Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package gajim Added an upstream commit/patch to solve security problem #863445.
diff -Nru gajim-0.16.6/debian/changelog gajim-0.16.6/debian/changelog
--- gajim-0.16.6/debian/changelog 2016-10-08 12:10:31.000000000 +0200
+++ gajim-0.16.6/debian/changelog 2017-05-27 00:35:49.000000000 +0200
@@ -1,3 +1,10 @@
+gajim (0.16.6-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Apply upstream patch to make XEP-0146 opt-in (Closes: #863445)
+
+ -- W. Martin Borgert <deba...@debian.org> Fri, 26 May 2017 22:35:49 +0000
+
 gajim (0.16.6-1) unstable; urgency=low
 
 * New upstream release (closes: #839780)
diff -Nru gajim-0.16.6/debian/patches/fix-xep-0146-opt-in gajim-0.16.6/debian/patches/fix-xep-0146-opt-in
--- gajim-0.16.6/debian/patches/fix-xep-0146-opt-in 1970-01-01 01:00:00.000000000 +0100
+++ gajim-0.16.6/debian/patches/fix-xep-0146-opt-in 2017-05-27 00:35:49.000000000 +0200
@@ -0,0 +1,35 @@
+Description: Add config option to activate XEP-0146 commands
+ Some of the Commands have security implications, thats why we disable them per default
+Author: Philipp Hörist
+Origin: upstream, https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc
+Bug: https://dev.gajim.org/gajim/gajim/issues/8378
+Bug-Debian: https://bugs.debian.org/863445
+Last-Update: 2017-05-27
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/common/commands.py
++++ b/src/common/commands.py
+@@ -345,9 +345,10 @@
+ def __init__(self):
+ # a list of all commands exposed: node -> command class
+ self.__commands = {}
+- for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand,
+- LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand):
+- self.__commands[cmdobj.commandnode] = cmdobj
++ if gajim.config.get('remote_commands'):
++ for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand,
++ LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand):
++ self.__commands[cmdobj.commandnode] = cmdobj
+
+ # a list of sessions; keys are tuples (jid, sessionid, node)
+ self.__sessions = {}
+--- a/src/common/config.py
++++ b/src/common/config.py
+@@ -313,6 +313,7 @@
+ 'ignore_incoming_attention': [opt_bool, False, _('If True, Gajim will ignore incoming attention requestd ("wizz").')],
+ 'remember_opened_chat_controls': [ opt_bool, True, _('If enabled, Gajim will reopen chat windows that were opened last time Gajim was closed.')],
+ 'positive_184_ack': [ opt_bool, False, _('If enabled, Gajim will show an icon to show that sent message has been received by your contact')],
++ 'remote_commands': [opt_bool, False, _('If True, Gajim will execute XEP-0146 Commands. Dangerous!')],
+ }, {})
+
+ __options_per_key = {
diff -Nru gajim-0.16.6/debian/patches/series gajim-0.16.6/debian/patches/series
--- gajim-0.16.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ gajim-0.16.6/debian/patches/series 2017-05-27 00:35:49.000000000 +0200
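Review bot: The `remote_commands` option is read only once, in `__init__`, so it decides whether the four command classes are registered rather than whether an incoming request is served. Only `__init__` is visible in this hunk, but if the object lives as long as the connection, switching the option back to False leaves the commands reachable until the account reconnects or Gajim restarts. Re-testing `gajim.config.get('remote_commands')` in the method that dispatches incoming ad-hoc command requests would make disabling take effect immediately. The gate also deserves a comment, for example `# XEP-0146 remote commands are opt-in; see the 'remote_commands' option`, and the option text could say what is at risk (two of the commands, by their names, forward messages to the requester) instead of only 'Dangerous!'. The switch is all-or-nothing, so a user who wants only `ChangeStatusCommand` has to expose the forwarding commands too.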
@@ -0,0 +1 @@
+fix-xep-0146-opt-in
unblock gajim/0.16.6-1.1