Bug 388051 (CVE-2011-3635) - <net-im/empathy-2.34.0-r2: HTML/web script injection vulnerabilities (CVE-2011-{3635,4170})
Status: RESOLVED FIXED
Alias: CVE-2011-3635
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/46510/
Whiteboard: B4 [noglsa]
Reported: 2011-10-21 21:44 UTC by Sean Amoss (RETIRED)
Modified: 2012-01-16 20:46 UTC (History)

Attachments
patch for empathy-2.32 and 2.34 (empathy-2.32.2-theme_adium_append_message-escape-alias.patch,2.39 KB, patch)
2011-10-21 23:27 UTC, Alexandre Rostovtsev (RETIRED)

Description Sean Amoss (RETIRED) gentoo-dev Security 2011-10-21 21:44:53 UTC
From the Secunia Advisory at $URL:

"A vulnerability has been reported in GNOME Empathy, which can be
exploited by malicious users to conduct script insertion attacks.

Input passed via the nickname is not properly sanitised within the
Adium theme before being used. This can be exploited to insert
arbitrary HTML and script code, which will be executed in a user's IM
session in context of the user's chat room when malicious data is
displayed.

The vulnerability is reported in version 3.2.1. Other versions may
also be affected."

The upstream bug also lists that the default theme in 2.x versions is vulnerable:
https://bugzilla.gnome.org/show_bug.cgi?id=662035
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2011-10-21 23:27:50 UTC
Created attachment 290491 [details, diff]
patch for empathy-2.32 and 2.34

Upstream patch has been applied in gnome overlay in empathy-3.2.1-r1; however, I am not sure if the upstream fix is sufficiently complete (see https://bugzilla.gnome.org/show_bug.cgi?id=662035#c13).

All versions of empathy in portage are currently vulnerable.

Empathy-3.0.2 will not be fixed; it is masked, and will be punted within the next week or two and replaced with 3.2.x.

Pacho, please test that the attached backported patch works for empathy-2.32.2 and empathy-2.34.0. It should be correct, but I don't have a gnome-2 machine to test on.
Comment 2 Pacho Ramos gentoo-dev 2011-10-24 18:33:22 UTC
+*empathy-2.34.0-r2 (24 Oct 2011)
+
+  24 Oct 2011; Pacho Ramos <pacho@gentoo.org> +empathy-2.34.0-r2.ebuild,
+  +files/empathy-2.34.0-CVE-2011-3635.patch,
+  +files/empathy-2.34.0-missing-include.patch:
+  Fix script injection vulnerability (CVE-2011-3635), bug #388051 (backported
+  patch by Tetromino); fix compilation error due missing header, bug #388203 by
+  My Th. Readd dropped keywords after masking offending map USE flag for them,
+  that arches shouldn't stick with old 2.32.x versions.
+
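Review bot: the ChangeLog entry names only CVE-2011-3635, while the bug title covers CVE-2011-{3635,4170} and the backported patch also escapes the alias on /me-type events, which is the separately tracked CVE-2011-4170; suggest listing both CVEs in the entry so the fixed-version metadata matches the advisory. Minor wording: "fix compilation error due missing header" should read "due to a missing header".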
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-10-24 18:55:00 UTC
(In reply to comment #2)
> +*empathy-2.34.0-r2 (24 Oct 2011)
> +

Great, thank you.

Arches, please test and mark stable:
=net-im/empathy-2.34.0-r2
Target keywords : "alpha amd64 ppc x86"
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2011-10-24 20:35:26 UTC
@tetromino: Does =net-im/empathy-2.34.0-r2 also include the fix for CVE-2011-4170 (the /me-type events you noted in the upstream bug - https://bugzilla.gnome.org/show_bug.cgi?id=662035#c13)?
Comment 5 Agostino Sarubbo gentoo-dev 2011-10-24 21:01:45 UTC
@gnome, a lot of unrecognized configure options like:

configure: WARNING: unrecognized options: --disable-schemas-compile, --disable-call, --disable-location, --disable-control-center-embedding, --disable-debug, --without-eds, --disable-map, --disable-nautilus-sendto, --without-connectivity, --disable-spell, --disable-webkit

are known?
Comment 6 Alexandre Rostovtsev (RETIRED) gentoo-dev 2011-10-24 21:13:47 UTC
(In reply to comment #4)
> @tetromino: Does =net-im/empathy-2.34.0-r2 also include the fix for
> CVE-2011-4170 (the /me-type events you noted in the upstream bug -
> https://bugzilla.gnome.org/show_bug.cgi?id=662035#c13)?

Yes. Like the patch comment says, "escape alias on /me-type events too".
Comment 7 Agostino Sarubbo gentoo-dev 2011-10-24 21:17:22 UTC
(In reply to comment #6)
> Yes. Like the patch comment says, "escape alias on /me-type events too".

Well amd64 ok.
Comment 8 Pacho Ramos gentoo-dev 2011-10-24 22:43:44 UTC
(In reply to comment #5)
> @gnome, a lot of unrecognized configure options like:
> 
> configure: WARNING: unrecognized options: --disable-schemas-compile,
> --disable-call, --disable-location, --disable-control-center-embedding,
> --disable-debug, --without-eds, --disable-map, --disable-nautilus-sendto,
> --without-connectivity, --disable-spell, --disable-webkit
> 
> are known?

Yes, if I don't misremember, they are related to a configure run for telepathy-yell or something similar inside empathy.
Comment 9 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-10-25 05:06:56 UTC
amd64: pass
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-10-26 03:44:24 UTC
CVE-2011-4170 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4170):
  Cross-site scripting (XSS) vulnerability in the theme_adium_append_message
  function in empathy-theme-adium.c in the Adium theme in libempathy-gtk in
  Empathy 3.2.1 and earlier allows remote attackers to inject arbitrary web
  script or HTML via a crafted alias (aka nickname) in a /me event, a
  different vulnerability than CVE-2011-3635.

CVE-2011-3635 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3635):
  Cross-site scripting (XSS) vulnerability in the theme_adium_append_message
  function in empathy-theme-adium.c in the Adium theme in libempathy-gtk in
  Empathy 3.2.1 and earlier allows remote attackers to inject arbitrary web
  script or HTML via a crafted alias (aka nickname).
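As an added illustration of the fix shape the CVE text describes (not code from the bug, the attached patch or the Empathy source): the alias is HTML-escaped before the Adium template is filled, on both the normal-message path and the /me path. The template strings, the function names and the hand-rolled escaper are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the characters that let a string break out of HTML text. Upstream
 * uses GLib's g_markup_escape_text; this dependency-free version is an
 * assumption of the example. Returns a malloc'd string the caller frees. */
char *html_escape(const char *s)
{
    char *out = malloc(strlen(s) * 6 + 1), *o = out;
    for (; *s; s++) {
        switch (*s) {
        case '&':  o += sprintf(o, "&amp;");  break;
        case '<':  o += sprintf(o, "&lt;");   break;
        case '>':  o += sprintf(o, "&gt;");   break;
        case '"':  o += sprintf(o, "&quot;"); break;
        case '\'': o += sprintf(o, "&#39;");  break;
        default:   *o++ = *s;
        }
    }
    *o = '\0';
    return out;
}

/* Constructed stand-in for the two template paths named in the CVE text:
 * a normal message and a /me event. Alias and body both come from the
 * remote contact, so both are escaped on both paths (CVE-2011-4170 was the
 * /me path still taking the raw alias). Caller frees the result. */
char *render_message(const char *alias, const char *body, int is_me_event)
{
    char *a = html_escape(alias), *b = html_escape(body);
    size_t n = strlen(a) + strlen(b) + 64;
    char *html = malloc(n);
    if (is_me_event)
        snprintf(html, n, "<div class=\"status\">*%s %s</div>", a, b);
    else
        snprintf(html, n, "<span class=\"sender\">%s</span>: %s", a, b);
    free(a); free(b);
    return html;
}

int main(void)
{
    /* Constructed hostile nickname; the theme must render it inert. */
    const char *alias = "bob<script>alert(1)</script>";
    char *normal = render_message(alias, "hi", 0);
    char *me = render_message(alias, "waves", 1);
    puts(normal); puts(me);
    free(normal); free(me);
    return 0;
}
```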
Comment 11 Alexandre Rostovtsev (RETIRED) gentoo-dev 2011-10-26 08:20:39 UTC
Note about the scope of the vulnerability:

Only users who have empathy installed with USE=webkit and who have manually downloaded and enabled an Adium theme in ~/.local/share/adium/message-styles/ are vulnerable. The default vanilla settings are not going to be vulnerable.

To disable the selected Adium theme in empathy-2.34 or empathy-3.x, a user could do

gsettings set org.gnome.Empathy.conversation adium-path ''
Comment 12 Markos Chandras (RETIRED) gentoo-dev 2011-10-30 11:48:48 UTC
amd64 done. Thanks Agostino
Comment 13 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-30 12:38:00 UTC
x86 stable
Comment 14 Brent Baude (RETIRED) gentoo-dev 2011-11-06 13:01:04 UTC
ppc done
Comment 15 Pacho Ramos gentoo-dev 2011-11-22 01:06:20 UTC
alpha, I accidentally dropped old telepathy-logger versions and, then, your stable empathy version is no longer installable. Sorry :(

I thought about re-adding the old telepathy-logger version but, as your current stable version is affected by this security bug, I thought it would be better (and easier) to simply stabilize the fixed empathy version. Could you give a higher priority to this? Thanks a lot
Comment 16 Tobias Klausmann (RETIRED) gentoo-dev 2012-01-16 14:10:45 UTC
Stable on alpha.
Comment 17 Agostino Sarubbo gentoo-dev 2012-01-16 14:11:27 UTC
@security: please vote
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2012-01-16 16:09:57 UTC
Thanks, folks. GLSA vote: no.
Comment 19 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-16 20:46:43 UTC
NO, too. Both CVEs are actually a form of XSS - closing noglsa. Thanks, everyone.