Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package dino-im. 0.2.0-3 fixes CVE-2021-33896 and another related bug. Both fixes are in upstream version 0.2.1, but applied as patches here. debdiff is attached. unblock dino-im/0.2.0-3
diff -Nru dino-im-0.2.0/debian/changelog dino-im-0.2.0/debian/changelog
--- dino-im-0.2.0/debian/changelog 2021-03-22 22:38:23.000000000 +0000
+++ dino-im-0.2.0/debian/changelog 2021-06-07 17:43:27.000000000 +0000
@@ -1,3 +1,11 @@
+dino-im (0.2.0-3) unstable; urgency=critical
+
+ * Fix file traversal issue on incoming file transfers (CVE-2021-33896)
+ * Don't remove characters after '#' in filename
+ Thanks to fiaxh (Dino upstream) for both patches!
+
+ -- Martin <deba...@debian.org> Mon, 07 Jun 2021 17:43:27 +0000
+
 dino-im (0.2.0-2) unstable; urgency=medium
 
 * Add upstream patch to adjust Real for latest vala version
diff -Nru dino-im-0.2.0/debian/patches/dont-remove-characters-after-numbersign-in-filename.patch dino-im-0.2.0/debian/patches/dont-remove-characters-after-numbersign-in-filename.patch
--- dino-im-0.2.0/debian/patches/dont-remove-characters-after-numbersign-in-filename.patch 1970-01-01 00:00:00.000000000 +0000
+++ dino-im-0.2.0/debian/patches/dont-remove-characters-after-numbersign-in-filename.patch 2021-06-07 17:39:41.000000000 +0000
@@ -0,0 +1,22 @@
+Description: Don't remove characters after '#' in filename
+Author:fiaxh <g...@lightrise.org>
+Origin: upstream
+Applied-Upstream: ce292d03e37f146853417855986bf5541b50d2ae
+Last-Update: 2021-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/plugins/http-files/src/file_provider.vala
++++ b/plugins/http-files/src/file_provider.vala
+@@ -142,10 +142,11 @@
+ }
+
+ private string extract_file_name_from_url(string url) {
+- string ret = Uri.unescape_string(url.substring(url.last_index_of("/") + 1));
++ string ret = url;
+ if (ret.contains("#")) {
+ ret = ret.substring(0, ret.last_index_of("#"));
+ }
++ ret = Uri.unescape_string(ret.substring(ret.last_index_of("/") + 1));
+ return ret;
+ }
+
diff -Nru dino-im-0.2.0/debian/patches/fix-file-traversal-issue-on-incoming-file-transfers.patch dino-im-0.2.0/debian/patches/fix-file-traversal-issue-on-incoming-file-transfers.patch
--- dino-im-0.2.0/debian/patches/fix-file-traversal-issue-on-incoming-file-transfers.patch 1970-01-01 00:00:00.000000000 +0000
+++ dino-im-0.2.0/debian/patches/fix-file-traversal-issue-on-incoming-file-transfers.patch 2021-06-07 17:31:09.000000000 +0000
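Review bot: With the decode moved after the split on the last `/`, a percent-encoded separator (`%2F`) in the final segment decodes to a literal `/`, so this helper can still return a path fragment and silently relies on the `file_name` setter in file_transfer.vala from the companion patch to strip it; a comment should say so, e.g. `// Strip the fragment before decoding so an escaped '#' (%23) survives; the decoded name may still contain '/' and must be sanitized by the file_name setter`. GLib's `Uri.unescape_string` returns null for a malformed escape sequence while `ret` is declared as non-nullable `string`, so a crafted URL with a stray `%` could hand null to callers — worth confirming how they handle it. Everything after the first `#` is the fragment, so `ret = ret.substring(0, ret.index_of("#"));` is the stricter form, although it only differs for URLs carrying more than one `#`. The enclosing class continues outside the hunk.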
@@ -0,0 +1,30 @@
+Description: Fix file traversal issue on incoming file transfers
+Author: fiaxh <g...@lightrise.org>
+Origin: upstream
+Bug: https://dino.im/security/cve-2021-33896/
+Applied-Upstream: 0c8d25b7a3e7a10a506f1e19b868fe9b0c761495
+Last-Update: 2021-06-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/libdino/src/entity/file_transfer.vala
++++ b/libdino/src/entity/file_transfer.vala
+@@ -45,7 +45,18 @@
+ }
+ }
+
+- public string file_name { get; set; }
++ private string file_name_;
++ public string file_name {
++ get { return file_name_; }
++ set {
++ file_name_ = Path.get_basename(value);
++ if (file_name_ == Path.DIR_SEPARATOR_S || file_name_ == ".") {
++ file_name_ = "unknown filename";
++ } else if (file_name_.has_prefix(".")) {
++ file_name_ = "_" + file_name_;
++ }
++ }
++ }
+ private string? server_file_name_ = null;
+ public string server_file_name {
+ get { return server_file_name_ ?? file_name; }
diff -Nru dino-im-0.2.0/debian/patches/series dino-im-0.2.0/debian/patches/series
--- dino-im-0.2.0/debian/patches/series 2021-03-22 22:38:23.000000000 +0000
+++ dino-im-0.2.0/debian/patches/series 2021-06-07 17:35:09.000000000 +0000
@@ -1,3 +1,5 @@
+dont-remove-characters-after-numbersign-in-filename.patch
+fix-file-traversal-issue-on-incoming-file-transfers.patch
 adjust-real-for-latest-vala.patch
 rename-to-dino-im.patch
 fix_library_path.patch
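Review bot: The setter rewrites every incoming name without a comment explaining why, so `Path.get_basename` reads as incidental and could be dropped in a refactor; add above it `// Sender-controlled names must not escape the download directory (CVE-2021-33896): keep only the basename, and neuter '.', '/' and dot-prefixed (hidden) results.`. `server_file_name` falls back to the sanitized `file_name`, but its own backing field `server_file_name_` is assigned outside this hunk and does not pass through this setter; if that value ever forms part of a local path it needs the same basename treatment, which I cannot confirm from here. `Path.get_basename` only splits on the platform separator, so on Linux a name containing `\` is kept as-is — harmless there, but a Windows build would want that case covered too. The enclosing class continues outside the hunk.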