Fix CVE 2017-5593 (User Impersonation Vulnerability) in jabber protocol

BUG: 376348 FIXED-IN: 16.12.3

Fix CVE 2017-5593 (User Impersonation Vulnerability) in jabber protocol
BUG: 376348 FIXED-IN: 16.12.3
6243764c · Pali Rohár · afd61266 · 6243764c · 6243764c
Commit 6243764c authored Feb 11, 2017 by Pali Rohár
2 changed files
--- a/protocols/jabber/libiris/patches/01_cve_2017-5593.patch
+++ b/protocols/jabber/libiris/patches/01_cve_2017-5593.patch
+diff --git a/src/xmpp/xmpp-im/xmpp_tasks.cpp b/src/xmpp/xmpp-im/xmpp_tasks.cpp
+index 0e74b71..0837548 100644
+--- a/src/xmpp/xmpp-im/xmpp_tasks.cpp
+++ b/src/xmpp/xmpp-im/xmpp_tasks.cpp
+@@ -888,14 +888,18 @@ bool JT_PushMessage::take(const QDomElement &e)
+ 	QDomElement forward;
+ 	Message::CarbonDir cd = Message::NoCarbon;
+ 
+	Jid fromJid = Jid(e1.attribute(QLatin1String("from")));
+ 	// Check for Carbon
+ 	QDomNodeList list = e1.childNodes();
+ 	for (int i = 0; i < list.size(); ++i) {
+ 		QDomElement el = list.at(i).toElement();
+ 
+-		if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2") && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))) {
+		if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2")
+		    && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))
+		    && fromJid.compare(Jid(e1.attribute(QLatin1String("to"))), false)) {
+ 			QDomElement el1 = el.firstChildElement();
+-			if (el1.tagName() == QLatin1String("forwarded") && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+			if (el1.tagName() == QLatin1String("forwarded")
+			    && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+ 				QDomElement el2 = el1.firstChildElement(QLatin1String("message"));
+ 				if (!el2.isNull()) {
+ 					forward = el2;
+@@ -904,7 +908,8 @@ bool JT_PushMessage::take(const QDomElement &e)
+ 				}
+ 			}
+ 		}
+-		else if (el.tagName() == QLatin1String("forwarded") && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+		else if (el.tagName() == QLatin1String("forwarded")
+			 && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+ 			forward = el.firstChildElement(QLatin1String("message")); // currently only messages are supportted
+ 			// TODO <delay> element support
+ 			if (!forward.isNull()) {
+@@ -913,7 +918,6 @@ bool JT_PushMessage::take(const QDomElement &e)
+ 		}
+ 	}
+ 
+-	QString from = e1.attribute(QLatin1String("from"));
+ 	Stanza s = client()->stream().createStanza(addCorrectNS(forward.isNull()? e1 : forward));
+ 	if(s.isNull()) {
+ 		//printf("take: bad stanza??\n");
+@@ -926,7 +930,7 @@ bool JT_PushMessage::take(const QDomElement &e)
+ 		return false;
+ 	}
+ 	if (!forward.isNull()) {
+-		m.setForwardedFrom(Jid(from));
+		m.setForwardedFrom(fromJid);
+ 		m.setCarbonDirection(cd);
+ 	}
+ 
--- a/protocols/jabber/libiris/src/xmpp/xmpp-im/xmpp_tasks.cpp
+++ b/protocols/jabber/libiris/src/xmpp/xmpp-im/xmpp_tasks.cpp
@@ -888,14 +888,18 @@ bool JT_PushMessage::take(const QDomElement &e)
 	QDomElement forward;
 	Message::CarbonDir cd = Message::NoCarbon;

+	Jid fromJid = Jid(e1.attribute(QLatin1String("from")));
 	// Check for Carbon
 	QDomNodeList list = e1.childNodes();
 	for (int i = 0; i < list.size(); ++i) {
 		QDomElement el = list.at(i).toElement();

-		if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2") && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))) {
+		if (el.attribute("xmlns") == QLatin1String("urn:xmpp:carbons:2")
+		    && (el.tagName() == QLatin1String("received") || el.tagName() == QLatin1String("sent"))
+		    && fromJid.compare(Jid(e1.attribute(QLatin1String("to"))), false)) {
 			QDomElement el1 = el.firstChildElement();
-			if (el1.tagName() == QLatin1String("forwarded") && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+			if (el1.tagName() == QLatin1String("forwarded")
+			    && el1.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
 				QDomElement el2 = el1.firstChildElement(QLatin1String("message"));
 				if (!el2.isNull()) {
 					forward = el2;
@@ -904,7 +908,8 @@ bool JT_PushMessage::take(const QDomElement &e)
 				}
 			}
 		}
-		else if (el.tagName() == QLatin1String("forwarded") && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
+		else if (el.tagName() == QLatin1String("forwarded")
+			 && el.attribute(QLatin1String("xmlns")) == QLatin1String("urn:xmpp:forward:0")) {
 			forward = el.firstChildElement(QLatin1String("message")); // currently only messages are supportted
 			// TODO <delay> element support
 			if (!forward.isNull()) {
@@ -913,7 +918,6 @@ bool JT_PushMessage::take(const QDomElement &e)
 		}
 	}

-	QString from = e1.attribute(QLatin1String("from"));
 	Stanza s = client()->stream().createStanza(addCorrectNS(forward.isNull()? e1 : forward));
 	if(s.isNull()) {
 		//printf("take: bad stanza??\n");
@@ -926,7 +930,7 @@ bool JT_PushMessage::take(const QDomElement &e)
 		return false;
 	}
 	if (!forward.isNull()) {
-		m.setForwardedFrom(Jid(from));
+		m.setForwardedFrom(fromJid);
 		m.setCarbonDirection(cd);
 	}