
Bug#859382: unblock: sleekxmpp/1.3.1-6



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package sleekxmpp

Two bug fixes from upstream 1.3.2 have been taken to patch 1.3.1
against bugs #854739 (CVE-2017-5591, grave) and #851900 (Fails
to connect to servers that only support TLS 1.1 or TLS 1.2,
important).

diff -Nru sleekxmpp-1.3.1/debian/changelog sleekxmpp-1.3.1/debian/changelog
--- sleekxmpp-1.3.1/debian/changelog	2016-12-25 22:28:41.000000000 +0100
+++ sleekxmpp-1.3.1/debian/changelog	2017-04-03 02:04:06.000000000 +0200
@@ -1,3 +1,16 @@
+sleekxmpp (1.3.1-6) unstable; urgency=medium
+
+  * Fix CVE-2017-5591:
+    An incorrect implementation of XEP-0280: Message Carbons in slixmpp allows
+    a remote attacker to impersonate any user, including contacts, in the
+    vulnerable application's display. This allows for various kinds of social
+    engineering attacks. (Closes: #854739)
+  * Use ssl.get_protocol_name() to find out which TLS version is
+    in use (allows the latest TLS versions to be used as well as any future
+    versions). (Closes: #851900)
+
+ -- W. Martin Borgert <debacle@debian.org>  Mon, 03 Apr 2017 00:04:06 +0000
+
 sleekxmpp (1.3.1-5) unstable; urgency=medium
 
   * use debhelper 9 compat
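Review bot: the CVE-2017-5591 changelog entry says the flawed Message Carbons implementation is "in slixmpp", but the package being changed is sleekxmpp; the wording was evidently carried over from the slixmpp advisory (the patch's Origin line points at a poezio/slixmpp commit), so it should say "in sleekxmpp" (or note that the bug is shared with the slixmpp fork), otherwise the changelog reads as if the fix were for a different library.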
diff -Nru sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch
--- sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch	1970-01-01 01:00:00.000000000 +0100
+++ sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch	2017-04-03 02:04:06.000000000 +0200
@@ -0,0 +1,24 @@
+Description: Use ssl.get_protocol_name() to find out which TLS version is
+ in use (allows the latest TLS versions to be used as well as any future
+ versions).
+Author: Chris Snijder <chris@greenhost.nl>
+Origin: upstream, https://github.com/fritzy/SleekXMPP/commit/6ebcf6b60d879e31e41bac58ba7db6ea760579b9
+Bug-Debian: https://bugs.debian.org/851900
+Last-Update: 2017-04-02
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sleekxmpp/xmlstream/xmlstream.py
++++ b/sleekxmpp/xmlstream/xmlstream.py
+@@ -839,8 +839,10 @@ def start_tls(self):
+         to be restarted.
+         """
+         log.info("Negotiating TLS")
+-        ssl_versions = {3: 'TLS 1.0', 1: 'SSL 3', 2: 'SSL 2/3'}
+-        log.info("Using SSL version: %s", ssl_versions[self.ssl_version])
++        log.info(
++            "Using SSL version: %s",
++            ssl.get_protocol_name(self.ssl_version).replace('PROTOCOL_', '', 1)
++        )
+         if self.ca_certs is None:
+             cert_policy = ssl.CERT_NONE
+         else:
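Review bot: the replacement still logs the configured `self.ssl_version` constant, not the protocol that was actually negotiated, so with `PROTOCOL_SSLv23` the line will read "Using SSL version: SSLv23" even when the connection ended up on TLS 1.2; if the intent is to record the negotiated version, `SSLSocket.version()` on the wrapped socket after the handshake (Python 3.5+) is the right source. The change does fix the crash behind #851900, since the old three-entry `ssl_versions` dict raised `KeyError` for the `PROTOCOL_TLSv1_1` and `PROTOCOL_TLSv1_2` constants, and `ssl.get_protocol_name()` returns `'<unknown>'` rather than raising for codes it does not know, so the `.replace('PROTOCOL_', '', 1)` is safe; note, however, that `get_protocol_name()` is not part of the documented `ssl` API, which is worth a comment in the patch header.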
diff -Nru sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch
--- sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch	1970-01-01 01:00:00.000000000 +0100
+++ sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch	2017-04-03 02:04:06.000000000 +0200
@@ -0,0 +1,29 @@
+Description: fix for CVE-2017-5591
+ An incorrect implementation of XEP-0280: Message Carbons in slixmpp allows a
+ remote attacker to impersonate any user, including contacts, in the vulnerable
+ application's display. This allows for various kinds of social engineering
+ attacks.
+Author: mathieui <github@mathieui.net>
+Origin: other, https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb471
+Bug: https://github.com/fritzy/SleekXMPP/issues/442
+Bug-Debian: https://bugs.debian.org/854739
+Last-Update: 2017-03-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sleekxmpp/plugins/xep_0280/carbons.py
++++ b/sleekxmpp/plugins/xep_0280/carbons.py
+@@ -61,10 +61,12 @@
+         self.xmpp.plugin['xep_0030'].add_feature('urn:xmpp:carbons:2')
+ 
+     def _handle_carbon_received(self, msg):
+-        self.xmpp.event('carbon_received', msg)
++        if msg['from'].bare == self.xmpp.boundjid.bare:
++            self.xmpp.event('carbon_received', msg)
+ 
+     def _handle_carbon_sent(self, msg):
+-        self.xmpp.event('carbon_sent', msg)
++        if msg['from'].bare == self.xmpp.boundjid.bare:
++            self.xmpp.event('carbon_sent', msg)
+ 
+     def enable(self, ifrom=None, block=True, timeout=None, callback=None):
+         iq = self.xmpp.Iq()
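Review bot: the new guard implements XEP-0280's requirement that a forwarded carbon be ignored unless it arrives from the user's own bare JID, which is the right fix for the impersonation described in the header, but a copy that fails the check is now dropped silently; add a `log.debug` (or `log.warning`) in an `else` branch so that a spoofed carbon or a misbehaving server is visible in the client logs rather than vanishing. A carbon that carries no `from` attribute at all also fails the comparison and is discarded, which is the conservative and correct outcome, but it deserves a one-line comment so the next reader does not "fix" it. Minor: the hunk header `@@ -61,10 +61,12 @@` carries no function context, unlike the TLS patch's header.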
diff -Nru sleekxmpp-1.3.1/debian/patches/series sleekxmpp-1.3.1/debian/patches/series
--- sleekxmpp-1.3.1/debian/patches/series	2015-12-29 22:44:03.000000000 +0100
+++ sleekxmpp-1.3.1/debian/patches/series	2017-04-03 02:04:06.000000000 +0200
@@ -1 +1,3 @@
+CVE-2017-5591.patch
 0001-get-rid-of-embedded-copies-dateutil-gnupg-ordereddic.patch
+002-fix_tls_version_check.patch
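Review bot: the series file now mixes three naming schemes (`0001-...`, `002-...`, and `CVE-2017-5591.patch` with no number) and inserts the CVE patch ahead of the pre-existing `0001-` patch while the TLS patch is appended after it; since the two new patches touch files that `0001-` does not, the order is harmless for application, but numbering them consistently (e.g. `0002-`/`0003-`) and appending them in the order they were added would make the series easier to audit.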

unblock sleekxmpp/1.3.1-6