Bug#989592: unblock: dino-im/0.2.0-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package dino-im.
0.2.0-3 fixes CVE-2021-33896 and another related bug.
Both fixes are in upstream version 0.2.1, but applied as patches here.
debdiff is attached.
unblock dino-im/0.2.0-3
diff -Nru dino-im-0.2.0/debian/changelog dino-im-0.2.0/debian/changelog
--- dino-im-0.2.0/debian/changelog 2021-03-22 22:38:23.000000000 +0000
+++ dino-im-0.2.0/debian/changelog 2021-06-07 17:43:27.000000000 +0000
@@ -1,3 +1,11 @@
+dino-im (0.2.0-3) unstable; urgency=critical
+
+ * Fix file traversal issue on incoming file transfers (CVE-2021-33896)
+ * Don't remove characters after '#' in filename
+ Thanks to fiaxh (Dino upstream) for both patches!
+
+ -- Martin <debacle@debian.org> Mon, 07 Jun 2021 17:43:27 +0000
+
dino-im (0.2.0-2) unstable; urgency=medium
* Add upstream patch to adjust Real for latest vala version
diff -Nru dino-im-0.2.0/debian/patches/dont-remove-characters-after-numbersign-in-filename.patch dino-im-0.2.0/debian/patches/dont-remove-characters-after-numbersign-in-filename.patch
--- dino-im-0.2.0/debian/patches/dont-remove-characters-after-numbersign-in-filename.patch 1970-01-01 00:00:00.000000000 +0000
+++ dino-im-0.2.0/debian/patches/dont-remove-characters-after-numbersign-in-filename.patch 2021-06-07 17:39:41.000000000 +0000
@@ -0,0 +1,22 @@
+Description: Don't remove characters after '#' in filename
+Author:fiaxh <git@lightrise.org>
+Origin: upstream
+Applied-Upstream: ce292d03e37f146853417855986bf5541b50d2ae
+Last-Update: 2021-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/plugins/http-files/src/file_provider.vala
++++ b/plugins/http-files/src/file_provider.vala
+@@ -142,10 +142,11 @@
+ }
+
+ private string extract_file_name_from_url(string url) {
+- string ret = Uri.unescape_string(url.substring(url.last_index_of("/") + 1));
++ string ret = url;
+ if (ret.contains("#")) {
+ ret = ret.substring(0, ret.last_index_of("#"));
+ }
++ ret = Uri.unescape_string(ret.substring(ret.last_index_of("/") + 1));
+ return ret;
+ }
+
diff -Nru dino-im-0.2.0/debian/patches/fix-file-traversal-issue-on-incoming-file-transfers.patch dino-im-0.2.0/debian/patches/fix-file-traversal-issue-on-incoming-file-transfers.patch
--- dino-im-0.2.0/debian/patches/fix-file-traversal-issue-on-incoming-file-transfers.patch 1970-01-01 00:00:00.000000000 +0000
+++ dino-im-0.2.0/debian/patches/fix-file-traversal-issue-on-incoming-file-transfers.patch 2021-06-07 17:31:09.000000000 +0000
@@ -0,0 +1,30 @@
+Description: Fix file traversal issue on incoming file transfers
+Author: fiaxh <git@lightrise.org>
+Origin: upstream
+Bug: https://dino.im/security/cve-2021-33896/
+Applied-Upstream: 0c8d25b7a3e7a10a506f1e19b868fe9b0c761495
+Last-Update: 2021-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/libdino/src/entity/file_transfer.vala
++++ b/libdino/src/entity/file_transfer.vala
+@@ -45,7 +45,18 @@
+ }
+ }
+
+- public string file_name { get; set; }
++ private string file_name_;
++ public string file_name {
++ get { return file_name_; }
++ set {
++ file_name_ = Path.get_basename(value);
++ if (file_name_ == Path.DIR_SEPARATOR_S || file_name_ == ".") {
++ file_name_ = "unknown filename";
++ } else if (file_name_.has_prefix(".")) {
++ file_name_ = "_" + file_name_;
++ }
++ }
++ }
+ private string? server_file_name_ = null;
+ public string server_file_name {
+ get { return server_file_name_ ?? file_name; }
diff -Nru dino-im-0.2.0/debian/patches/series dino-im-0.2.0/debian/patches/series
--- dino-im-0.2.0/debian/patches/series 2021-03-22 22:38:23.000000000 +0000
+++ dino-im-0.2.0/debian/patches/series 2021-06-07 17:35:09.000000000 +0000
@@ -1,3 +1,5 @@
+dont-remove-characters-after-numbersign-in-filename.patch
+fix-file-traversal-issue-on-incoming-file-transfers.patch
adjust-real-for-latest-vala.patch
rename-to-dino-im.patch
fix_library_path.patch
Reply to: