CMXSL.org/package-helpers-cmxsl
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

pidgin: apply CVE-2022-26491 fix not available upstream.

Browse source
This commit is contained in:
Ark74 2024-03-01 11:57:31 -06:00
parent 5776c03903
commit 918bcdc926
2 changed files with 85 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

77
helpers/DATA/pidgin/cve/001_fix_CVE-2022-26491.patch Normal file
View file

@ -0,0 +1,77 @@
Remove _xmppconnect support
It has always been vulnerable to MITM attacks when it is not used with DNSSEC,
and has been removed from XEP-0156 because of that. We have been issued
CVE-2022-26491 for this issue.
More discussion can be found at
https://mail.jabber.org/pipermail/standards/2022-February/038759.html.
Testing Done:
Compiled
Reviewed at https://reviews.imfreedom.org/r/1357/
--- a/libpurple/protocols/jabber/jabber.c Sat Apr 23 05:05:54 2022 -0500
+++ b/libpurple/protocols/jabber/jabber.c Wed Apr 27 23:41:06 2022 -0500
@@ -798,48 +798,6 @@
}
static void
-txt_resolved_cb(GList *responses, gpointer data)
-{
- JabberStream *js = data;
- gboolean found = FALSE;
-
- js->srv_query_data = NULL;
-
- while (responses) {
- PurpleTxtResponse *resp = responses->data;
- gchar **token;
- token = g_strsplit(purple_txt_response_get_content(resp), "=", 2);
- if (purple_strequal(token[0], "_xmpp-client-xbosh")) {
- purple_debug_info("jabber","Found alternative connection method using %s at %s.\n", token[0], token[1]);
- js->bosh = jabber_bosh_connection_init(js, token[1]);
- g_strfreev(token);
- break;
- }
- g_strfreev(token);
- purple_txt_response_destroy(resp);
- responses = g_list_delete_link(responses, responses);
- }
-
- if (js->bosh) {
- found = TRUE;
- jabber_bosh_connection_connect(js->bosh);
- }
-
- if (!found) {
- purple_debug_warning("jabber", "Unable to find alternative XMPP connection "
- "methods after failing to connect directly.\n");
- purple_connection_error_reason(js->gc,
- PURPLE_CONNECTION_ERROR_NETWORK_ERROR,
- _("Unable to connect"));
- return;
- }
-
- if (responses) {
- g_list_free_full(responses, (GDestroyNotify)purple_txt_response_destroy);
- }
-}
-
-static void
jabber_login_callback(gpointer data, gint source, const gchar *error)
{
PurpleConnection *gc = data;
@@ -849,11 +807,6 @@
if (js->srv_rec != NULL) {
purple_debug_error("jabber", "Unable to connect to server: %s. Trying next SRV record or connecting directly.\n", error);
try_srv_connect(js);
- } else {
- purple_debug_info("jabber","Couldn't connect directly to %s. Trying to find alternative connection methods, like BOSH.\n", js->user->domain);
- js->srv_query_data = purple_txt_resolve_account(
- purple_connection_get_account(gc), "_xmppconnect",
- js->user->domain, txt_resolved_cb, js);
}
return;
}

9
helpers/make-pidgin
View file

@ -17,7 +17,7 @@
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
# #
VERSION=1 VERSION=2
COMPONENT=main COMPONENT=main
. ./config . ./config
@ -30,6 +30,13 @@ done
sed '/PIDGIN_PREFS_ROOT.*conv_focus/s/TRUE/FALSE/' -i pidgin/gtksound.c sed '/PIDGIN_PREFS_ROOT.*conv_focus/s/TRUE/FALSE/' -i pidgin/gtksound.c
# apply upstream pidgin security fixes / patches not yet in ubuntu.
for patch in $(ls -v ${DATA}/cve/*.patch)
do
echo "Applying $patch"
patch --no-backup-if-mismatch -Np1 < $patch
done
changelog "Compiled for Trisquel" changelog "Compiled for Trisquel"
package package