Summary: | net-im/empathy-2.34.0-r2: HTML/web script injection vulnerabilities (CVE-2011-{3635,4170})
---|---
Product: | Gentoo Security
Reporter: | Sean Amoss (RETIRED) <ackle>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | minor
CC: | gnome, net-im
Priority: | High
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://secunia.com/advisories/46510/
Whiteboard: | B4 [noglsa]
Runtime testing required: | ---
Description
Sean Amoss (RETIRED)
2011-10-21 21:44:53 UTC
Created attachment 290491 [details, diff]
patch for empathy-2.32 and 2.34

Upstream patch has been applied in gnome overlay in empathy-3.2.1-r1; however, I am not sure if the upstream fix is sufficiently complete (see https://bugzilla.gnome.org/show_bug.cgi?id=662035#c13).

All versions of empathy in portage are currently vulnerable. Empathy-3.0.2 will not be fixed; it is masked, and will be punted within the next week or two and replaced with 3.2.x.

Pacho, please test that the attached backported patch works for empathy-2.32.2 and empathy-2.34.0. It should be correct, but I don't have a gnome-2 machine to test on.

+*empathy-2.34.0-r2 (24 Oct 2011)
+
+  24 Oct 2011; Pacho Ramos <pacho@gentoo.org> +empathy-2.34.0-r2.ebuild,
+  +files/empathy-2.34.0-CVE-2011-3635.patch,
+  +files/empathy-2.34.0-missing-include.patch:
+  Fix script injection vulnerability (CVE-2011-3635), bug #388051 (backported
+  patch by Tetromino); fix compilation error due missing header, bug #388203 by
+  My Th. Readd dropped keywords after masking offending map USE flag for them,
+  that arches shouldn't stick with old 2.32.x versions.
+

(In reply to comment #2)
> +*empathy-2.34.0-r2 (24 Oct 2011)
> +

Great, thank you.

Arches, please test and mark stable:
=net-im/empathy-2.34.0-r2
Target keywords : "alpha amd64 ppc x86"

@tetromino: Does =net-im/empathy-2.34.0-r2 also include the fix for CVE-2011-4170 (the /me-type events you noted in the upstream bug - https://bugzilla.gnome.org/show_bug.cgi?id=662035#c13)?

@gnome, a lot of unrecognized configure options like:

configure: WARNING: unrecognized options: --disable-schemas-compile, --disable-call, --disable-location, --disable-control-center-embedding, --disable-debug, --without-eds, --disable-map, --disable-nautilus-sendto, --without-connectivity, --disable-spell, --disable-webkit

are known?
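Review bot: The ChangeLog entry names only CVE-2011-3635, while the thread goes on to confirm that the backported patch also escapes the alias on /me-type events (CVE-2011-4170); listing both CVEs in the entry would make the full security content of -r2 visible to the arch teams and to the GLSA vote without having to read the patch comment.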
(In reply to comment #4)
> @tetromino: Does =net-im/empathy-2.34.0-r2 also include the fix for
> CVE-2011-4170 (the /me-type events you noted in the upstream bug -
> https://bugzilla.gnome.org/show_bug.cgi?id=662035#c13)?

Yes. Like the patch comment says, "escape alias on /me-type events too".

(In reply to comment #6)
> Yes. Like the patch comment says, "escape alias on /me-type events too".

Well amd64 ok.

(In reply to comment #5)
> @gnome, a lot of unrecognized configure options like:
>
> configure: WARNING: unrecognized options: --disable-schemas-compile,
> --disable-call, --disable-location, --disable-control-center-embedding,
> --disable-debug, --without-eds, --disable-map, --disable-nautilus-sendto,
> --without-connectivity, --disable-spell, --disable-webkit
>
> are known?

Yes, if I don't misremember, they are related to a configure run for telepathy-yell or something similar inside empathy.

amd64: pass

CVE-2011-4170 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4170):
Cross-site scripting (XSS) vulnerability in the theme_adium_append_message function in empathy-theme-adium.c in the Adium theme in libempathy-gtk in Empathy 3.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted alias (aka nickname) in a /me event, a different vulnerability than CVE-2011-3635.

CVE-2011-3635 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3635):
Cross-site scripting (XSS) vulnerability in the theme_adium_append_message function in empathy-theme-adium.c in the Adium theme in libempathy-gtk in Empathy 3.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted alias (aka nickname).

Note about the scope of the vulnerability: Only users who have empathy installed with USE=webkit and who have manually downloaded and enabled an Adium theme in ~/.local/share/adium/message-styles/ are vulnerable. The default vanilla settings are not going to be vulnerable.

To disable the selected Adium theme in empathy-2.34 or empathy-3.x, a user could do

gsettings set org.gnome.Empathy.conversation adium-path ''

amd64 done. Thanks Agostino

x86 stable

ppc done

alpha, I accidentally dropped old telepathy-logger versions and, then, your stable empathy version is no longer installable. Sorry :(

I thought about readding the old telepathy-logger version but, as your current stable version is affected by this security bug, I thought it would be better (and easier) to simply stabilize the fixed empathy version. Could you give a higher priority to this? Thanks a lot

Stable on alpha.

@security: please vote

Thanks, folks. GLSA vote: no.

NO, too.

Both CVEs are actually a form of XSS - closing noglsa. Thanks, everyone.
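As an added illustration (not code from Empathy, the upstream fix, or the attached backport), the escaping gap behind the two CVEs discussed in this bug: an untrusted alias is interpolated into the theme's HTML, the first fix escapes it on the ordinary-message path, and the /me-event path needs the same treatment. `render_message`, `html_escape` and the HTML fragments are assumptions standing in for `theme_adium_append_message`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape HTML metacharacters; heap-allocated, worst case six bytes per input byte ("&quot;"). */
static char *html_escape(const char *s) {
    char *out = malloc(strlen(s) * 6 + 1), *o = out;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { strcpy(o, rep); o += strlen(rep); } else { *o++ = *s; }
    }
    *o = '\0';
    return out;
}

/* Hypothetical stand-in for theme_adium_append_message: build the HTML
 * fragment a WebKit-based theme would display. The ordinary path always
 * escapes the alias (the CVE-2011-3635 fix); escape_me_alias selects whether
 * the /me-event path does as well (the CVE-2011-4170 fix). Caller frees. */
char *render_message(const char *alias, const char *body,
                     int is_me_event, int escape_me_alias) {
    char *safe_alias = html_escape(alias), *safe_body = html_escape(body);
    const char *sender = (is_me_event && !escape_me_alias) ? alias : safe_alias;
    const char *fmt = is_me_event
        ? "<div class=\"status\">* %s %s</div>"
        : "<div class=\"message\"><span class=\"sender\">%s</span>: %s</div>";
    size_t n = strlen(fmt) + strlen(sender) + strlen(safe_body) + 1;
    char *out = malloc(n);
    snprintf(out, n, fmt, sender, safe_body);
    free(safe_alias); free(safe_body);
    return out;
}

int main(void) {
    /* Constructed alias carrying markup (in Empathy it arrives from the remote contact). */
    const char *alias = "<b>nick</b>";
    char *gap = render_message(alias, "waves", 1, 0);   /* markup survives */
    char *fixed = render_message(alias, "waves", 1, 1); /* rendered as &lt;b&gt; */
    printf("before: %s\nafter:  %s\n", gap, fixed);
    free(gap); free(fixed);
    return 0;
}
```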