author | Pacho Ramos <pacho@gentoo.org> | 2011-10-24 18:33:23 +0000 |
---|---|---|
committer | Pacho Ramos <pacho@gentoo.org> | 2011-10-24 18:33:23 +0000 |
commit | 76da3e257abd59514db720d073ec8e5c785aa01a (patch) | |
tree | b2e2b080b885dae2946e041cc386c749f3d6edfc /net-im/empathy/files | |
parent | Set the active Python to 2.x since this doesn't build with 3.x (diff) | |
Fix script injection vulnerability (CVE-2011-3635), bug #388051 (backported patch by Tetromino); fix compilation error due to missing header, bug #388203 by My Th. Re-add dropped keywords after masking the offending map USE flag for them, as those arches shouldn't stick with old 2.32.x versions.
(Portage version: 2.1.10.31/cvs/Linux x86_64)
Diffstat (limited to 'net-im/empathy/files')
-rw-r--r-- | net-im/empathy/files/empathy-2.34.0-CVE-2011-3635.patch | 70 | ||||
-rw-r--r-- | net-im/empathy/files/empathy-2.34.0-missing-include.patch | 10 |
2 files changed, 80 insertions, 0 deletions
diff --git a/net-im/empathy/files/empathy-2.34.0-CVE-2011-3635.patch b/net-im/empathy/files/empathy-2.34.0-CVE-2011-3635.patch
new file mode 100644
index 000000000000..6040778e73d5
--- /dev/null
+++ b/net-im/empathy/files/empathy-2.34.0-CVE-2011-3635.patch
@@ -0,0 +1,70 @@
+From 192ce4dacc108f1b62e8ef752eeb5a2bee3d337f Mon Sep 17 00:00:00 2001
+From: Guillaume Desmottes <guillaume.desmottes@collabora.co.uk>
+Date: Tue, 18 Oct 2011 18:32:52 +0200
+Subject: [PATCH] theme_adium_append_message: escape alias before displaying
+ it
+
+Not doing so can lead to nasty HTML injection from hostile users.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=662035
+
+[Alexandre Rostovtsev <tetromino@gentoo.org>: backport to 2.32, and for
+ good measure, escape alias on /me-type events too]
+---
+ libempathy-gtk/empathy-theme-adium.c | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/libempathy-gtk/empathy-theme-adium.c b/libempathy-gtk/empathy-theme-adium.c
+index 8c6301e..08f79b4 100644
+--- a/libempathy-gtk/empathy-theme-adium.c
++++ b/libempathy-gtk/empathy-theme-adium.c
+@@ -436,7 +436,7 @@ theme_adium_append_message (EmpathyChatView *view,
+ EmpathyThemeAdiumPriv *priv = GET_PRIV (theme);
+ EmpathyContact *sender;
+ TpAccount *account;
+- gchar *body_escaped;
++ gchar *body_escaped, *name_escaped;
+ const gchar *body;
+ const gchar *name;
+ const gchar *contact_id;
+@@ -468,17 +468,19 @@ theme_adium_append_message (EmpathyChatView *view,
+ body = empathy_message_get_body (msg);
+ body_escaped = theme_adium_parse_body (body);
+ name = empathy_contact_get_alias (sender);
++ name_escaped = g_markup_escape_text (name, -1);
+ contact_id = empathy_contact_get_id (sender);
+
+ /* If this is a /me, append an event */
+ if (empathy_message_get_tptype (msg) == TP_CHANNEL_TEXT_MESSAGE_TYPE_ACTION) {
+ gchar *str;
+
+- str = g_strdup_printf ("%s %s", name, body_escaped);
++ str = g_strdup_printf ("%s %s", name_escaped, body_escaped);
+ theme_adium_append_event_escaped (view, str);
+
+ g_free (str);
+ g_free (body_escaped);
++ g_free (name_escaped);
+ return;
+ }
+
+@@ -600,7 +602,7 @@ theme_adium_append_message (EmpathyChatView *view,
+
+ if (html != NULL) {
+ theme_adium_append_html (theme, func, html, len, body_escaped,
+- avatar_filename, name, contact_id,
++ avatar_filename, name_escaped, contact_id,
+ service_name, message_classes->str,
+ timestamp, is_backlog);
+ } else {
+@@ -616,6 +618,7 @@ theme_adium_append_message (EmpathyChatView *view,
+ priv->last_is_backlog = is_backlog;
+
+ g_free (body_escaped);
++ g_free (name_escaped);
+ g_string_free (message_classes, TRUE);
+ }
+
+--
+1.7.7
+
diff --git a/net-im/empathy/files/empathy-2.34.0-missing-include.patch b/net-im/empathy/files/empathy-2.34.0-missing-include.patch
new file mode 100644
index 000000000000..e8d3a8d3c8ec
--- /dev/null
+++ b/net-im/empathy/files/empathy-2.34.0-missing-include.patch
@@ -0,0 +1,10 @@
+--- libempathy/empathy-auth-factory.c 2011-10-22 00:53:39.480665258 +0300
++++ libempathy/empathy-auth-factory.c 2011-10-22 00:55:22.726535188 +0300
+@@ -20,6 +20,7 @@
+
+ #include "empathy-auth-factory.h"
+
++#include <telepathy-glib/channel-dispatch-operation.h>
+ #include <telepathy-glib/interfaces.h>
+ #include <telepathy-glib/simple-handler.h>
+ #include <telepathy-glib/util.h> |
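Review bot: In empathy-2.34.0-CVE-2011-3635.patch, the `@@ -600,7 +602,7 @@` hunk still passes `contact_id` (along with `service_name` and `avatar_filename`) to `theme_adium_append_html` unescaped, right next to the now-escaped alias. Whether the contact identifier can carry markup characters on any supported protocol is not determinable from these hunks; if it can, it reaches the same HTML sink, so either escape it the same way, e.g. `id_escaped = g_markup_escape_text (contact_id, -1);` with a matching `g_free`, or add a comment stating why it is trusted. Separately, `g_markup_escape_text (name, -1)` returns NULL when `name` is NULL, so unless `empathy_contact_get_alias` is guaranteed non-NULL a guard such as `name_escaped = g_markup_escape_text (name != NULL ? name : "", -1);` is worth considering. The body of `theme_adium_append_message` between the second and third hunks is not visible here, so any other return path in that stretch should be checked for a missing `g_free (name_escaped)`.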