Bug#863450: unblock: gajim/0.16.6-1.1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package gajim
Added an upstream commit/patch to solve security problem #863445.
diff -Nru gajim-0.16.6/debian/changelog gajim-0.16.6/debian/changelog
--- gajim-0.16.6/debian/changelog 2016-10-08 12:10:31.000000000 +0200
+++ gajim-0.16.6/debian/changelog 2017-05-27 00:35:49.000000000 +0200
@@ -1,3 +1,10 @@
+gajim (0.16.6-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Apply upstream patch to make XEP-0146 opt-in (Closes: #863445)
+
+ -- W. Martin Borgert <debacle@debian.org> Fri, 26 May 2017 22:35:49 +0000
+
gajim (0.16.6-1) unstable; urgency=low
* New upstream release (closes: #839780)
diff -Nru gajim-0.16.6/debian/patches/fix-xep-0146-opt-in gajim-0.16.6/debian/patches/fix-xep-0146-opt-in
--- gajim-0.16.6/debian/patches/fix-xep-0146-opt-in 1970-01-01 01:00:00.000000000 +0100
+++ gajim-0.16.6/debian/patches/fix-xep-0146-opt-in 2017-05-27 00:35:49.000000000 +0200
@@ -0,0 +1,35 @@
+Description: Add config option to activate XEP-0146 commands
+ Some of the Commands have security implications, thats why we disable them per default
+Author: Philipp Hörist
+Origin: upstream, https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc
+Bug: https://dev.gajim.org/gajim/gajim/issues/8378
+Bug-Debian: https://bugs.debian.org/863445
+Last-Update: 2017-05-27
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/common/commands.py
++++ b/src/common/commands.py
+@@ -345,9 +345,10 @@
+ def __init__(self):
+ # a list of all commands exposed: node -> command class
+ self.__commands = {}
+- for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand,
+- LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand):
+- self.__commands[cmdobj.commandnode] = cmdobj
++ if gajim.config.get('remote_commands'):
++ for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand,
++ LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand):
++ self.__commands[cmdobj.commandnode] = cmdobj
+
+ # a list of sessions; keys are tuples (jid, sessionid, node)
+ self.__sessions = {}
+--- a/src/common/config.py
++++ b/src/common/config.py
+@@ -313,6 +313,7 @@
+ 'ignore_incoming_attention': [opt_bool, False, _('If True, Gajim will ignore incoming attention requestd ("wizz").')],
+ 'remember_opened_chat_controls': [ opt_bool, True, _('If enabled, Gajim will reopen chat windows that were opened last time Gajim was closed.')],
+ 'positive_184_ack': [ opt_bool, False, _('If enabled, Gajim will show an icon to show that sent message has been received by your contact')],
++ 'remote_commands': [opt_bool, False, _('If True, Gajim will execute XEP-0146 Commands. Dangerous!')],
+ }, {})
+
+ __options_per_key = {
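Review bot: In the `commands.py` part of this patch, `gajim.config.get('remote_commands')` is read once inside `__init__`, so the command table is fixed when the object is constructed. As far as the hunk shows, switching the option off in a running session would leave the four XEP-0146 commands registered until that object is rebuilt. Either evaluate the option where an incoming command request is looked up in `self.__commands`, or say in the option's help text when a change takes effect. A short why-comment above the guard would also help, e.g. `# XEP-0146 remote-control commands are opt-in (off by default) because they let a remote entity act on the user's behalf`. The rest of `__init__` and the class lie outside the hunk, so it cannot be confirmed from here whether the ad-hoc commands feature is still advertised when the table is empty; that is worth checking.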
diff -Nru gajim-0.16.6/debian/patches/series gajim-0.16.6/debian/patches/series
--- gajim-0.16.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ gajim-0.16.6/debian/patches/series 2017-05-27 00:35:49.000000000 +0200
@@ -0,0 +1 @@
+fix-xep-0146-opt-in
unblock gajim/0.16.6-1.1