[Pkg-xmpp-devel] Bug#1033370: dino-im: Insufficient message sender validation in Dino CVE-2023-28686

Diane Trout diane at ghic.org
Thu Mar 23 19:00:49 GMT 2023


Package: dino-im
Version: 0.4.1-1
Severity: important

Dear Maintainer,

I saw an announcement on the dino-im muc that there's a security vulnerability
in dino.

https://dino.im/security/cve-2023-28686/

I believe this is the patch upstream recommends applying to fix it.

https://github.com/dino/dino/commit/ef8fb0e94ce79d5fde2943e433ad0422eb7f70ec.patch

For myself I cloned dino-im from salsa

cd debian/patches/
curl -L -o cve-2023-28686.patch https://github.com/dino/dino/commit/ef8fb0e94ce79d5fde2943e433ad0422eb7f70ec.patch
echo cve-2023-28686.patch >> series
cd ../..   # sbuild must be run from the package source root, not debian/patches
sbuild -d unstable

It built successfully with the patch.

I could do an NMU if you're busy, but it was also really a trivial update to
apply.

Thanks
Diane Trout



-- System Information:
Debian Release: bookworm/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing-debug'), (500, 'testing'), (110, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-6-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dino-im depends on:
ii  dino-im-common                  0.4.1-1
ii  libadwaita-1-0                  1.2.2-1
ii  libc6                           2.36-8
ii  libcairo2                       1.16.0-7
ii  libgcc-s1                       12.2.0-14
ii  libgcrypt20                     1.10.1-3
ii  libgdk-pixbuf-2.0-0             2.42.10+dfsg-1+b1
ii  libgee-0.8-2                    0.20.6-1
ii  libglib2.0-0                    2.74.6-1
ii  libgnutls30                     3.7.9-1
ii  libgpgme11                      1.18.0-3+b1
ii  libgraphene-1.0-0               1.10.8-1
ii  libgstreamer-plugins-base1.0-0  1.22.0-3
ii  libgstreamer1.0-0               1.22.0-2
ii  libgtk-4-1                      4.8.3+ds-2
ii  libgtk-4-media-gstreamer        4.8.3+ds-2
ii  libicu72                        72.1-3
ii  libnice10                       0.1.21-1
ii  libpango-1.0-0                  1.50.12+ds-1
ii  libqrencode4                    4.1.1-1
ii  libsignal-protocol-c2.3.2       2.3.3-2
ii  libsoup-3.0-0                   3.2.2-2
ii  libsqlite3-0                    3.40.1-1
ii  libsrtp2-1                      2.5.0-3
ii  libstdc++6                      12.2.0-14
ii  libwebrtc-audio-processing1     0.3-1+b1

Versions of packages dino-im recommends:
ii  ca-certificates         20230311
ii  dbus                    1.14.6-1
ii  fonts-noto-color-emoji  2.038-1
ii  network-manager         1.42.0-1

dino-im suggests no packages.

-- no debconf information
