author | Marius Bakke <mbakke@fastmail.com> | 2017-05-28 13:07:05 +0200 |
---|---|---|
committer | Marius Bakke <mbakke@fastmail.com> | 2017-05-28 13:18:24 +0200 |
commit | 3803b069f6425d2ef586e62cdffe339ef55178ec (patch) | |
tree | e76f5f68efab7d789d253e7b582835fd2c4f4863 | |
parent | ca40d4e7c5dd61d4451cebd0eb910bc705bcc06e (diff) | |
gnu: gajim: Fix CVE-2016-10376.
* gnu/packages/patches/gajim-CVE-2016-10376.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/messaging.scm (gajim)[source]: Use it.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/messaging.scm | 2 | ||||
-rw-r--r-- | gnu/packages/patches/gajim-CVE-2016-10376.patch | 57 |
3 files changed, 60 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 80b0d495aa..eb12b62f83 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -598,6 +598,7 @@ dist_patch_DATA = \
 %D%/packages/patches/freetype-CVE-2017-8105.patch \
 %D%/packages/patches/freetype-CVE-2017-8287.patch \
 %D%/packages/patches/fuse-overlapping-headers.patch \
+ %D%/packages/patches/gajim-CVE-2016-10376.patch \
 %D%/packages/patches/gawk-shell.patch \
 %D%/packages/patches/gcc-arm-bug-71399.patch \
 %D%/packages/patches/gcc-arm-link-spec-fix.patch \
diff --git a/gnu/packages/messaging.scm b/gnu/packages/messaging.scm
index c22d3d4dc8..425a7c4c23 100644
--- a/gnu/packages/messaging.scm
+++ b/gnu/packages/messaging.scm
@@ -490,6 +490,8 @@ was initially a fork of xmpppy, but uses non-blocking sockets.")
 (uri (string-append "https://gajim.org/downloads/"
 (version-major+minor version)
 "/gajim-" version ".tar.bz2"))
+ (patches
+ (search-patches "gajim-CVE-2016-10376.patch"))
 (sha256
 (base32
 "13sxz0hpvyj2yvcbsfqq9yn0hp1d1zsxsj40r0v16jlibha5da9n"))))
diff --git a/gnu/packages/patches/gajim-CVE-2016-10376.patch b/gnu/packages/patches/gajim-CVE-2016-10376.patch
new file mode 100644
index 0000000000..591dd1af21
--- /dev/null
+++ b/gnu/packages/patches/gajim-CVE-2016-10376.patch
@@ -0,0 +1,57 @@
+Fix CVE-2016-10376.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10376
+http://seclists.org/oss-sec/2017/q2/341
+https://dev.gajim.org/gajim/gajim/issues/8378
+
+Patch copied from upstream source repository:
+
+https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc
+
+(adapted for context in config.py)
+
+From cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc Mon Sep 17 00:00:00 2001
+From: Philipp Hörist <forenjunkie@chello.at>
+Date: Fri, 26 May 2017 23:10:05 +0200
+Subject: [PATCH] Add config option to activate XEP-0146 commands
+
+Some of the Commands have security implications, thats why we disable them per default
+Fixes #8378
+---
+ src/common/commands.py | 7 ++++---
+ src/common/config.py | 1 +
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/common/commands.py b/src/common/commands.py
+index 19d8c13..0eeb57c 100644
+--- a/src/common/commands.py
++++ b/src/common/commands.py
+@@ -345,9 +345,10 @@ class ConnectionCommands:
+ def __init__(self):
+ # a list of all commands exposed: node -> command class
+ self.__commands = {}
+- for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand,
+- LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand):
+- self.__commands[cmdobj.commandnode] = cmdobj
++ if gajim.config.get('remote_commands'):
++ for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand,
++ LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand):
++ self.__commands[cmdobj.commandnode] = cmdobj
+
+ # a list of sessions; keys are tuples (jid, sessionid, node)
+ self.__sessions = {}
+diff --git a/src/common/config.py b/src/common/config.py
+index cde1f81..fe25455 100644
+--- a/src/common/config.py
++++ b/src/common/config.py
+@@ -314,6 +314,7 @@ class Config:
+ 'ignore_incoming_attention': [opt_bool, False, _('If True, Gajim will ignore incoming attention requestd ("wizz").')],
+ 'remember_opened_chat_controls': [ opt_bool, True, _('If enabled, Gajim will reopen chat windows that were opened last time Gajim was closed.')],
+ 'positive_184_ack': [ opt_bool, False, _('If enabled, Gajim will show an icon to show that sent message has been received by your contact')],
++ 'remote_commands': [opt_bool, False, _('If True, Gajim will execute XEP-0146 Commands.')],
+ }, {})
+
+ __options_per_key = {
+--
+libgit2 0.24.0
+
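Review bot: The `remote_commands` gate in the vendored patch is read only once, in `ConnectionCommands.__init__`, where `self.__commands` is populated, and nothing in the hunk repopulates that dict afterwards; if that object lives for the whole connection (likely, but not visible here), toggling the option later will not take effect until the connection is re-established, which the option's help text does not say. Since the patch is copied verbatim from upstream, I would not edit it in Guix, but the packaging commit message could record this caveat, e.g. `The new 'remote_commands' option (default off) is honoured on (re)connection only.` The defensive default (`False`) is the right choice for a fix of this kind, and the hunk counts (`-345,9 +345,10`, `-314,6 +314,7`, `+1,57`) line up with the restored lines. `ConnectionCommands.__init__` continues past the end of this hunk.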