Version in base suite: 62-1

Base version: gnome-shell-extension-gsconnect_62-1
Target version: gnome-shell-extension-gsconnect_62-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gnome-shell-extension-gsconnect/gnome-shell-extension-gsconnect_62-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gnome-shell-extension-gsconnect/gnome-shell-extension-gsconnect_62-1+deb13u1.dsc

 changelog                                                                          |    6 +
 patches/check-that-protocol-version-and-deviceid-match-on-encrypted-identity.patch |   54 ++++++++++
 patches/series                                                                     |    1 
 3 files changed, 61 insertions(+)

gpgv: Signature made Sat Nov 22 18:31:57 2025 UTC
gpgv:                using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: Can't check signature: Bad public key
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpt9l_kwam/gnome-shell-extension-gsconnect_62-1+deb13u1.dsc: no acceptable signature found
diff -Nru gnome-shell-extension-gsconnect-62/debian/changelog gnome-shell-extension-gsconnect-62/debian/changelog
--- gnome-shell-extension-gsconnect-62/debian/changelog	2025-04-10 19:22:45.000000000 +0000
+++ gnome-shell-extension-gsconnect-62/debian/changelog	2025-11-22 18:27:16.000000000 +0000
@@ -1,3 +1,9 @@
+gnome-shell-extension-gsconnect (62-1+deb13u1) trixie-security; urgency=medium
+
+  * Cherrypick 3223595bb648ad09afd150ec56dadfe1f33bd641
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Sat, 22 Nov 2025 19:27:16 +0100
+
 gnome-shell-extension-gsconnect (62-1) unstable; urgency=medium
 
   * New upstream release (Closes: #1101981)
diff -Nru gnome-shell-extension-gsconnect-62/debian/patches/check-that-protocol-version-and-deviceid-match-on-encrypted-identity.patch gnome-shell-extension-gsconnect-62/debian/patches/check-that-protocol-version-and-deviceid-match-on-encrypted-identity.patch
--- gnome-shell-extension-gsconnect-62/debian/patches/check-that-protocol-version-and-deviceid-match-on-encrypted-identity.patch	1970-01-01 00:00:00.000000000 +0000
+++ gnome-shell-extension-gsconnect-62/debian/patches/check-that-protocol-version-and-deviceid-match-on-encrypted-identity.patch	2025-11-22 18:27:10.000000000 +0000
@@ -0,0 +1,54 @@
+From 3223595bb648ad09afd150ec56dadfe1f33bd641 Mon Sep 17 00:00:00 2001
+From: Daniel Landau <daniel@landau.fi>
+Date: Sun, 16 Nov 2025 11:13:55 +0200
+Subject: [PATCH] Check that protocol version and deviceId match on encrypted
+ identity
+
+--- gnome-shell-extension-gsconnect-62.orig/src/service/backends/lan.js
++++ gnome-shell-extension-gsconnect-62/src/service/backends/lan.js
+@@ -704,6 +704,25 @@ export const Channel = GObject.registerC
+         return this._authenticate(connection);
+     }
+ 
++    async _exchangeIdentities() {
++        await this.sendPacket(this.backend.identity);
++        const identity = await this.readPacket();
++
++        if (this.identity.body.protocolVersion !== identity.body.protocolVersion) {
++            this.identity = null;
++            throw new Error(`Unexpected protocol version ${identity.protocolVersion}; ` +
++                            `handshake started with protocol version ${this.identity.protocolVersion}`);
++        }
++
++        if (this.identity.body.deviceId !== identity.body.deviceId) {
++            this.identity = null;
++            throw new Error(`Unexpected device ID "${identity.body.deviceId}"; ` +
++                            `handshake started with device ID "${this.identity.body.deviceId}"`);
++        }
++
++        this.identity = identity;
++    }
++
+     /**
+      * Negotiate an incoming connection
+      *
+@@ -749,8 +768,7 @@ export const Channel = GObject.registerC
+             // Starting with protocol version 8, the devices are expected to
+             // exchange identity packets again after TLS negotiation
+             if (this.identity.body.protocolVersion >= 8) {
+-                await this.sendPacket(this.backend.identity);
+-                this.identity = await this.readPacket();
++                await this._exchangeIdentities();
+             }
+         } catch (e) {
+             this.close();
+@@ -780,8 +798,7 @@ export const Channel = GObject.registerC
+             // Starting with protocol version 8, the devices are expected to
+             // exchange identity packets again after TLS negotiation
+             if (this.identity.body.protocolVersion >= 8) {
+-                await this.sendPacket(this.backend.identity);
+-                this.identity = await this.readPacket();
++                await this._exchangeIdentities();
+             }
+         } catch (e) {
+             this.close();
diff -Nru gnome-shell-extension-gsconnect-62/debian/patches/series gnome-shell-extension-gsconnect-62/debian/patches/series
--- gnome-shell-extension-gsconnect-62/debian/patches/series	2025-04-10 19:22:45.000000000 +0000
+++ gnome-shell-extension-gsconnect-62/debian/patches/series	2025-11-22 18:26:58.000000000 +0000
@@ -0,0 +1 @@
+check-that-protocol-version-and-deviceid-match-on-encrypted-identity.patch