temp/dino: add fix for CVE-2021-33896 (MR 2236)

Related: https://dino.im/security/cve-2021-33896/

temp/dino/0001-QLite-Adjust-Real-for-latest-vala-version.patch

@@ -1,4 +1,4 @@
-From 9acb54df9254609f2fe4de83c9047d408412de28 Mon Sep 17 00:00:00 2001
+From 3bd65e646b71321f02fa5492ce0939b8469bd262 Mon Sep 17 00:00:00 2001
 From: Marvin W <git@larma.de>
 Date: Sat, 6 Mar 2021 08:31:53 -0600
 Subject: [PATCH] QLite: Adjust Real for latest vala version
@@ -8,7 +8,7 @@ Subject: [PATCH] QLite: Adjust Real for latest vala version
  1 file changed, 6 insertions(+), 4 deletions(-)
 
 diff --git a/qlite/src/column.vala b/qlite/src/column.vala
-index 60125ddf..45385f38 100644
+index 60125dd..45385f3 100644
 --- a/qlite/src/column.vala
 +++ b/qlite/src/column.vala
 @@ -96,12 +96,14 @@ public abstract class Column<T> {
@@ -38,3 +38,6 @@ index 60125ddf..45385f38 100644
              stmt.bind_double(index, value);
          }
      }
+-- 
+2.31.1
+

temp/dino/0002-Fix-file-traversal-issue-on-incoming-file-transfers.patch

@@ -0,0 +1,37 @@
+From bda2e4ead15ec9f8d043597f59ad6cdf1e8a5fe7 Mon Sep 17 00:00:00 2001
+From: fiaxh <git@lightrise.org>
+Date: Mon, 7 Jun 2021 09:56:25 -0600
+Subject: [PATCH] Fix file traversal issue on incoming file transfers
+
+Fixes CVE-2021-33896
+---
+ libdino/src/entity/file_transfer.vala | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/libdino/src/entity/file_transfer.vala b/libdino/src/entity/file_transfer.vala
+index a8e386b..1823478 100644
+--- a/libdino/src/entity/file_transfer.vala
++++ b/libdino/src/entity/file_transfer.vala
+@@ -45,7 +45,18 @@ public class FileTransfer : Object {
+         }
+     }
+ 
+-    public string file_name { get; set; }
++    private string file_name_;
++    public string file_name {
++        get { return file_name_; }
++        set {
++            file_name_ = Path.get_basename(value);
++            if (file_name_ == Path.DIR_SEPARATOR_S || file_name_ == ".") {
++                file_name_ = "unknown filename";
++            } else if (file_name_.has_prefix(".")) {
++                file_name_ = "_" + file_name_;
++            }
++        }
++    }
+     private string? server_file_name_ = null;
+     public string server_file_name {
+         get { return server_file_name_ ?? file_name; }
+-- 
+2.31.1
+

temp/dino/APKBUILD

@@ -1,7 +1,7 @@
 # Forked from Alpine Linux
 pkgname=dino
 pkgver=9999_git20210115
-pkgrel=1
+pkgrel=2
 # feature/handy branch
 _commit="eb146f811904405a17251fbb66920eaf0506a6a3"
 pkgdesc="Modern Jabber/XMPP client"
@@ -27,7 +27,8 @@ subpackages="$pkgname-lang"
 source="
 	https://github.com/dino/dino/archive/$_commit.tar.gz
 	bump-signal-version.patch
-	9acb54df9254609f2fe4de83c9047d408412de28.patch
+	0001-QLite-Adjust-Real-for-latest-vala-version.patch
+	0002-Fix-file-traversal-issue-on-incoming-file-transfers.patch
 	"
 builddir="$srcdir/$pkgname-$_commit"
 build() {
@@ -50,6 +51,9 @@ check() {
 package() {
 	make DESTDIR="$pkgdir" install
 }
-sha512sums="a05c15199aae159ef03e05c4c2b97f81744f92cfaed718e2ea99043da76e68a557528e89abacf30519ae9a50e559fc0ed9f6794c5b0104b233a348695de82eea  eb146f811904405a17251fbb66920eaf0506a6a3.tar.gz
+sha512sums="
+a05c15199aae159ef03e05c4c2b97f81744f92cfaed718e2ea99043da76e68a557528e89abacf30519ae9a50e559fc0ed9f6794c5b0104b233a348695de82eea  eb146f811904405a17251fbb66920eaf0506a6a3.tar.gz
 838ccba8d97db8bc43de26afd259e4bdaf3afea786bf40a7ed9ae63f4fb7c2190e8bf6de7b41880602113df87831d01467547f8bfd1f88b50d35287822cb5f4c  bump-signal-version.patch
-01d771c039e9c15882ef11970fbc181efe12202f1f1fd9ff3bd6e805f1e85a662d7662da7fbbfb05d6aa569b9f4fed907cf7357d83d02fb1bafa2bb179811f63  9acb54df9254609f2fe4de83c9047d408412de28.patch"
+c2f0e5bfc8e33adefdef5efd93e86287c16600e1651b91cc43b25168d8341f72eeee55bef204f9234d018464e1003d7ae41247229688d596c355330e296e84e9  0001-QLite-Adjust-Real-for-latest-vala-version.patch
+a2db353f817bad446eba263af820b74707730d1583bcb420908c45a32219e897ebff3fdd61d91dc678a250b863e7181b2525c93ca13d02fe0635ba27047d349e  0002-Fix-file-traversal-issue-on-incoming-file-transfers.patch
+"