Package: dino-im / 0.0.git20181129-1+deb10u1

check-roster-push-CVE-2019-16236.patch Patch series | download
Description: Check roster push authorization (CVE-2019-16236)
Author: Marvin W <git@larma.de>
Origin: upstream
Applied-Upstream: dd33f5f949248d87d34f399e8846d5ee5b8823d9
Last-Update: 2019-09-13
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/xmpp-vala/src/module/roster/module.vala
+++ b/xmpp-vala/src/module/roster/module.vala
@@ -47,6 +47,10 @@
     public void on_iq_set(XmppStream stream, Iq.Stanza iq) {
         StanzaNode? query_node = iq.stanza.get_subnode("query", NS_URI);
         if (query_node == null) return;
+        if (!iq.from.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid)) {
+            warning("Received alledged roster push from %s, ignoring", iq.from.to_string());
+            return;
+        }
 
         Flag flag = stream.get_flag(Flag.IDENTITY);
         Item item = new Item.from_stanza_node(query_node.get_subnode("item", NS_URI));
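Review bot: The new guard `if (!iq.from.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid))` dereferences `iq.from` without a null check, and so does `iq.from.to_string()` in the warning on the next line; RFC 6121 §2.1.6 allows a roster push from the server to carry no `from` attribute at all (the client is to treat that as its own bare JID), so if `Iq.Stanza.from` can be null in that case the handler crashes instead of either accepting or rejecting the push. Whether the stanza class substitutes the account JID when the attribute is absent is not visible in this hunk, so this is inferred; if it does not, the check should read `if (iq.from != null && !iq.from.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid)) {`, which keeps the fix (a `from` that is present but not the account's bare JID is still ignored) while tolerating the attribute-less form. A short comment above the guard stating the rule being enforced, e.g. `// RFC 6121 §2.1.6: only accept roster pushes from the server (no from, or from == our bare JID)`, would make the intent clear to the next reader. The warning text also misspells "alleged" as "alledged". on_iq_set's body continues past the end of the hunk.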