Control: tags 854738 + patch
Control: tags 854738 + pending

Dear maintainer,

I've prepared an NMU for mcabber (versioned as 1.0.4-1.1) and
uploaded it to unstable. Please find attached the debdiff.

Regards,

Markus
diff -Nru mcabber-1.0.4/debian/changelog mcabber-1.0.4/debian/changelog
--- mcabber-1.0.4/debian/changelog	2016-12-20 13:50:12.000000000 +0100
+++ mcabber-1.0.4/debian/changelog	2017-02-26 18:42:08.000000000 +0100
@@ -1,3 +1,14 @@
+mcabber (1.0.4-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2017-5604:
+    An incorrect implementation of XEP-0280: Message Carbons in mcabber allows
+    a remote attacker to impersonate any user, including contacts, in the
+    vulnerable application's display. This allows for various kinds of social
+    engineering attacks. (Closes: #854738)
+
+ -- Markus Koschany <a...@debian.org>  Sun, 26 Feb 2017 18:42:08 +0100
+
 mcabber (1.0.4-1) unstable; urgency=medium
 
   * New upstream version which fixes roster push attacks (CVE-2016-9928,
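Review bot: The new 1.0.4-1.1 entry explains the CVE but does not say how it is fixed: it names neither the added file debian/patches/CVE-2017-5604.patch nor the upstream revision given in that patch's Origin header. A line such as "Add CVE-2017-5604.patch, taken from upstream revision 2a9569fd7644" under the "Fix CVE-2017-5604" bullet would let someone reading only the changelog trace the fix to its source.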
diff -Nru mcabber-1.0.4/debian/patches/CVE-2017-5604.patch mcabber-1.0.4/debian/patches/CVE-2017-5604.patch
--- mcabber-1.0.4/debian/patches/CVE-2017-5604.patch	1970-01-01 01:00:00.000000000 +0100
+++ mcabber-1.0.4/debian/patches/CVE-2017-5604.patch	2017-02-26 18:42:08.000000000 +0100
@@ -0,0 +1,35 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sun, 26 Feb 2017 18:39:28 +0100
+Subject: CVE-2017-5604
+
+An incorrect implementation of XEP-0280: Message Carbons in mcabber allows a
+remote attacker to impersonate any user, including contacts, in the vulnerable
+application's display. This allows for various kinds of social engineering
+attacks.
+
+Bug-Debian: https://bugs.debian.org/854738
+Origin: https://mcabber.com/hg/rev/2a9569fd7644
+---
+ mcabber/xmpp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/mcabber/xmpp.c b/mcabber/xmpp.c
+index 7524ee8..e297aa7 100644
+--- a/mcabber/xmpp.c
++++ b/mcabber/xmpp.c
+@@ -1159,6 +1159,15 @@ static LmHandlerResult handle_messages(LmMessageHandler *handler,
+ 
+     // Parse a message that is send to one of our other resources
+     if (!g_strcmp0(carbon_name, "received")) {
++      // Check envelope JID for carbon messages
++      gchar *self_bjid = jidtodisp(lm_connection_get_jid(lconnection));
++      if (g_strcmp0(self_bjid, bjid)) {
++        scr_LogPrint(LPRINT_LOGNORM, "Received invalid carbon copy!");
++        g_free(self_bjid);
++        goto handle_messages_return;
++      }
++      g_free(self_bjid);
++
+       from = lm_message_node_get_attribute(x, "from");
+       if (!from) {
+         scr_LogPrint(LPRINT_LOGNORM, "Malformed carbon copy!");
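Review bot: The envelope check is added only inside the `received` branch, so the visible lines say nothing about carbons wrapped as `sent`. If handle_messages() handles `sent` carbons in a sibling branch, the same comparison of `bjid` against the account's own bare JID is needed there too; alternatively, move the check above the dispatch on `carbon_name` so both kinds pass through it. Two smaller points on the added lines: g_strcmp0() is case-sensitive, so it is worth confirming that `bjid` and the output of jidtodisp() are normalised the same way, otherwise legitimate carbons could be dropped. The message "Received invalid carbon copy!" would also be more useful for spotting spoofing attempts if it included the offending envelope JID (`bjid`).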
diff -Nru mcabber-1.0.4/debian/patches/series mcabber-1.0.4/debian/patches/series
--- mcabber-1.0.4/debian/patches/series	2016-12-20 13:50:12.000000000 +0100
+++ mcabber-1.0.4/debian/patches/series	2017-02-26 18:42:08.000000000 +0100
@@ -1 +1,2 @@
 spelling_manpage
+CVE-2017-5604.patch
