diff -up pidgin-2.10.7/libpurple/protocols/jabber/iq.c.CVE-2013-6483-regression pidgin-2.10.7/libpurple/protocols/jabber/iq.c

--- pidgin-2.10.7/libpurple/protocols/jabber/iq.c.CVE-2013-6483-regression	2014-02-03 09:49:18.556521925 -0500

+++ pidgin-2.10.7/libpurple/protocols/jabber/iq.c	2014-02-03 09:49:29.904554588 -0500

@@ -283,6 +283,52 @@ void jabber_iq_remove_callback_by_id(Jab

 	g_hash_table_remove(js->iq_callbacks, id);

 }

+/**

+ * Verify that the 'from' attribute of an IQ reply is a valid match for

+ * a given IQ request. The expected behavior is outlined in section

+ * 8.1.2.1 of the XMPP CORE spec (RFC 6120). We consider the reply to

+ * be a valid match if any of the following is true:

+ * - Request 'to' matches reply 'from' (including the case where

+ *   neither are set).

+ * - Request 'to' was empty and reply 'from' is server JID.

+ * - Request 'to' was empty and reply 'from' is my JID. The spec says

+ *   we should only allow bare JID, but we also allow full JID for

+ *   compatibility with some servers.

+ *

+ * These rules should allow valid IQ replies while preventing spoofed

+ * ones.

+ *

+ * For more discussion see the "Spoofing of iq ids and misbehaving

+ * servers" email thread from January 2014 on the jdev and security

+ * mailing lists.

+ *

+ * @return TRUE if this reply is valid for the given request.

+ */

+static gboolean does_reply_from_match_request_to(JabberStream *js, JabberID *to, JabberID *from)

+{

+	if (jabber_id_equal(to, from)) {

+		/* Request 'to' matches reply 'from' */

+		return TRUE;

+	}

+

+	if (!to && purple_strequal(from->domain, js->user->domain)) {

+		/* Request 'to' is empty and reply 'from' domain matches our domain */

+

+		if (!from->node && !from->resource) {

+			/* Reply 'from' is server bare JID */

+			return TRUE;

+		}

+

+		if (purple_strequal(from->node, js->user->node)

+				&& (!from->resource || purple_strequal(from->resource, js->user->resource))) {

+			/* Reply 'from' is my full or bare JID */

+			return TRUE;

+		}

+	}

+

+	return FALSE;

+}

+

 void jabber_iq_parse(JabberStream *js, xmlnode *packet)

 {

 	JabberIqCallbackData *jcd;

@@ -377,8 +423,9 @@ void jabber_iq_parse(JabberStream *js, x

 	/* First, lets see if a special callback got registered */

 	if(type == JABBER_IQ_RESULT || type == JABBER_IQ_ERROR) {

-		if((jcd = g_hash_table_lookup(js->iq_callbacks, id))) {

-			if(jabber_id_equal(js, jcd->to, from_id)) {

+		jcd = g_hash_table_lookup(js->iq_callbacks, id);

+		if (jcd) {

+			if (does_reply_from_match_request_to(js, jcd->to, from_id)) {

 				jcd->callback(js, from, type, id, packet, jcd->data);

 				jabber_iq_remove_callback_by_id(js, id);

 				jabber_id_free(from_id);

diff -up pidgin-2.10.7/libpurple/protocols/jabber/jutil.c.CVE-2013-6483-regression pidgin-2.10.7/libpurple/protocols/jabber/jutil.c

--- pidgin-2.10.7/libpurple/protocols/jabber/jutil.c.CVE-2013-6483-regression	2014-02-03 09:49:18.558521926 -0500

+++ pidgin-2.10.7/libpurple/protocols/jabber/jutil.c	2014-02-03 09:49:29.904554588 -0500

@@ -510,30 +510,21 @@ jabber_id_free(JabberID *jid)

 gboolean

-jabber_id_equal(JabberStream *js, const JabberID *jid1, const JabberID *jid2)

+jabber_id_equal(const JabberID *jid1, const JabberID *jid2)

 {

-	const JabberID *j1, *j2;

-	JabberID *bare_user_jid;

-	gboolean equal;

-

-	/* If an outgoing stanza has no 'to', or an incoming has no 'from',

-	 * then those are "the server acting as my account". This function will

-	 * handle that correctly.

-	 */

-	if (!jid1 && !jid2)

+	if (!jid1 && !jid2) {

+		/* Both are null therefore equal */

 		return TRUE;

+	}

-	bare_user_jid = jabber_id_to_bare_jid(js->user);

-	j1 = jid1 ? jid1 : bare_user_jid;

-	j2 = jid2 ? jid2 : bare_user_jid;

-

-	equal = purple_strequal(j1->node, j2->node) &&

-			purple_strequal(j1->domain, j2->domain) &&

-			purple_strequal(j1->resource, j2->resource);

-

-	jabber_id_free(bare_user_jid);

-

-	return equal;

+	if (!jid1 || !jid2) {

+		/* One is null, other is non-null, therefore not equal */

+		return FALSE;

+	}

+

+	return purple_strequal(jid1->node, jid2->node) &&

+			purple_strequal(jid1->domain, jid2->domain) &&

+			purple_strequal(jid1->resource, jid2->resource);

 }

 char *jabber_get_domain(const char *in)

diff -up pidgin-2.10.7/libpurple/protocols/jabber/jutil.h.CVE-2013-6483-regression pidgin-2.10.7/libpurple/protocols/jabber/jutil.h

--- pidgin-2.10.7/libpurple/protocols/jabber/jutil.h.CVE-2013-6483-regression	2014-02-03 09:49:18.559521925 -0500

+++ pidgin-2.10.7/libpurple/protocols/jabber/jutil.h	2014-02-03 09:49:29.904554588 -0500

@@ -46,12 +46,10 @@ typedef enum {

 JabberID* jabber_id_new(const char *str);

 /**

- * Compare two JIDs for equality.

- *

- * Warning: If either JID is NULL then this function uses the user's

- * bare JID, instead!

+ * Compare two JIDs for equality. In addition to the node and domain,

+ * the resources of the two JIDs must also be equal (or both absent).

  */

-gboolean jabber_id_equal(JabberStream *js, const JabberID *jid1, const JabberID *jid2);

+gboolean jabber_id_equal(const JabberID *jid1, const JabberID *jid2);

 void jabber_id_free(JabberID *jid);