Bug 727003 - VUL-0: empathy html injection
VUL-0: empathy html injection
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:11.3:43929 maint:relea...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-10-28 07:32 UTC by Ludwig Nussel
Modified: 2011-11-20 17:59 UTC (History)
3 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2011-10-28 07:32:58 UTC
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
The issue is public.

CVE-2011-3635

Empathy from version 2.25.3 to 3.2.1.1 is vulnerable to a HTML injection
bug in its chat window. Only version built with WebKit support (which
was optional before version 3.1.5.1) are affected. Also this doesn't
affect the default chat window, the vulnerability happens only when the
user has configured it to use an Adium theme (none are provided by
default).

Fix:
http://git.gnome.org/browse/empathy/commit/?id=739aca418457de752be13721218aaebc74bd9d36
Details: https://bugzilla.gnome.org/show_bug.cgi?id=662035
Comment 1 Dominique Leuenberger 2011-10-28 08:30:57 UTC
In this case, for us affected are:
openSUSE 11.3 / openSUSE 11.4 / openSUSE 12.1 / Factory
Comment 2 Dominique Leuenberger 2011-10-28 08:54:05 UTC
SR#89631 for empathy update to 3.2.1.1 in G:F (devel of oS:F / 12.1 at this time)
Comment 3 Swamp Workflow Management 2011-10-28 08:59:18 UTC
The SWAMPID for this issue is 43914.
This issue was rated as moderate.
Please submit fixed packages until 2011-11-11.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 4 Dominique Leuenberger 2011-10-28 09:49:02 UTC
Submitting package  empathy.openSUSE_11.3
Submitting package  empathy.openSUSE_11.4
Submitting patchinfo  _patchinfo:empathy  to  openSUSE:11.3:Update:Test, openSUSE:11.4:Update:Test

Everything fine? Can we create the requests ? (y/n) y
Requests created:  89649 89650 89651
Successfully finished
Comment 6 Ludwig Nussel 2011-10-28 09:56:42 UTC
Thanks Dominique!
Comment 7 Bernhard Wiedemann 2011-10-28 10:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (727003) was mentioned in
https://build.opensuse.org/request/show/89651 11.4 / _patchinfo:empathy
Comment 8 Scott Reeves 2011-11-01 04:54:23 UTC
The git commit mentioned in the description and therefore the submissions in comment #4 based on that commit are missing an additional usage of the "name" parameter that should be escaped as well (see bgo#662035 comment #14). I updated the patch in the previous submissions and added a submission for sle11-sp1

sle11-sp1 - #16012

11.3  - #89851
11.4  - #89852
Comment 10 Swamp Workflow Management 2011-11-18 10:29:50 UTC
Update released for: empathy, empathy-debuginfo, empathy-debugsource, empathy-lang, nautilus-sendto-plugin-empathy, nautilus-sendto-plugin-empathy-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 11 Swamp Workflow Management 2011-11-18 13:04:39 UTC
Update released for: empathy, empathy-debuginfo, empathy-debugsource, empathy-devel, empathy-lang, gnome-applets-empathy, python-empathy
Products:
SLE-DEBUGINFO 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, x86_64)
Comment 12 Matthias Weckbecker 2011-11-18 14:03:40 UTC
Updates released?