Version in base suite: 0.2.0-3 Base version: dino-im_0.2.0-3 Target version: dino-im_0.2.0-3+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/d/dino-im/dino-im_0.2.0-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/d/dino-im/dino-im_0.2.0-3+deb11u1.dsc changelog | 7 +++++++ patches/cve-2023-28686.patch | 37 +++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 45 insertions(+) diff -Nru dino-im-0.2.0/debian/changelog dino-im-0.2.0/debian/changelog --- dino-im-0.2.0/debian/changelog 2021-06-07 17:43:27.000000000 +0000 +++ dino-im-0.2.0/debian/changelog 2023-03-24 00:48:22.000000000 +0000 @@ -1,3 +1,10 @@ +dino-im (0.2.0-3+deb11u1) bullseye-security; urgency=high + + * Fix for: [CVE-2023-28686] Insufficient message sender validation in + Dino (Closes: #1033370) + + -- Martin Fri, 24 Mar 2023 00:48:22 +0000 + dino-im (0.2.0-3) unstable; urgency=critical * Fix file traversal issue on incoming file transfers (CVE-2021-33896) diff -Nru dino-im-0.2.0/debian/patches/cve-2023-28686.patch dino-im-0.2.0/debian/patches/cve-2023-28686.patch --- dino-im-0.2.0/debian/patches/cve-2023-28686.patch 1970-01-01 00:00:00.000000000 +0000 +++ dino-im-0.2.0/debian/patches/cve-2023-28686.patch 2023-03-24 00:48:22.000000000 +0000 
@@ -0,0 +1,37 @@
+From ef8fb0e94ce79d5fde2943e433ad0422eb7f70ec Mon Sep 17 00:00:00 2001
+From: Marvin W
+Date: Thu, 23 Mar 2023 10:13:30 -0600
+Subject: [PATCH] Check sender of bookmark:1 updates
+
+---
+ xmpp-vala/src/module/xep/0402_bookmarks2.vala | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/xmpp-vala/src/module/xep/0402_bookmarks2.vala b/xmpp-vala/src/module/xep/0402_bookmarks2.vala
+index 406f37f43..d1e53e6e3 100644
+--- a/xmpp-vala/src/module/xep/0402_bookmarks2.vala
++++ b/xmpp-vala/src/module/xep/0402_bookmarks2.vala
+@@ -68,6 +68,11 @@ public class Module : BookmarksProvider, XmppStreamModule {
+ }
+
+ private void on_pupsub_item(XmppStream stream, Jid jid, string id, StanzaNode? node) {
++ if (!jid.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid)) {
++ warning("Received alleged bookmarks:1 item from %s, ignoring", jid.to_string());
++ return;
++ }
++
+ Conference conference = parse_item_node(node, id);
+ Flag? flag = stream.get_flag(Flag.IDENTITY);
+ if (flag != null) {
+@@ -77,6 +82,11 @@ public class Module : BookmarksProvider, XmppStreamModule {
+ }
+
+ private void on_pupsub_retract(XmppStream stream, Jid jid, string id) {
++ if (!jid.equals(stream.get_flag(Bind.Flag.IDENTITY).my_jid.bare_jid)) {
++ warning("Received alleged bookmarks:1 retract from %s, ignoring", jid.to_string());
++ return;
++ }
++
+ try {
+ Jid jid_parsed = new Jid(id);
+ Flag? flag = stream.get_flag(Flag.IDENTITY);
diff -Nru dino-im-0.2.0/debian/patches/series dino-im-0.2.0/debian/patches/series
--- dino-im-0.2.0/debian/patches/series 2021-06-07 17:35:09.000000000 +0000
+++ dino-im-0.2.0/debian/patches/series 2023-03-24 00:48:22.000000000 +0000
@@ -3,3 +3,4 @@
 adjust-real-for-latest-vala.patch
 rename-to-dino-im.patch
 fix_library_path.patch
+cve-2023-28686.patch
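Review bot: The new sender guard in both `on_pupsub_item` and `on_pupsub_retract` dereferences `stream.get_flag(Bind.Flag.IDENTITY)` without a null check, while the lines immediately following in each method do test `Flag? flag = stream.get_flag(Flag.IDENTITY)` for null before using it; if the Bind flag is ever absent when a pubsub event is dispatched, the guard that is meant to reject a forged item would instead crash the handler. Failing closed costs one extra line: `Bind.Flag? bind = stream.get_flag(Bind.Flag.IDENTITY); if (bind == null || !jid.equals(bind.my_jid.bare_jid)) { warning("Received alleged bookmarks:1 item from %s, ignoring", jid.to_string()); return; }` (and the same with "retract" in the second handler). Because the identical test is now written twice, a small private helper such as `is_own_account(stream, jid)` would keep the two paths from drifting the next time the check is tightened. Whether a legitimate event can arrive with a full JID of the user's own account, which `equals` against `bare_jid` would now reject, is not visible from this hunk; if the pubsub layer is known to pass full JIDs, comparing `jid.bare_jid` is the safer reading. Both methods continue past the end of the hunk.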