Bug#854735: profanity: diff for NMU version 0.4.7-1.1

Sun, 26 Feb 2017 05:24:31 -0800 

Package: profanity
Version: 0.4.7-1
Severity: normal
Tags: patch pending

Dear maintainer and release team,

I've prepared an NMU for profanity (versioned as 0.4.7-1.1).
As a newer version is already in unstable, this targets
"testing-proposed-updates".

Regards,
Tomasz
diff -Nru profanity-0.4.7/debian/changelog profanity-0.4.7/debian/changelog
--- profanity-0.4.7/debian/changelog	2015-09-26 16:47:33.000000000 +0200
+++ profanity-0.4.7/debian/changelog	2017-02-25 18:29:37.000000000 +0100
@@ -1,3 +1,10 @@
+profanity (0.4.7-1.1) testing-proposed-updates; urgency=medium
+
+  * Non-maintainer upload
+  * Fix CVE-2017-5592
+
+ -- Tomasz Buchert <tom...@debian.org>  Sat, 25 Feb 2017 18:29:37 +0100
+
 profanity (0.4.7-1) unstable; urgency=medium
 
   * Imported Upstream version 0.4.7
@@ -43,4 +50,3 @@
   * Initial release (Closes: #745872)
 
  -- Dariusz Dwornikowski <dariusz.dwornikow...@cs.put.poznan.pl>  Wed, 27 Aug 2014 12:34:59 +0200
-
diff -Nru profanity-0.4.7/debian/patches/0002-Import-the-patch-fixing-CVE-2017-5592.patch profanity-0.4.7/debian/patches/0002-Import-the-patch-fixing-CVE-2017-5592.patch
--- profanity-0.4.7/debian/patches/0002-Import-the-patch-fixing-CVE-2017-5592.patch	1970-01-01 01:00:00.000000000 +0100
+++ profanity-0.4.7/debian/patches/0002-Import-the-patch-fixing-CVE-2017-5592.patch	2017-02-25 18:29:37.000000000 +0100
@@ -0,0 +1,41 @@
+From: Tomasz Buchert <tom...@buchert.pl>
+Date: Sat, 25 Feb 2017 17:01:33 +0100
+Subject: Import the patch fixing CVE-2017-5592.
+
+The patch was provided by the upstream author.
+---
+ src/xmpp/message.c                   | 7 +++++++
+ tests/functionaltests/test_carbons.c | 2 +-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/xmpp/message.c b/src/xmpp/message.c
+index 5581521..f6bb864 100644
+--- a/src/xmpp/message.c
++++ b/src/xmpp/message.c
+@@ -687,6 +687,13 @@ _handle_carbons(xmpp_stanza_t * const stanza)
+         return FALSE;
+     }
+ 
++    Jid *my_jid = jid_create(jabber_get_fulljid());
++    const char *const stanza_from = xmpp_stanza_get_attribute(stanza, STANZA_ATTR_FROM);
++    if (g_strcmp0(my_jid->barejid, stanza_from) != 0) {
++        log_warning("Invalid carbon received, from: %s", stanza_from);
++        return TRUE;
++    }
++
+     char *name = xmpp_stanza_get_name(carbons);
+     if ((g_strcmp0(name, "received") == 0) || (g_strcmp0(name, "sent")) == 0) {
+         xmpp_stanza_t *forwarded = xmpp_stanza_get_child_by_ns(carbons, STANZA_NS_FORWARD);
+diff --git a/tests/functionaltests/test_carbons.c b/tests/functionaltests/test_carbons.c
+index 96639d6..3bbe65d 100644
+--- a/tests/functionaltests/test_carbons.c
++++ b/tests/functionaltests/test_carbons.c
+@@ -70,7 +70,7 @@ receive_carbon(void **state)
+     prof_output_exact("unencrypted");
+ 
+     stbbr_send(
+-        "<message type=\"chat\" to=\"stabber@localhost/profanity\" from=\"buddy1@localhost\">"
++        "<message type=\"chat\" to=\"stabber@localhost/profanity\" from=\"stabber@localhost\">"
+             "<received xmlns=\"urn:xmpp:carbons:2\">"
+                 "<forwarded xmlns=\"urn:xmpp:forward:0\">"
+                     "<message id=\"prof_msg_7\" xmlns=\"jabber:client\" type=\"chat\" lang=\"en\" to=\"stabber@localhost/profanity\" from=\"buddy1@localhost/mobile\">"
diff -Nru profanity-0.4.7/debian/patches/fix_spelling_error profanity-0.4.7/debian/patches/fix_spelling_error
--- profanity-0.4.7/debian/patches/fix_spelling_error	2015-09-26 16:47:33.000000000 +0200
+++ profanity-0.4.7/debian/patches/fix_spelling_error	2017-02-25 18:29:37.000000000 +0100
@@ -1,10 +1,16 @@
-Author: Dariusz Dwornikowski <dariusz.dwornikow...@cs.put.poznan.pl> 
+From: Dariusz Dwornikowski <dariusz.dwornikow...@cs.put.poznan.pl>
+Date: Sat, 25 Feb 2017 17:03:17 +0100
 Subject: Fix spelling errors
-Last-Update: 2015-09-25
-Forwarded: not-needed
+
+---
+ src/xmpp/iq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/xmpp/iq.c b/src/xmpp/iq.c
+index 496e9ca..6466eb5 100644
 --- a/src/xmpp/iq.c
 +++ b/src/xmpp/iq.c
-@@ -861,13 +861,13 @@
+@@ -861,13 +861,13 @@ _version_result_handler(xmpp_conn_t * const conn, xmpp_stanza_t * const stanza,
  
      xmpp_stanza_t *query = xmpp_stanza_get_child_by_name(stanza, STANZA_NAME_QUERY);
      if (query == NULL) {
diff -Nru profanity-0.4.7/debian/patches/series profanity-0.4.7/debian/patches/series
--- profanity-0.4.7/debian/patches/series	2015-09-26 16:47:33.000000000 +0200
+++ profanity-0.4.7/debian/patches/series	2017-02-25 18:29:37.000000000 +0100
@@ -1 +1,2 @@
 fix_spelling_error
+0002-Import-the-patch-fixing-CVE-2017-5592.patch

Reply via email to