In a number of places, Gabble does not perform adequate checking on the sender of a stanza before processing it:

• In conn-mail-notif.c, a contact can cause Gabble to poll the server for new mail. This is harmless: contacts can waste your bandwidth in other ways.
• In conn-presence.c, a contact can fake a Google Shared Status update, causing our local perception of our status (but not our *actual* status) to be incorrect. This is annoying, but is not crucially important, and this code is not present on any stable branch.
• Also in conn-presence.c, a contact can cause Gabble to poll the server for the contents of the privacy list named "invisible"; it cannot cause Gabble to change its status or to modify the privacy list or our current visibility, so this is simply a(nother) way to waste bandwidth.
• In jingle-factory.c, a malicious contact can trick Gabble into relaying media through a server of their choosing. This allows any contact to intercept your audio and video calls (as opposed to only attacker who can passively intercept your network traffic, which is the normal state of affairs for unencrypted calls).

Created attachment 43124 [details] [review]
Fix for the jingleinfo issue, applicable to 0.10 and 0.11

Created attachment 43125 [details] [review]
Fix for the jingleinfo issue, applicable to 0.8

Both patches look good to me

Created attachment 43369 [details] [review]
Fix, applicable to 0.7.6 (and other early 0.7.x revisions)

As committed to master, and released in 0.11.7: <http://git.collabora.co.uk/?p=telepathy-gabble.git;a=commitdiff;h=158c988>
As committed to 0.10, and released in 0.10.5: <http://git.collabora.co.uk/?p=telepathy-gabble.git;a=commitdiff;h=5b9ee62>
As committed to 0.8, and released in 0.8.15: <http://git.collabora.co.uk/?p=telepathy-gabble.git;a=commitdiff;h=ed73e1f>

Fixed in telepathy-gabble 0.8.15, 0.10.5 and 0.11.7.