CVE-2019-16235, CVE-2019-16236, CVE-2019-16237

Bug #1866113 reported by Julian Andres Klode
Affects           Status        Importance  Assigned to  Milestone
dino-im (Ubuntu)  Fix Released  Undecided   Unassigned
Bionic            Fix Released  Undecided   Unassigned

Bug Description

A triplet of security issues.

Revision history for this message
Julian Andres Klode (juliank) wrote :

Compiled in autopkgtest, installed into lxd container, and tested with the test case for bug 1866115 - which this also includes.

The goal is to build in security, push to proposed to SRU verification, and then push to -security, as we need to get the IV acceptance change out fairly quickly so later dino versions can switch to sending 12-byte IVs w/o breaking compat with bionic users.

Afterwards I'll try to SRU dino 0.1.0 stable release as that includes a ton more (mostly) fixes.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :
Changed in dino-im (Ubuntu Bionic):
status: New → In Progress
Changed in dino-im (Ubuntu):
status: New → Fix Released
Revision history for this message
Julian Andres Klode (juliank) wrote :

I have installed dino-im from the PPA and tested:

- Group chat
- Catching up with history
- Verification for bug #1866115

Everything seems to work fine.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dino-im - 0.0.git20180130-1ubuntu0.1

---------------
dino-im (0.0.git20180130-1ubuntu0.1) bionic-security; urgency=high

  * Cherry pick upstream security fixes (LP: #1866113)
    - SECURITY UPDATE: Fix check of source of a carbons message (CVE-2019-16235)
    - SECURITY UPDATE: Check roster push authorization (CVE-2019-16236)
    - SECURITY UPDATE: Fix check of source of MAM message (CVE-2019-16237)
  * Accept IV sizes of 12 in addition to 16 to enable reading messages
    sent from clients using 12-byte IVs again (LP: #1866115)

 -- Julian Andres Klode <email address hidden> Wed, 04 Mar 2020 15:20:07 +0100

Changed in dino-im (Ubuntu Bionic):
status: In Progress → Fix Released
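The three security entries in the changelog above all come down to the same class of check: a client must only honour carbon copies, MAM archive results and roster pushes when they come from the user's own account (or the user's own server), not from an arbitrary JID that merely includes the right child element. The following is an added illustration of that rule written for this page; it is not Dino's code and is not a reproduction of the upstream patches. It assumes the account's bare JID is alice@example.org, that only the user's own message archive is in scope for MAM, and that all stanzas are constructed here for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces named in the relevant specifications (XEP-0280, XEP-0313, RFC 6121).
NS_CARBONS = "urn:xmpp:carbons:2"
NS_MAM = "urn:xmpp:mam:2"
NS_ROSTER = "jabber:iq:roster"


def classify(stanza):
    """Return which privileged stanza kind this is, or None for an ordinary stanza."""
    if stanza.tag == "message":
        if (stanza.find(f"{{{NS_CARBONS}}}received") is not None
                or stanza.find(f"{{{NS_CARBONS}}}sent") is not None):
            return "carbon"
        if stanza.find(f"{{{NS_MAM}}}result") is not None:
            return "mam"
    elif stanza.tag == "iq" and stanza.get("type") == "set":
        if stanza.find(f"{{{NS_ROSTER}}}query") is not None:
            return "roster-push"
    return None


def source_is_authorized(stanza, own_bare_jid):
    """Accept a privileged stanza only if it comes from the user's own account.

    The server stamps the 'from' attribute, so a third party can at most put its
    own JID there; the client's job is to compare it against the account's bare
    JID rather than trusting the payload. A missing 'from' means the stanza came
    from the user's own server, which RFC 6121 allows for roster pushes and which
    an archive response from the user's own server may also omit. Carbons are
    required to carry the user's bare JID explicitly.
    """
    kind = classify(stanza)
    if kind is None:
        return True  # not a privileged stanza; ordinary handling applies
    sender = stanza.get("from")
    if sender is None:
        return kind != "carbon"
    return sender == own_bare_jid


# Constructed sample stanzas (not captured traffic); the root carries no
# default namespace so ElementTree reports plain 'message' / 'iq' tags.
SAMPLES = {
    "carbon_from_self": (
        '<message from="alice@example.org" to="alice@example.org/desk">'
        '<received xmlns="urn:xmpp:carbons:2">'
        '<forwarded xmlns="urn:xmpp:forward:0"/></received></message>'),
    "carbon_from_stranger": (
        '<message from="mallory@example.net" to="alice@example.org/desk">'
        '<received xmlns="urn:xmpp:carbons:2">'
        '<forwarded xmlns="urn:xmpp:forward:0"/></received></message>'),
    "mam_no_from": (
        '<message to="alice@example.org/desk">'
        '<result xmlns="urn:xmpp:mam:2" id="a1"/></message>'),
    "mam_from_stranger": (
        '<message from="mallory@example.net" to="alice@example.org/desk">'
        '<result xmlns="urn:xmpp:mam:2" id="a2"/></message>'),
    "roster_push_self": (
        '<iq type="set" from="alice@example.org" id="r1">'
        '<query xmlns="jabber:iq:roster"><item jid="bob@example.org"/></query></iq>'),
    "roster_push_stranger": (
        '<iq type="set" from="mallory@example.net" id="r2">'
        '<query xmlns="jabber:iq:roster"><item jid="mallory@example.net"/></query></iq>'),
    "plain_chat": (
        '<message from="bob@example.org/phone" type="chat"><body>hi</body></message>'),
}


def check_samples(own_bare_jid="alice@example.org"):
    """Run the source check over every sample and report accept/reject per name."""
    return {name: source_is_authorized(ET.fromstring(xml), own_bare_jid)
            for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, accepted in check_samples().items():
        print(f"{name:22s} {'accept' if accepted else 'REJECT'}")
```

The check runs before any of the payload is acted on: a rejected carbon is never shown as the user's own sent or received message, a rejected MAM result never enters the history, and a rejected roster push never modifies the contact list. Comparing the full 'from' string against the bare JID is deliberately strict; a value with a resource part is not the account itself and is treated as unauthorized.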