Bug 655584 (CVE-2018-10994) - <net-im/signal-desktop-bin-1.10.1: RCE via XSS
Summary: <net-im/signal-desktop-bin-1.10.1: RCE via XSS
Status: RESOLVED FIXED
Alias: CVE-2018-10994
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: ~1 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-12 17:10 UTC by Hanno Böck
Modified: 2018-06-24 22:16 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hanno Böck gentoo-dev 2018-05-12 17:10:35 UTC
There's no detailed info on this vuln yet, but it seems a remote code execution bug was found in Signal:
https://twitter.com/ortegaalfredo/status/995017143002509313

As Electron allows running JavaScript code with user privileges, this means a JavaScript injection / XSS can directly lead to RCE.

There's no official advisory or writeup yet, but the changelog for 1.10.1 says:
"Fixes a bug recently published by Alfredo Ortega"

I.e. that release fixes the bug. Please bump.
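To illustrate the XSS-to-RCE chain described in the report, here is an added example that is not Signal Desktop's code and does not reproduce the actual bug (no details were published at the time): a renderer function that interpolates untrusted message text as HTML beside its escaped form, plus a small audit of the Electron BrowserWindow webPreferences that let an injection reach Node APIs. Function names and the sample inputs are constructed for illustration.

```javascript
// Added example (not Signal Desktop's code). Two independent layers stop
// an XSS in an Electron renderer from becoming code execution.

// Layer 1: never render untrusted message text as HTML.
// Vulnerable pattern: message body interpolated straight into markup,
// so any tags or attributes inside `body` are interpreted by the renderer.
function renderMessageUnsafe(body) {
  return `<div class="msg">${body}</div>`;
}

// Hardened form: escape the five HTML metacharacters before interpolation.
// (In a real renderer, prefer element.textContent over innerHTML entirely.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderMessageSafe(body) {
  return `<div class="msg">${escapeHtml(body)}</div>`;
}

// Layer 2: even if an injection slips through, a renderer without Node
// integration has no require() and therefore no child_process or fs.
// This audit flags the webPreferences that turn an XSS into RCE.
// Note: Electron releases before 5.0 defaulted nodeIntegration to true,
// so an unset value is reported as well.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration enabled: renderer JS can call Node APIs');
  } else if (prefs.nodeIntegration === undefined) {
    findings.push('nodeIntegration not set: older Electron defaults to enabled');
  }
  if (prefs.contextIsolation === false) findings.push('contextIsolation disabled');
  if (prefs.sandbox === false) findings.push('sandbox disabled');
  if (prefs.webSecurity === false) findings.push('webSecurity disabled');
  return findings;
}

// Constructed sample message carrying markup, as an attacker-controlled body.
const sampleBody = 'hi <script>evil()</script>';
console.log(renderMessageSafe(sampleBody));
console.log(auditWebPreferences({ nodeIntegration: true, contextIsolation: false }));
```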
Comment 1 Robert G. Siebeck 2018-05-12 23:46:26 UTC
Version 1.10.1 is in tree now, see also #655560
Comment 3 Amy Liffey gentoo-dev 2018-06-24 10:39:28 UTC
Only version in tree is 1.13.0 now which does not seem vulnerable. Can you confirm?

Thanks
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-06-24 22:16:24 UTC
Tree is clean, thanks Amy!