655584 – (CVE-2018-10994) <net-im/signal-desktop-bin-1.10.1: RCE via XSS

Bug 655584 (CVE-2018-10994) - <net-im/signal-desktop-bin-1.10.1: RCE via XSS

Summary: <net-im/signal-desktop-bin-1.10.1: RCE via XSS

Status:	RESOLVED FIXED

Alias:	CVE-2018-10994

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~1 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-05-12 17:10 UTC by Hanno Böck
Modified:	2018-06-24 22:16 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2018-05-12 17:10:35 UTC

There's no detailed info on this vuln yet, but it seems a remote code execution bug was found in signal:
https://twitter.com/ortegaalfredo/status/995017143002509313

As electron allows running javascript code with user privileges this means a javascript injection / XSS can directly lead to RCE.

There's no official advisory or writeup yet, but the changelog for 1.10.1 says:
"Fixes a bug recently published by Alfredo Ortega"

I.e. that release fixes the bug. Please bump.

Comment 1 Robert G. Siebeck 2018-05-12 23:46:26 UTC

Version 1.10.1 is in tree now, see also #655560

Comment 2 Hanno Böck gentoo-dev

2018-05-15 07:09:51 UTC

Details:
https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/advisory/

Comment 3 Amy Liffey gentoo-dev

2018-06-24 10:39:28 UTC

Only version in tree is 1.13.0 now which does not seem vulnerable. Can you confirm?

Thanks

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2018-06-24 22:16:24 UTC

Tree is clean, thanks Amy!