2016-10376.
Date: Sun, 28 May 2017 07:19:21 -0400 (EDT)

mbakke pushed a commit to branch master
in repository guix.

commit 3803b069f6425d2ef586e62cdffe339ef55178ec
Author: Marius Bakke <address@hidden>
Date:   Sun May 28 13:07:05 2017 +0200

    gnu: gajim: Fix CVE-2016-10376.
    
    * gnu/packages/patches/gajim-CVE-2016-10376.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
    * gnu/packages/messaging.scm (gajim)[source]: Use it.
---
 gnu/local.mk                                    |  1 +
 gnu/packages/messaging.scm                      |  2 +
 gnu/packages/patches/gajim-CVE-2016-10376.patch | 57 +++++++++++++++++++++++++
 3 files changed, 60 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index 80b0d49..eb12b62 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -598,6 +598,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/freetype-CVE-2017-8105.patch            \
   %D%/packages/patches/freetype-CVE-2017-8287.patch            \
   %D%/packages/patches/fuse-overlapping-headers.patch                          
\
+  %D%/packages/patches/gajim-CVE-2016-10376.patch              \
   %D%/packages/patches/gawk-shell.patch                                \
   %D%/packages/patches/gcc-arm-bug-71399.patch                 \
   %D%/packages/patches/gcc-arm-link-spec-fix.patch             \
diff --git a/gnu/packages/messaging.scm b/gnu/packages/messaging.scm
index c22d3d4..425a7c4 100644
--- a/gnu/packages/messaging.scm
+++ b/gnu/packages/messaging.scm
@@ -490,6 +490,8 @@ was initially a fork of xmpppy, but uses non-blocking 
sockets.")
               (uri (string-append "https://gajim.org/downloads/";
                                   (version-major+minor version)
                                   "/gajim-" version ".tar.bz2"))
+              (patches
+               (search-patches "gajim-CVE-2016-10376.patch"))
               (sha256
                (base32
                 "13sxz0hpvyj2yvcbsfqq9yn0hp1d1zsxsj40r0v16jlibha5da9n"))))
diff --git a/gnu/packages/patches/gajim-CVE-2016-10376.patch 
b/gnu/packages/patches/gajim-CVE-2016-10376.patch
new file mode 100644
index 0000000..591dd1a
--- /dev/null
+++ b/gnu/packages/patches/gajim-CVE-2016-10376.patch
@@ -0,0 +1,57 @@
+Fix CVE-2016-10376.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10376
+http://seclists.org/oss-sec/2017/q2/341
+https://dev.gajim.org/gajim/gajim/issues/8378
+
+Patch copied from upstream source repository:
+
+https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc
+
+(adapted for context in config.py)
+
+From cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc Mon Sep 17 00:00:00 2001
+From: Philipp Hörist <address@hidden>
+Date: Fri, 26 May 2017 23:10:05 +0200
+Subject: [PATCH] Add config option to activate XEP-0146 commands
+
+Some of the Commands have security implications, thats why we disable them per 
default
+Fixes #8378
+---
+ src/common/commands.py | 7 ++++---
+ src/common/config.py   | 1 +
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/common/commands.py b/src/common/commands.py
+index 19d8c13..0eeb57c 100644
+--- a/src/common/commands.py
++++ b/src/common/commands.py
+@@ -345,9 +345,10 @@ class ConnectionCommands:
+     def __init__(self):
+         # a list of all commands exposed: node -> command class
+         self.__commands = {}
+-        for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand,
+-        LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand):
+-            self.__commands[cmdobj.commandnode] = cmdobj
++        if gajim.config.get('remote_commands'):
++            for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand,
++            LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand):
++                self.__commands[cmdobj.commandnode] = cmdobj
+ 
+         # a list of sessions; keys are tuples (jid, sessionid, node)
+         self.__sessions = {}
+diff --git a/src/common/config.py b/src/common/config.py
+index cde1f81..fe25455 100644
+--- a/src/common/config.py
++++ b/src/common/config.py
+@@ -314,6 +314,7 @@ class Config:
+             'ignore_incoming_attention': [opt_bool, False, _('If True, Gajim 
will ignore incoming attention requestd ("wizz").')],
+             'remember_opened_chat_controls': [ opt_bool, True, _('If enabled, 
Gajim will reopen chat windows that were opened last time Gajim was closed.')],
+             'positive_184_ack': [ opt_bool, False, _('If enabled, Gajim will 
show an icon to show that sent message has been received by your contact')],
++            'remote_commands': [opt_bool, False, _('If True, Gajim will 
execute XEP-0146 Commands.')],
+     }, {})
+ 
+     __options_per_key = {
+--
+libgit2 0.24.0
+
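Review bot: The new `remote_commands` key lands in what looks like Gajim's global option table (the dict closed by `}, {})` immediately before `__options_per_key = {`), so a user who turns XEP-0146 commands back on for one trusted account appears to turn them on for every account in the profile; if the per-account table supports it, a `remote_commands` entry under `__options_per_key` would keep the gate at account granularity, which is the least-privilege shape the upstream fix is reaching for. The gate is also read only once, in `ConnectionCommands.__init__`, so presumably a change to the option has no effect until the connection object is rebuilt — that is worth stating in the Guix patch header, e.g. `All XEP-0146 commands stay disabled unless 'remote_commands' is set to True; the option is read when a connection is set up.` Both `ConnectionCommands` and `Config` continue outside the hunk, so I cannot confirm either table's semantics from here.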


