
Bug#859382: marked as done (unblock: sleekxmpp/1.3.1-6)



Your message dated Mon, 03 Apr 2017 11:43:00 +0000
with message-id <429ab219-a31c-4e9c-6165-076c0269c954@thykier.net>
and subject line Re: Bug#859382: unblock: sleekxmpp/1.3.1-6
has caused the Debian Bug report #859382,
regarding unblock: sleekxmpp/1.3.1-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
859382: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859382
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package sleekxmpp

Two bug fixes from upstream 1.3.2 have been taken to patch 1.3.1
against bugs #854739 (CVE-2017-5591, grave) and #851900 (Fails
to connect to servers that only support TLS 1.1 or TLS 1.2,
important).

diff -Nru sleekxmpp-1.3.1/debian/changelog sleekxmpp-1.3.1/debian/changelog
--- sleekxmpp-1.3.1/debian/changelog	2016-12-25 22:28:41.000000000 +0100
+++ sleekxmpp-1.3.1/debian/changelog	2017-04-03 02:04:06.000000000 +0200
@@ -1,3 +1,16 @@
+sleekxmpp (1.3.1-6) unstable; urgency=medium
+
+  * Fix CVE-2017-5591:
+    An incorrect implementation of XEP-0280: Message Carbons in slixmpp allows
+    a remote attacker to impersonate any user, including contacts, in the
+    vulnerable application's display. This allows for various kinds of social
+    engineering attacks. (Closes: #854739)
+  * Use ssl.get_protocol_name() to find out which TLS version is
+    in use (allows the latest TLS versions to be used as well as any future
+    versions). (Closes: #851900)
+
+ -- W. Martin Borgert <debacle@debian.org>  Mon, 03 Apr 2017 00:04:06 +0000
+
 sleekxmpp (1.3.1-5) unstable; urgency=medium
 
   * use debhelper 9 compat
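Review bot: the CVE-2017-5591 changelog entry describes the flaw as being in "slixmpp", but this package is sleekxmpp; the wording matches the slixmpp-origin patch header further down, and since the changelog is what users of the Debian package read, it should name sleekxmpp. It would also help stable users to state the impact for this package in one line, i.e. that the carbons handlers accepted forwarded messages from any sender, since the entry currently describes the fix but not why 1.3.1 was affected.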
diff -Nru sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch
--- sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch	1970-01-01 01:00:00.000000000 +0100
+++ sleekxmpp-1.3.1/debian/patches/002-fix_tls_version_check.patch	2017-04-03 02:04:06.000000000 +0200
@@ -0,0 +1,24 @@
+Description: Use ssl.get_protocol_name() to find out which TLS version is
+ in use (allows the latest TLS versions to be used as well as any future
+ versions).
+Author: Chris Snijder <chris@greenhost.nl>
+Origin: upstream, https://github.com/fritzy/SleekXMPP/commit/6ebcf6b60d879e31e41bac58ba7db6ea760579b9
+Bug-Debian: https://bugs.debian.org/851900
+Last-Update: 2017-04-02
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sleekxmpp/xmlstream/xmlstream.py
++++ b/sleekxmpp/xmlstream/xmlstream.py
+@@ -839,8 +839,10 @@ def start_tls(self):
+         to be restarted.
+         """
+         log.info("Negotiating TLS")
+-        ssl_versions = {3: 'TLS 1.0', 1: 'SSL 3', 2: 'SSL 2/3'}
+-        log.info("Using SSL version: %s", ssl_versions[self.ssl_version])
++        log.info(
++            "Using SSL version: %s",
++            ssl.get_protocol_name(self.ssl_version).replace('PROTOCOL_', '', 1)
++        )
+         if self.ca_certs is None:
+             cert_policy = ssl.CERT_NONE
+         else:
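Review bot: the removed `ssl_versions` dict only has entries for the codes 1, 2 and 3, so `ssl_versions[self.ssl_version]` raised KeyError for any other protocol constant (including the TLS 1.1/1.2 ones) before a handshake was even attempted, which matches the connection failure in #851900; the replacement `ssl.get_protocol_name()` avoids the lookup failure, but it is an undocumented helper in the ssl module rather than public API, so a `getattr(ssl, 'get_protocol_name', None)` fallback or at least a comment recording the dependency would make the patch more robust against future Python changes. Also visible in the unchanged context: when `self.ca_certs is None` the code sets `cert_policy = ssl.CERT_NONE`, i.e. no peer certificate verification, which is worth calling out in the patch description so nobody assumes the logged TLS version implies an authenticated peer.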
diff -Nru sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch
--- sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch	1970-01-01 01:00:00.000000000 +0100
+++ sleekxmpp-1.3.1/debian/patches/CVE-2017-5591.patch	2017-04-03 02:04:06.000000000 +0200
@@ -0,0 +1,29 @@
+Description: fix for CVE-2017-5591
+ An incorrect implementation of XEP-0280: Message Carbons in slixmpp allows a
+ remote attacker to impersonate any user, including contacts, in the vulnerable
+ application's display. This allows for various kinds of social engineering
+ attacks.
+Author: mathieui <github@mathieui.net>
+Origin: other, https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb471
+Bug: https://github.com/fritzy/SleekXMPP/issues/442
+Bug-Debian: https://bugs.debian.org/854739
+Last-Update: 2017-03-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sleekxmpp/plugins/xep_0280/carbons.py
++++ b/sleekxmpp/plugins/xep_0280/carbons.py
+@@ -61,10 +61,12 @@
+         self.xmpp.plugin['xep_0030'].add_feature('urn:xmpp:carbons:2')
+ 
+     def _handle_carbon_received(self, msg):
+-        self.xmpp.event('carbon_received', msg)
++        if msg['from'].bare == self.xmpp.boundjid.bare:
++            self.xmpp.event('carbon_received', msg)
+ 
+     def _handle_carbon_sent(self, msg):
+-        self.xmpp.event('carbon_sent', msg)
++        if msg['from'].bare == self.xmpp.boundjid.bare:
++            self.xmpp.event('carbon_sent', msg)
+ 
+     def enable(self, ifrom=None, block=True, timeout=None, callback=None):
+         iq = self.xmpp.Iq()
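Review bot: the new guard in `_handle_carbon_received` and `_handle_carbon_sent` correctly restricts carbons to those forwarded from the user's own bare JID (`msg['from'].bare == self.xmpp.boundjid.bare`), which is the sender check XEP-0280 requires, but a forged carbon is now dropped silently; add an `else` branch that logs the rejected sender through the module's logger (e.g. `log.warning("Dropping carbon from %s", msg['from'])`, adding a `logging.getLogger(__name__)` if the module has none) so an impersonation attempt leaves a trace for operators. The DEP-3 Description also says "slixmpp" and should name sleekxmpp for this package, and the Origin URL uses a 35-character abbreviated commit id; the full 40-character hash makes the provenance easier to verify.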
diff -Nru sleekxmpp-1.3.1/debian/patches/series sleekxmpp-1.3.1/debian/patches/series
--- sleekxmpp-1.3.1/debian/patches/series	2015-12-29 22:44:03.000000000 +0100
+++ sleekxmpp-1.3.1/debian/patches/series	2017-04-03 02:04:06.000000000 +0200
@@ -1 +1,3 @@
+CVE-2017-5591.patch
 0001-get-rid-of-embedded-copies-dateutil-gnupg-ordereddic.patch
+002-fix_tls_version_check.patch
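Review bot: the series file now mixes three naming schemes (`CVE-2017-5591.patch`, `0001-...`, `002-...`) and places the CVE patch ahead of the pre-existing `0001-` patch while the `002-` TLS patch goes after it; unless the CVE fix has to apply before 0001, keep the order chronological and the numbering consistent (e.g. `0002-CVE-2017-5591.patch`, `0003-fix_tls_version_check.patch`) so `quilt` refreshes and later stable updates stay predictable.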

unblock sleekxmpp/1.3.1-6

--- End Message ---
--- Begin Message ---
W. Martin Borgert:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package sleekxmpp
> 
> Two bug fixes from upstream 1.3.2 have been taken to patch 1.3.1
> against bugs #854739 (CVE-2017-5591, grave) and #851900 (Fails
> to connect to servers that only support TLS 1.1 or TLS 1.2,
> important).
> 
> [...]
> 
> unblock sleekxmpp/1.3.1-6
> 

Unblocked, thanks.

~Niels

--- End Message ---
