Mercurial Mercurial > upstream > spec-files-extra / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SFEtelepathy-gabble.spec: fix jingleinfo security bug
authorjurikm
Sat, 19 Feb 2011 15:03:36 +0000
changeset 3220 2e6660cf83df
parent 3219 a4161a10c7e8
child 3221 e77dced4e7bf
SFEtelepathy-gabble.spec: fix jingleinfo security bug
ChangeLog file | annotate | diff | comparison | revisions
base-specs/telepathy-gabble.spec file | annotate | diff | comparison | revisions
patches/telepathy-gabble-10-jingleinfo.diff file | annotate | diff | comparison | revisions 
--- a/ChangeLog	Wed Feb 16 08:21:14 2011 +0000
+++ b/ChangeLog	Sat Feb 19 15:03:36 2011 +0000
@@ -1,3 +1,7 @@
+2011-02-19 Milan Jurik <[email protected]>
+
+	* SFEtelepathy-gabble.spec: fix jingleinfo security bug
+
 2011-02-14  Thomas Wagner  <[email protected]>
 
         * SFEdrupal7.spec: more permissions in apache config needed
--- a/base-specs/telepathy-gabble.spec	Wed Feb 16 08:21:14 2011 +0000
+++ b/base-specs/telepathy-gabble.spec	Sat Feb 19 15:03:36 2011 +0000
@@ -18,6 +18,8 @@
 Docdir:         %{_defaultdocdir}/telepathy-gabble
 # date:2010-10-12 owner:jefftsai type:bug
 Patch1:         telepathy-gabble-01-compatible.diff
+# jingleinfo security bug
+Patch10:	telepathy-gabble-10-jingleinfo.diff
 
 Autoreqprov: on
 Prereq:      /sbin/ldconfig
@@ -29,6 +31,7 @@
 %prep
 %setup -q
 %patch1 -p1
+%patch10 -p1
 
 %build
 %ifos linux
@@ -78,6 +81,8 @@
 %{_datadir}/doc/*
 
 %changelog
+* Sat Feb 19 2011 - Milan Jurik
+- fix jingleinfo security bug
 * Sun Feb 13 2011 - Milan Jurik
 - disable multiarch build
 * Fri Oct 08 2010 - [email protected]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/telepathy-gabble-10-jingleinfo.diff	Sat Feb 19 15:03:36 2011 +0000
@@ -0,0 +1,26 @@
+--- telepathy-gabble-0.10.3/src/jingle-factory.c	Wed Oct  6 14:43:30 2010
++++ telepathy-gabble-0.10.3-patch/src/jingle-factory.c	Sat Feb 19 15:14:19 2011
+@@ -254,7 +254,23 @@
+   GabbleJingleFactoryPrivate *priv = fac->priv;
+   LmMessageSubType sub_type;
+   LmMessageNode *query_node, *node;
++  const gchar *from = wocky_node_get_attribute (wocky_stanza_get_top_node (message), "from");
+ 
++  if (from != NULL)
++    {
++      TpBaseConnection *base_conn = TP_BASE_CONNECTION (priv->conn);
++      TpHandleRepoIface *contact_repo = tp_base_connection_get_handles (
++          base_conn, TP_HANDLE_TYPE_CONTACT);
++      TpHandle sender = tp_handle_lookup (contact_repo, from, NULL, NULL);
++
++      if (sender != base_conn->self_handle)
++        {
++          DEBUG ("ignoring jingleinfo from '%s', not ourself nor the server",
++              from);
++          return LM_HANDLER_RESULT_ALLOW_MORE_HANDLERS;
++        }
++    }
++
+   query_node = lm_message_node_get_child_with_namespace (
+       wocky_stanza_get_top_node (message), "query", NS_GOOGLE_JINGLE_INFO);
+
upstream/spec-files-extra