
Bug#989592: marked as done (unblock: dino-im/0.2.0-3)



Your message dated Tue, 08 Jun 2021 21:23:24 +0000
with message-id <E1lqjC0-0000R8-Pn@respighi.debian.org>
and subject line unblock dino-im
has caused the Debian Bug report #989592,
regarding unblock: dino-im/0.2.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989592: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989592
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package dino-im.

0.2.0-3 fixes CVE-2021-33896 and another related bug.

Both fixes are in upstream version 0.2.1, but applied as patches here.

debdiff is attached.

unblock dino-im/0.2.0-3
diff -Nru dino-im-0.2.0/debian/changelog dino-im-0.2.0/debian/changelog
--- dino-im-0.2.0/debian/changelog	2021-03-22 22:38:23.000000000 +0000
+++ dino-im-0.2.0/debian/changelog	2021-06-07 17:43:27.000000000 +0000
@@ -1,3 +1,11 @@
+dino-im (0.2.0-3) unstable; urgency=critical
+
+  * Fix file traversal issue on incoming file transfers (CVE-2021-33896)
+  * Don't remove characters after '#' in filename
+    Thanks to fiaxh (Dino upstream) for both patches!
+
+ -- Martin <debacle@debian.org>  Mon, 07 Jun 2021 17:43:27 +0000
+
 dino-im (0.2.0-2) unstable; urgency=medium
 
   * Add upstream patch to adjust Real for latest vala version
diff -Nru dino-im-0.2.0/debian/patches/dont-remove-characters-after-numbersign-in-filename.patch dino-im-0.2.0/debian/patches/dont-remove-characters-after-numbersign-in-filename.patch
--- dino-im-0.2.0/debian/patches/dont-remove-characters-after-numbersign-in-filename.patch	1970-01-01 00:00:00.000000000 +0000
+++ dino-im-0.2.0/debian/patches/dont-remove-characters-after-numbersign-in-filename.patch	2021-06-07 17:39:41.000000000 +0000
@@ -0,0 +1,22 @@
+Description: Don't remove characters after '#' in filename
+Author:fiaxh <git@lightrise.org> 
+Origin: upstream
+Applied-Upstream: ce292d03e37f146853417855986bf5541b50d2ae
+Last-Update: 2021-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/plugins/http-files/src/file_provider.vala
++++ b/plugins/http-files/src/file_provider.vala
+@@ -142,10 +142,11 @@
+     }
+ 
+     private string extract_file_name_from_url(string url) {
+-        string ret = Uri.unescape_string(url.substring(url.last_index_of("/") + 1));
++        string ret = url;
+         if (ret.contains("#")) {
+             ret = ret.substring(0, ret.last_index_of("#"));
+         }
++        ret = Uri.unescape_string(ret.substring(ret.last_index_of("/") + 1));
+         return ret;
+     }
+ 
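Review bot: The fragment is cut at `last_index_of("#")` in `ret = ret.substring(0, ret.last_index_of("#"));`, but in the URI grammar the fragment starts at the first `#`, so a URL whose fragment itself contains a `#` (constructed example: `.../file.txt#a#b`) yields `file.txt#a` rather than `file.txt`; `ret = ret.substring(0, ret.index_of("#"));` matches the grammar. The reason the strip now happens on the raw URL before `Uri.unescape_string` deserves a comment on the function, e.g. `// Drop the fragment before unescaping so a percent-encoded '#' (%23) in the name survives.` `Uri.unescape_string` can return null on a malformed escape sequence, and the non-nullable `ret` does not guard against that; this predates the patch, but callers should expect a null name. extract_file_name_from_url is shown in full; the enclosing class starts and ends outside the hunk.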
diff -Nru dino-im-0.2.0/debian/patches/fix-file-traversal-issue-on-incoming-file-transfers.patch dino-im-0.2.0/debian/patches/fix-file-traversal-issue-on-incoming-file-transfers.patch
--- dino-im-0.2.0/debian/patches/fix-file-traversal-issue-on-incoming-file-transfers.patch	1970-01-01 00:00:00.000000000 +0000
+++ dino-im-0.2.0/debian/patches/fix-file-traversal-issue-on-incoming-file-transfers.patch	2021-06-07 17:31:09.000000000 +0000
@@ -0,0 +1,30 @@
+Description: Fix file traversal issue on incoming file transfers
+Author: fiaxh <git@lightrise.org>
+Origin: upstream
+Bug: https://dino.im/security/cve-2021-33896/
+Applied-Upstream: 0c8d25b7a3e7a10a506f1e19b868fe9b0c761495
+Last-Update: 2021-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/libdino/src/entity/file_transfer.vala
++++ b/libdino/src/entity/file_transfer.vala
+@@ -45,7 +45,18 @@
+         }
+     }
+ 
+-    public string file_name { get; set; }
++    private string file_name_;
++    public string file_name {
++        get { return file_name_; }
++        set {
++            file_name_ = Path.get_basename(value);
++            if (file_name_ == Path.DIR_SEPARATOR_S || file_name_ == ".") {
++                file_name_ = "unknown filename";
++            } else if (file_name_.has_prefix(".")) {
++                file_name_ = "_" + file_name_;
++            }
++        }
++    }
+     private string? server_file_name_ = null;
+     public string server_file_name {
+         get { return server_file_name_ ?? file_name; }
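Review bot: The setter starting at `set {` silently rewrites the assigned value (basename only, separator-only or `.` becomes `"unknown filename"`, a leading `.` gets a `_` prefix) with no documentation, so a reader of `file_name` has no hint that the stored name can differ from what was assigned; a comment above `private string file_name_;` should state it, e.g. `// Sanitised on assignment: reduced to its basename and never empty or hidden, so a peer-supplied name cannot carry directory components.` `Path.get_basename` returns `.` for an empty string and `..` for a path ending in `..`, so both are covered, the latter via the leading-dot rule. As with the old auto property, the value reads as null until first assigned, which the non-nullable getter type hides. The enclosing class starts and ends outside the hunk.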
diff -Nru dino-im-0.2.0/debian/patches/series dino-im-0.2.0/debian/patches/series
--- dino-im-0.2.0/debian/patches/series	2021-03-22 22:38:23.000000000 +0000
+++ dino-im-0.2.0/debian/patches/series	2021-06-07 17:35:09.000000000 +0000
@@ -1,3 +1,5 @@
+dont-remove-characters-after-numbersign-in-filename.patch
+fix-file-traversal-issue-on-incoming-file-transfers.patch
 adjust-real-for-latest-vala.patch
 rename-to-dino-im.patch
 fix_library_path.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
