Hello community, here is the log from the commit of package python3-sleekxmpp for openSUSE:Factory checked in at 2017-01-25 23:24:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python3-sleekxmpp (Old) and /work/SRC/openSUSE:Factory/.python3-sleekxmpp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python3-sleekxmpp" Changes: -------- --- /work/SRC/openSUSE:Factory/python3-sleekxmpp/python3-sleekxmpp.changes 2016-09-13 22:23:57.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.python3-sleekxmpp.new/python3-sleekxmpp.changes 2017-01-25 23:24:18.306004417 +0100 @@ -1,0 +2,11 @@ +Sat Dec 10 09:12:08 UTC 2016 - sor.alexei@meowr.ru + +- Add sleekxmpp-fix-legacyauth.patch by nyov: Fix an error in + legacyauth support. +- Add sleekxmpp-check-roster-push-origin.patch by mathieui: Check + origin of roster pushes (slixmpp commits ffdb6ff, ffd9436, + bsc#1014976). + See Gajim's CVE-2015-8688 and + https://gultsch.de/gajim_roster_push_and_message_interception.html + +------------------------------------------------------------------- New: ---- sleekxmpp-check-roster-push-origin.patch sleekxmpp-fix-legacyauth.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python3-sleekxmpp.spec ++++++ --- /var/tmp/diff_new_pack.Iji3ua/_old 2017-01-25 23:24:18.813927832 +0100 +++ /var/tmp/diff_new_pack.Iji3ua/_new 2017-01-25 23:24:18.817927229 +0100 
@@ -27,6 +27,10 @@
 Source: https://files.pythonhosted.org/packages/source/s/%{_name}/%{_name}-%{version}.tar.gz
 # PATCH-FIX-OPENSUSE sleekxmpp-fix-dnspython.patch sor.alexei@meowr.ru -- Fix compatibility with recent dnspython.
 Patch0: %{_name}-fix-dnspython.patch
+# PATCH-FIX-OPENSUSE sleekxmpp-fix-legacyauth.patch nyov@nexnode.net -- Fix an error in legacyauth support.
+Patch1: %{_name}-fix-legacyauth.patch
+# PATCH-FIX-OPENSUSE sleekxmpp-check-roster-push-origin.patch bsc#1014976 mathieui@mathieui.net -- Check origin of roster pushes (slixmpp commits ffdb6ff, ffd9436).
+Patch2: %{_name}-check-roster-push-origin.patch
 BuildRequires: python3
 BuildRequires: python3-dnspython
 BuildRequires: python3-xml
@@ -42,6 +46,8 @@
 %prep
 %setup -q -n %{_name}-%{version}
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 %build
 python3 setup.py build
++++++ sleekxmpp-check-roster-push-origin.patch ++++++
--- a/sleekxmpp/clientxmpp.py
+++ b/sleekxmpp/clientxmpp.py
@@ -16,6 +16,7 @@ from __future__ import absolute_import,
 import logging
+from sleekxmpp.jid import JID
 from sleekxmpp.stanza import StreamFeatures
 from sleekxmpp.basexmpp import BaseXMPP
 from sleekxmpp.exceptions import XMPPError
@@ -99,7 +100,17 @@ class ClientXMPP(BaseXMPP):
 self.add_event_handler('roster_update', self._handle_roster)
 self.register_stanza(StreamFeatures)
-
+ def roster_push_filter(iq):
+ from_ = iq['from']
+ if from_ and from_ != JID('') and from_ != self.boundjid.bare:
+ reply = iq.reply()
+ reply['type'] = 'error'
+ reply['error']['type'] = 'cancel'
+ reply['error']['code'] = 503
+ reply['error']['condition'] = 'service-unavailable'
+ reply.send()
+ return
+ self.event('roster_update', iq)
 self.register_handler(
 Callback('Stream Features',
 MatchXPath('{%s}features' % self.stream_ns),
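Review bot: The rejection path in the new roster_push_filter is silent — after replying service-unavailable it simply returns, so a push from a foreign JID (the roster-injection case this patch exists to block) leaves no trace for the user or operator; a warning on the module logger before the `return`, e.g. `logging.getLogger(__name__).warning('Ignoring roster push from %s', from_)`, would make such attempts visible (`logging` is already imported in this file, per the hunk above). The function also deserves a short docstring stating the rule it enforces, RFC 6121 §2.1.6: a roster push is honoured only when it carries no 'from' or the account's own bare JID; anything else is answered with an error and never surfaced as roster_update. The `from_ != JID('')` clause looks redundant next to the preceding `if from_` truthiness test, unless an empty JID is truthy in this library's JID class — worth a one-line comment either way. The enclosing method starts before the hunk.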
@@ -107,7 +118,7 @@ class ClientXMPP(BaseXMPP):
 self.register_handler(
 Callback('Roster Update',
 StanzaPath('iq@type=set/roster'),
- lambda iq: self.event('roster_update', iq)))
+ roster_push_filter))
 # Setup default stream features
 self.register_plugin('feature_starttls')
++++++ sleekxmpp-fix-legacyauth.patch ++++++
--- a/sleekxmpp/plugins/xep_0078/legacyauth.py
+++ b/sleekxmpp/plugins/xep_0078/legacyauth.py
@@ -112,7 +112,7 @@ class XEP_0078(BasePlugin):
 stream_id = bytes(self.xmpp.stream_id, encoding='utf-8')
 password = bytes(self.xmpp.password, encoding='utf-8')
- digest = hashlib.sha1(b'%s%s' % (stream_id, password)).hexdigest()
+ digest = hashlib.sha1('%s%s' % (stream_id, password)).hexdigest()
 iq['auth']['digest'] = digest
 else:
 log.warning('Authenticating via jabber:iq:auth Plain.')
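Review bot: The replacement digest line in legacyauth.py still cannot work on Python 3, the interpreter this package targets: `stream_id` and `password` are bytes (the two lines above it), so `'%s%s' % (stream_id, password)` yields the text of their reprs (`b'...'b'...'`), and hashlib.sha1() then raises TypeError because it is handed a str — the patch swaps one TypeError for another, and even if the str were encoded the digest would be computed over the wrong input. Since both operands are already bytes, plain concatenation is correct on Python 2 and 3 alike: `digest = hashlib.sha1(stream_id + password).hexdigest()`. The enclosing method continues outside the hunk.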