diff -Nru dino-im-0.0.git20180130/debian/changelog dino-im-0.0.git20180130/debian/changelog --- dino-im-0.0.git20180130/debian/changelog 2018-01-30 23:42:17.000000000 +0100 +++ dino-im-0.0.git20180130/debian/changelog 2020-03-04 15:20:07.000000000 +0100 @@ -1,3 +1,14 @@ +dino-im (0.0.git20180130-1ubuntu18.04.1) bionic-security; urgency=high + + * Cherry pick upstream security fixes (LP: #1866113) + - SECURITY UPDATE: Fix check of source of a carbons message (CVE-2019-16235) + - SECURITY UPDATE: Check roster push authorization (CVE-2019-16236) + - SECURITY UPDATE: Fix check of source of MAM message (CVE-2019-16237) + * Accept IV sizes of 12 in addition to 16 to enable reading messages + sent from clients using 12-byte IVs again (LP: #1866115) + + -- Julian Andres Klode Wed, 04 Mar 2020 15:20:07 +0100 + dino-im (0.0.git20180130-1) unstable; urgency=medium * New upstream git snapshot diff -Nru dino-im-0.0.git20180130/debian/control dino-im-0.0.git20180130/debian/control --- dino-im-0.0.git20180130/debian/control 2018-01-30 23:41:20.000000000 +0100 +++ dino-im-0.0.git20180130/debian/control 2020-03-04 15:20:07.000000000 +0100 @@ -1,5 +1,6 @@ Source: dino-im -Maintainer: Debian XMPP Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian XMPP Maintainers Uploaders: W. Martin Borgert , Dominik George Section: net diff -Nru dino-im-0.0.git20180130/debian/patches/Allow-12-for-the-size-of-the-IV.patch dino-im-0.0.git20180130/debian/patches/Allow-12-for-the-size-of-the-IV.patch --- dino-im-0.0.git20180130/debian/patches/Allow-12-for-the-size-of-the-IV.patch 1970-01-01 01:00:00.000000000 +0100 +++ dino-im-0.0.git20180130/debian/patches/Allow-12-for-the-size-of-the-IV.patch 2020-03-04 15:20:07.000000000 +0100 @@ -0,0 +1,35 @@ +From 7497f1f17b941c09f84e6e4c6a5979e9c9b79851 Mon Sep 17 00:00:00 2001 +From: Tim Henkes +Date: Sun, 18 Nov 2018 16:52:57 +0100 +Subject: [PATCH] Allow 12 for the size of the IV +Applied-Upstream: 7497f1f17b941c09f84e6e4c6a5979e9c9b79851 + +--- + plugins/signal-protocol/src/signal_helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/plugins/signal-protocol/src/signal_helper.c b/plugins/signal-protocol/src/signal_helper.c +index 7de934e..91fcefb 100644 +--- a/plugins/signal-protocol/src/signal_helper.c ++++ b/plugins/signal-protocol/src/signal_helper.c +@@ -222,7 +222,7 @@ int signal_vala_encrypt(signal_buffer **output, + int algo, mode; + if (aes_cipher(cipher, key_len, &algo, &mode)) return SG_ERR_UNKNOWN; + +- if (iv_len != 16) return SG_ERR_UNKNOWN; ++ if (iv_len != 16 && iv_len != 12) return SG_ERR_UNKNOWN; + + gcry_cipher_hd_t ctx = {0}; + +@@ -283,7 +283,7 @@ int signal_vala_decrypt(signal_buffer **output, + if (aes_cipher(cipher, key_len, &algo, &mode)) return SG_ERR_UNKNOWN; + if (ciphertext_len == 0) return SG_ERR_UNKNOWN; + +- if (iv_len != 16) return SG_ERR_UNKNOWN; ++ if (iv_len != 16 && iv_len != 12) return SG_ERR_UNKNOWN; + + gcry_cipher_hd_t ctx = {0}; + +-- +2.25.0 + diff -Nru dino-im-0.0.git20180130/debian/patches/check-carbons-CVE-2019-16235.patch dino-im-0.0.git20180130/debian/patches/check-carbons-CVE-2019-16235.patch --- dino-im-0.0.git20180130/debian/patches/check-carbons-CVE-2019-16235.patch 1970-01-01 01:00:00.000000000 +0100 +++ dino-im-0.0.git20180130/debian/patches/check-carbons-CVE-2019-16235.patch 2020-03-04 15:20:07.000000000 +0100 @@ -0,0 +1,21 @@ +Description: Fix check of source of a carbons message (CVE-2019-16235) +Author: Marvin W +Origin: upstream +Applied-Upstream: e84f2c49567e86d2a261ea264d65c4adc549c930 +Last-Update: 2019-09-13 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/xmpp-vala/src/module/xep/0280_message_carbons.vala ++++ b/xmpp-vala/src/module/xep/0280_message_carbons.vala +@@ -52,9 +52,9 @@ + StanzaNode? forwarded_node = carbons_node.get_subnode("forwarded", "urn:xmpp:forward:0"); + if (forwarded_node != null) { + StanzaNode? message_node = forwarded_node.get_subnode("message", Xmpp.NS_URI); +- string? from_attribute = message_node.get_attribute("from", Xmpp.NS_URI); + // Any forwarded copies received by a Carbons-enabled client MUST be from that user's bare JID; any copies that do not meet this requirement MUST be ignored. +- if (from_attribute != null && from_attribute == stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid.to_string()) { ++ if (!message.from.