[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

gajim 0.13.4-3+squeeze4 for testing


I have packaged version of gajim 0.13.4-3+squeeze4 destined for
squeeze-LTS, with a fix for CVE-2015-8688.patch.

The upstream patch comes in two parts:

I backported the first part, and ignored the second part as the second
part does not appear to be relevant to the security issue, and is not so
easily backported. The first part fixes the security issue. The second
part appears to reject incoming roster set events that have multiple
JIDs (if I am reading this code correctly).

The version for testing is available here:


The security patch I applied is:

--- a/src/common/connection_handlers.py
+++ b/src/common/connection_handlers.py
@@ -1600,6 +1600,10 @@
        def _rosterSetCB(self, con, iq_obj):
+               frm = helpers.get_jid_from_iq(self.stanza)
+               our_jid = gajim.get_jid_from_account(self.conn.name)
+               if frm and frm != our_jid and frm != gajim.get_server_from_jid(our_jid):
+                       return
                version = iq_obj.getTagAttr('query', 'ver')
                for item in iq_obj.getTag('query').getChildren():

Does this look ok to upload to squeeze-lts?
Brian May <brian@linuxpenguins.xyz>

Reply to: