CVE-2021-41055 (https://dev.gajim.org/gajim/gajim/-/tags/gajim-1.3.3): Gajim 1.2.x and 1.3.x before 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted XMPP Last Message Correction (XEP-0308) message in multi-user chat, where the message ID equals the correction ID. Please bump.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0323090c3c3607e8f6c419f211d05c68f0a1190 commit d0323090c3c3607e8f6c419f211d05c68f0a1190 Author: Hanno Böck <hanno@gentoo.org> AuthorDate: 2021-10-19 14:36:20 +0000 Commit: Hanno Böck <hanno@gentoo.org> CommitDate: 2021-10-19 14:36:20 +0000 net-im/gajim: Version bump Fixes CVE-2021-41055 (DoS via crafted message). Fix DISTUTILS_USE_SETUPTOOLS warning. Remove historymanager patch, merged upstream. Bug: https://bugs.gentoo.org/show_bug.cgi?id=817791 Closes: https://bugs.gentoo.org/show_bug.cgi?id=809050 Closes: https://bugs.gentoo.org/show_bug.cgi?id=818799 Signed-off-by: Hanno Böck <hanno@gentoo.org> Package-Manager: Portage-3.0.28, Repoman-3.0.3 net-im/gajim/Manifest | 1 + net-im/gajim/gajim-1.3.3.ebuild | 93 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 94 insertions(+)
Thanks! Please file a stable request and block this bug when ready
Please cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cf577c73fc89c64cd405687fcd482fba1ddcebc commit 4cf577c73fc89c64cd405687fcd482fba1ddcebc Author: Hanno Böck <hanno@gentoo.org> AuthorDate: 2022-03-05 11:04:57 +0000 Commit: Hanno Böck <hanno@gentoo.org> CommitDate: 2022-03-05 11:04:57 +0000 net-im/gajim: Cleanup old versions Bug: https://bugs.gentoo.org/817791 Signed-off-by: Hanno Böck <hanno@gentoo.org> Package-Manager: Portage-3.0.30, Repoman-3.0.3 net-im/gajim/Manifest | 2 - .../files/gajim-1.3.2-fix-historymanager.diff | 44 ---------- net-im/gajim/gajim-1.3.1_p2.ebuild | 88 -------------------- net-im/gajim/gajim-1.3.2.ebuild | 97 ---------------------- 4 files changed, 231 deletions(-)
Sorry, took a bit longer as 1.3.3 originally had an issue with the plugin installer (resolved in 1.3.3_p2 which is now also stable). IMHO we don't necessarily need a GLSA for this one, as it's "just" a crash.
(In reply to Hanno Böck from comment #5) > Sorry, took a bit longer as 1.3.3 originally had an issue with the plugin > installer (resolved in 1.3.3_p2 which is now also stable). > > IMHO we don't necessarily need a GLSA for this one, as it's "just" a crash. Fine by me, thank you!