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid)) { ++ warning("Received alleged carbon message from %s, ignoring", message.from.to_string()); + return true; + } + if (received_node != null) { diff -Nru dino-im-0.0.git20180130/debian/patches/check-mam-source-CVE-2019-16237.patch dino-im-0.0.git20180130/debian/patches/check-mam-source-CVE-2019-16237.patch --- dino-im-0.0.git20180130/debian/patches/check-mam-source-CVE-2019-16237.patch 1970-01-01 01:00:00.000000000 +0100 +++ dino-im-0.0.git20180130/debian/patches/check-mam-source-CVE-2019-16237.patch 2020-03-04 15:20:07.000000000 +0100 @@ -0,0 +1,27 @@ +Description: Fix check of source of MAM message (CVE-2019-16237) +Author: fiaxh +Origin: upstream +Applied-Upstream: 307f16cc86dd2b95aa02ab8a85110e4a2d5e7363 +Last-Update: 2019-09-13 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/xmpp-vala/src/module/xep/0313_message_archive_management.vala ++++ b/xmpp-vala/src/module/xep/0313_message_archive_management.vala +@@ -94,11 +94,16 @@ + public override string[] after_actions { get { return after_actions_const; } } + + public override async bool run(XmppStream stream, MessageStanza message) { +- // if (message.from != stream.remote_name) return; + if (stream.get_flag(Flag.IDENTITY) == null) return false; + + StanzaNode? message_node = message.stanza.get_deep_subnode(NS_VER(stream) + ":result", "urn:xmpp:forward:0:forwarded", Xmpp.NS_URI + ":message"); + if (message_node != null) { ++ // MAM messages must come from our server // TODO or a MUC server ++ if (!message.from.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid)) { ++ warning("Received alledged MAM message from %s, ignoring", message.from.to_string()); ++ return true; ++ } ++ + StanzaNode? forward_node = message.stanza.get_deep_subnode(NS_VER(stream) + ":result", "urn:xmpp:forward:0:forwarded", DelayedDelivery.NS_URI + ":delay"); + DateTime? datetime = DelayedDelivery.Module.get_time_for_node(forward_node); + message.add_flag(new MessageFlag(datetime)); diff -Nru dino-im-0.0.git20180130/debian/patches/check-roster-push-CVE-2019-16236.patch dino-im-0.0.git20180130/debian/patches/check-roster-push-CVE-2019-16236.patch --- dino-im-0.0.git20180130/debian/patches/check-roster-push-CVE-2019-16236.patch 1970-01-01 01:00:00.000000000 +0100 +++ dino-im-0.0.git20180130/debian/patches/check-roster-push-CVE-2019-16236.patch 2020-03-04 15:20:07.000000000 +0100 @@ -0,0 +1,20 @@ +Description: Check roster push authorization (CVE-2019-16236) +Author: Marvin W +Origin: upstream +Applied-Upstream: dd33f5f949248d87d34f399e8846d5ee5b8823d9 +Last-Update: 2019-09-13 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/xmpp-vala/src/module/roster/module.vala ++++ b/xmpp-vala/src/module/roster/module.vala +@@ -47,6 +47,10 @@ + public void on_iq_set(XmppStream stream, Iq.Stanza iq) { + StanzaNode? query_node = iq.stanza.get_subnode("query", NS_URI); + if (query_node == null) return; ++ if (!iq.from.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid)) { ++ warning("Received alledged roster push from %s, ignoring", iq.from.to_string()); ++ return; ++ } + + Flag flag = stream.get_flag(Flag.IDENTITY); + Item item = new Item.from_stanza_node(query_node.get_subnode("item", NS_URI)); diff -Nru dino-im-0.0.git20180130/debian/patches/series dino-im-0.0.git20180130/debian/patches/series --- dino-im-0.0.git20180130/debian/patches/series 2018-01-30 23:39:32.000000000 +0100 +++ dino-im-0.0.git20180130/debian/patches/series 2020-03-04 15:20:07.000000000 +0100 @@ -1,3 +1,7 @@ +check-mam-source-CVE-2019-16237.patch +check-roster-push-CVE-2019-16236.patch +check-carbons-CVE-2019-16235.patch +Allow-12-for-the-size-of-the-IV.patch no_git_during_build.patch rename-to-dino-im.patch fix_library_path.patch