From 918bcdc92651c64811663cac8c44365247004a79 Mon Sep 17 00:00:00 2001 From: Ark74 Date: Fri, 1 Mar 2024 11:57:31 -0600 Subject: [PATCH] pidgin: apply CVE-2022-26491 fix not available upstream. --- .../pidgin/cve/001_fix_CVE-2022-26491.patch | 77 +++++++++++++++++++ helpers/make-pidgin | 9 ++- 2 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 helpers/DATA/pidgin/cve/001_fix_CVE-2022-26491.patch diff --git a/helpers/DATA/pidgin/cve/001_fix_CVE-2022-26491.patch b/helpers/DATA/pidgin/cve/001_fix_CVE-2022-26491.patch new file mode 100644 index 0000000..5d39537 --- /dev/null +++ b/helpers/DATA/pidgin/cve/001_fix_CVE-2022-26491.patch @@ -0,0 +1,77 @@ +Remove _xmppconnect support + +It has always been vulnerable to MITM attacks when it is not used with DNSSEC, +and has been removed from XEP-0156 because of that. We have been issued +CVE-2022-26491 for this issue. + +More discussion can be found at +https://mail.jabber.org/pipermail/standards/2022-February/038759.html. + +Testing Done: +Compiled + +Reviewed at https://reviews.imfreedom.org/r/1357/ + +--- a/libpurple/protocols/jabber/jabber.c Sat Apr 23 05:05:54 2022 -0500 ++++ b/libpurple/protocols/jabber/jabber.c Wed Apr 27 23:41:06 2022 -0500 +@@ -798,48 +798,6 @@ + } + + static void +-txt_resolved_cb(GList *responses, gpointer data) +-{ +- JabberStream *js = data; +- gboolean found = FALSE; +- +- js->srv_query_data = NULL; +- +- while (responses) { +- PurpleTxtResponse *resp = responses->data; +- gchar **token; +- token = g_strsplit(purple_txt_response_get_content(resp), "=", 2); +- if (purple_strequal(token[0], "_xmpp-client-xbosh")) { +- purple_debug_info("jabber","Found alternative connection method using %s at %s.\n", token[0], token[1]); +- js->bosh = jabber_bosh_connection_init(js, token[1]); +- g_strfreev(token); +- break; +- } +- g_strfreev(token); +- purple_txt_response_destroy(resp); +- responses = g_list_delete_link(responses, responses); +- } +- +- if (js->bosh) { +- found = TRUE; +- jabber_bosh_connection_connect(js->bosh); +- } +- +- if (!found) { +- purple_debug_warning("jabber", "Unable to find alternative XMPP connection " +- "methods after failing to connect directly.\n"); +- purple_connection_error_reason(js->gc, +- PURPLE_CONNECTION_ERROR_NETWORK_ERROR, +- _("Unable to connect")); +- return; +- } +- +- if (responses) { +- g_list_free_full(responses, (GDestroyNotify)purple_txt_response_destroy); +- } +-} +- +-static void + jabber_login_callback(gpointer data, gint source, const gchar *error) + { + PurpleConnection *gc = data; +@@ -849,11 +807,6 @@ + if (js->srv_rec != NULL) { + purple_debug_error("jabber", "Unable to connect to server: %s. Trying next SRV record or connecting directly.\n", error); + try_srv_connect(js); +- } else { +- purple_debug_info("jabber","Couldn't connect directly to %s. Trying to find alternative connection methods, like BOSH.\n", js->user->domain); +- js->srv_query_data = purple_txt_resolve_account( +- purple_connection_get_account(gc), "_xmppconnect", +- js->user->domain, txt_resolved_cb, js); + } + return; + } diff --git a/helpers/make-pidgin b/helpers/make-pidgin index 0c20564..675d722 100644 --- a/helpers/make-pidgin +++ b/helpers/make-pidgin @@ -17,7 +17,7 @@ # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA # -VERSION=1 +VERSION=2 COMPONENT=main . ./config @@ -30,6 +30,13 @@ done sed '/PIDGIN_PREFS_ROOT.*conv_focus/s/TRUE/FALSE/' -i pidgin/gtksound.c +# apply upstream pidgin security fixes / patches not yet in ubuntu. +for patch in $(ls -v ${DATA}/cve/*.patch) +do + echo "Applying $patch" + patch --no-backup-if-mismatch -Np1 < $patch +done + changelog "Compiled for Trisquel" package