commit 6243764c4fd0985320d4a10b48051cc418d584ad
Author: Pali Rohár <pali.rohar@gmail.com>
Date: Sat Feb 11 13:24:59 2017 +0100
Fix CVE 2017-5593 (User Impersonation Vulnerability) in jabber protocol
BUG: 376348
FIXED-IN: 16.12.3
diff --git a/protocols/jabber/libiris/patches/01_cve_2017-5593.patch b/protocols/jabber/libiris/patches/01_cve_2017-5593.patch
new file mode 100644
index 000000000..573ca66bc
--- /dev/null
+++ b/protocols/jabber/libiris/patches/01_cve_2017-5593.patch
@@ -0,0 +1,52 @@
+diff --git a/src/xmpp/xmpp-im/xmpp_tasks.cpp b/src/xmpp/xmpp-im/xmpp_tasks.cpp
+index 0e74b71..0837548 100644
+--- a/src/xmpp/xmpp-im/xmpp_tasks.cpp
++++ b/src/xmpp/xmpp-im/xmpp_tasks.cpp
+@@ -888,14 +888,18 @@ bool JT_PushMessage::take(const QDomElement &e)
+ QDomElement forward;
+ Message::CarbonDir cd = Message::NoCarbon;
+
++ Jid fromJid = Jid(e1.attribute(QLatin1String("from")));
+ // Check for Carbon
+ QDomNodeList list = e1.childNodes();
+ for (int i = 0; i < list.size(); ++i) {
+ QDomElement el = list.at(i).toElement();
+
+- if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2") && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))) {
++ if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2")
++ && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))
++ && fromJid.compare(Jid(e1.attribute(QLatin1String("to"))), false)) {
+ QDomElement el1 = el.firstChildElement();
+- if (el1.tagName() == QLatin1String("forwarded") && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
++ if (el1.tagName() == QLatin1String("forwarded")
++ && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+ QDomElement el2 = el1.firstChildElement(QLatin1String("message"));
+ if (!el2.isNull()) {
+ forward = el2;
+@@ -904,7 +908,8 @@ bool JT_PushMessage::take(const QDomElement &e)
+ }
+ }
+ }
+- else if (el.tagName() == QLatin1String("forwarded") && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
++ else if (el.tagName() == QLatin1String("forwarded")
++ && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+ forward = el.firstChildElement(QLatin1String("message")); // currently only messages are supportted
+ // TODO <delay> element support
+ if (!forward.isNull()) {
+@@ -913,7 +918,6 @@ bool JT_PushMessage::take(const QDomElement &e)
+ }
+ }
+
+- QString from = e1.attribute(QLatin1String("from"));
+ Stanza s = client()->stream().createStanza(addCorrectNS(forward.isNull()? e1 : forward));
+ if(s.isNull()) {
+ //printf("take: bad stanza??\n");
+@@ -926,7 +930,7 @@ bool JT_PushMessage::take(const QDomElement &e)
+ return false;
+ }
+ if (!forward.isNull()) {
+- m.setForwardedFrom(Jid(from));
++ m.setForwardedFrom(fromJid);
+ m.setCarbonDirection(cd);
+ }
+
diff --git a/protocols/jabber/libiris/src/xmpp/xmpp-im/xmpp_tasks.cpp b/protocols/jabber/libiris/src/xmpp/xmpp-im/xmpp_tasks.cpp
index 0e74b7126..083754867 100644
--- a/protocols/jabber/libiris/src/xmpp/xmpp-im/xmpp_tasks.cpp
+++ b/protocols/jabber/libiris/src/xmpp/xmpp-im/xmpp_tasks.cpp
@@ -888,14 +888,18 @@ bool JT_PushMessage::take(const QDomElement &e)
QDomElement forward;
Message::CarbonDir cd = Message::NoCarbon;
+ Jid fromJid = Jid(e1.attribute(QLatin1String("from")));
// Check for Carbon
QDomNodeList list = e1.childNodes();
for (int i = 0; i < list.size(); ++i) {
QDomElement el = list.at(i).toElement();
- if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2") && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))) {
+ if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2")
+ && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))
+ && fromJid.compare(Jid(e1.attribute(QLatin1String("to"))), false)) {
QDomElement el1 = el.firstChildElement();
- if (el1.tagName() == QLatin1String("forwarded") && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+ if (el1.tagName() == QLatin1String("forwarded")
+ && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
QDomElement el2 = el1.firstChildElement(QLatin1String("message"));
if (!el2.isNull()) {
forward = el2;
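Review bot: The new carbon guard `fromJid.compare(Jid(e1.attribute(QLatin1String("to"))), false)` checks the wrapper's `from` against the stanza's own `to` attribute, not against the account this session is bound to, so it is only as strong as the server's stamping of `to`; XEP-0280 asks the receiver to verify that `from` is its own bare JID. If the session JID is available here (the function already calls `client()` further down), `&& fromJid.compare(client()->jid(), false)) {` would state that rule directly and avoid rebuilding a Jid on every loop iteration. It is also worth confirming how `Jid::compare` treats two empty JIDs when both attributes are absent. The plain `urn:xmpp:forward:0` branch in the next hunk still unwraps a forwarded message from any sender, so I would add a comment there such as `// not sender-verified: consumers must attribute this message via forwardedFrom()`. The body of take() begins and ends outside this hunk.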
@@ -904,7 +908,8 @@ bool JT_PushMessage::take(const QDomElement &e)
}
}
}
- else if (el.tagName() == QLatin1String("forwarded") && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+ else if (el.tagName() == QLatin1String("forwarded")
+ && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
forward = el.firstChildElement(QLatin1String("message")); // currently only messages are supportted
// TODO <delay> element support
if (!forward.isNull()) {
@@ -913,7 +918,6 @@ bool JT_PushMessage::take(const QDomElement &e)
}
}
- QString from = e1.attribute(QLatin1String("from"));
Stanza s = client()->stream().createStanza(addCorrectNS(forward.isNull()? e1 : forward));
if(s.isNull()) {
//printf("take: bad stanza??\n");
@@ -926,7 +930,7 @@ bool JT_PushMessage::take(const QDomElement &e)
return false;
}
if (!forward.isNull()) {
- m.setForwardedFrom(Jid(from));
+ m.setForwardedFrom(fromJid);
m.setCarbonDirection(cd);
}