
Bug 655584 (CVE-2018-10994)

Summary: <net-im/signal-desktop-bin-1.10.1: RCE via XSS
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gentoo.2019, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~1 [noglsa cve]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2018-05-12 17:10:35 UTC
There's no detailed info on this vuln yet, but it seems a remote code execution bug was found in signal:
https://twitter.com/ortegaalfredo/status/995017143002509313

As Electron allows running JavaScript code with user privileges, this means a JavaScript injection / XSS can directly lead to RCE.

There's no official advisory or writeup yet, but the changelog for 1.10.1 says:
"Fixes a bug recently published by Alfredo Ortega"

I.e. that release fixes the bug. Please bump.
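The description above explains why an XSS in an Electron app turns into code execution: renderer scripts run with the user's privileges when Node integration is enabled. The following is an added example (not from this bug report, and not Signal Desktop's own code) showing the two defensive layers a reviewer would check in a simplified chat client: the BrowserWindow `webPreferences` that keep Node out of the page context, and escaping of message text before it reaches `innerHTML`. The `auditWebPreferences`, `escapeHtml` and `renderMessage` helpers and the sample message are assumptions constructed for the example.

```javascript
// Added example, not code from the bug report or from Signal Desktop.
// Layer 1: window hardening. With nodeIntegration enabled, any script that
// reaches the renderer can require('child_process') and act as the user;
// the hardened form keeps Node out of the page context entirely.
const WEAK_WEB_PREFERENCES = {
  nodeIntegration: true,     // renderer scripts get full Node.js access
  contextIsolation: false,   // page scripts share scope with preload code
};

const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,    // no require() in page scripts
  contextIsolation: true,    // preload/Node world isolated from page world
  sandbox: true,             // OS-level renderer sandbox
};

// Startup self-check (hypothetical helper): returns the settings that would
// let an injected script escalate from XSS to native code execution.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration) findings.push('nodeIntegration must be false');
  if (!prefs.contextIsolation) findings.push('contextIsolation must be true');
  if (!prefs.sandbox) findings.push('sandbox must be true');
  return findings;
}

// Layer 2: never hand untrusted message text to innerHTML unescaped.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the HTML fragment for one message; sender and body are both
// attacker-controlled input and are escaped before being interpolated.
function renderMessage(msg) {
  return `<div class="msg"><b>${escapeHtml(msg.sender)}</b>: ${escapeHtml(msg.body)}</div>`;
}

// Constructed sample message whose body carries markup characters.
const SAMPLE_MESSAGE = { sender: 'alice', body: '<b>hi</b> & "quotes"' };
```

Running `auditWebPreferences` against the window configuration at startup and failing closed on any finding is what keeps a markup-handling bug in the renderer at the XSS level instead of RCE.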
Comment 1 Robert G. Siebeck 2018-05-12 23:46:26 UTC
Version 1.10.1 is in tree now, see also #655560
Comment 3 Amy Liffey gentoo-dev 2018-06-24 10:39:28 UTC
Only version in tree is 1.13.0 now which does not seem vulnerable. Can you confirm?

Thanks
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-06-24 22:16:24 UTC
Tree is clean, thanks Amy!