authorPacho Ramos <pacho@gentoo.org>2011-10-24 18:33:23 +0000
committerPacho Ramos <pacho@gentoo.org>2011-10-24 18:33:23 +0000
commit76da3e257abd59514db720d073ec8e5c785aa01a (patch)
treeb2e2b080b885dae2946e041cc386c749f3d6edfc /net-im/empathy
parentSet the active Python to 2.x since this doesn't build with 3.x (diff)
Fix script injection vulnerability (CVE-2011-3635), bug #388051 (backported patch by Tetromino); fix compilation error due to a missing header, bug #388203 by My Th. Re-add dropped keywords after masking the offending map USE flag for them, as those arches shouldn't stick with old 2.32.x versions.
(Portage version: 2.1.10.31/cvs/Linux x86_64)
Diffstat (limited to 'net-im/empathy')
-rw-r--r--net-im/empathy/ChangeLog12
-rw-r--r--net-im/empathy/empathy-2.34.0-r2.ebuild120
-rw-r--r--net-im/empathy/files/empathy-2.34.0-CVE-2011-3635.patch70
-rw-r--r--net-im/empathy/files/empathy-2.34.0-missing-include.patch10
4 files changed, 211 insertions, 1 deletions
diff --git a/net-im/empathy/ChangeLog b/net-im/empathy/ChangeLog
index 8d88749ecf55..3fc2a6d3c441 100644
--- a/net-im/empathy/ChangeLog
+++ b/net-im/empathy/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for net-im/empathy
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-im/empathy/ChangeLog,v 1.90 2011/08/18 06:22:13 nirbheek Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-im/empathy/ChangeLog,v 1.91 2011/10/24 18:33:23 pacho Exp $
+
+*empathy-2.34.0-r2 (24 Oct 2011)
+
+ 24 Oct 2011; Pacho Ramos <pacho@gentoo.org> +empathy-2.34.0-r2.ebuild,
+ +files/empathy-2.34.0-CVE-2011-3635.patch,
+ +files/empathy-2.34.0-missing-include.patch:
+ Fix script injection vulnerability (CVE-2011-3635), bug #388051 (backported
+ patch by Tetromino); fix compilation error due missing header, bug #388203 by
+ My Th. Readd dropped keywords after masking offending map USE flag for them,
+ that arches shouldn't stick with old 2.32.x versions.
*empathy-3.0.2 (18 Aug 2011)
diff --git a/net-im/empathy/empathy-2.34.0-r2.ebuild b/net-im/empathy/empathy-2.34.0-r2.ebuild
new file mode 100644
index 000000000000..c07078df238c
--- /dev/null
+++ b/net-im/empathy/empathy-2.34.0-r2.ebuild
@@ -0,0 +1,120 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-im/empathy/empathy-2.34.0-r2.ebuild,v 1.1 2011/10/24 18:33:23 pacho Exp $
+
+EAPI="4"
+GCONF_DEBUG="yes"
+GNOME2_LA_PUNT="yes"
+GNOME_TARBALL_SUFFIX="bz2"
+PYTHON_DEPEND="2:2.4"
+
+inherit eutils gnome2 multilib python
+
+DESCRIPTION="Telepathy client and library using GTK+"
+HOMEPAGE="http://live.gnome.org/Empathy"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~sparc ~x86 ~x86-linux"
+# FIXME: Add location support once geoclue stops being idiotic with automagic deps
+IUSE="eds map nautilus networkmanager spell test webkit"
+
+# FIXME: libnotify & libcanberra hard deps
+# gst-plugins-bad is required for the valve plugin. This should move to good
+# eventually at which point the dep can be dropped
+RDEPEND=">=dev-libs/glib-2.27.2:2
+ >=x11-libs/gtk+-2.22:2
+ >=dev-libs/dbus-glib-0.51
+ >=net-libs/telepathy-glib-0.14.1
+ >=media-libs/libcanberra-0.4[gtk]
+ >=x11-libs/libnotify-0.7
+ >=gnome-base/gnome-keyring-2.26
+ >=net-libs/gnutls-2.8.5
+ >=dev-libs/folks-0.4
+
+ >=dev-libs/libunique-1.1.6:1
+ net-libs/farsight2
+ >=media-libs/gstreamer-0.10.32:0.10
+ >=media-libs/gst-plugins-base-0.10.32:0.10
+ media-libs/gst-plugins-bad
+ media-plugins/gst-plugins-gconf
+ >=net-libs/telepathy-farsight-0.0.14
+ dev-libs/libxml2
+ x11-libs/libX11
+ net-voip/telepathy-connection-managers
+ >=net-im/telepathy-logger-0.2.0
+
+ eds? ( >=gnome-extra/evolution-data-server-1.2 )
+ map? (
+ >=media-libs/libchamplain-0.7.1:0.8[gtk]
+ >=media-libs/clutter-gtk-0.10:0.10 )
+ nautilus? ( >=gnome-extra/nautilus-sendto-2.31.7 )
+ networkmanager? ( >=net-misc/networkmanager-0.7 )
+ spell? (
+ >=app-text/enchant-1.2
+ >=app-text/iso-codes-0.35 )
+ webkit? ( >=net-libs/webkit-gtk-1.1.15:2 )
+"
+DEPEND="${RDEPEND}
+ app-text/scrollkeeper
+ >=app-text/gnome-doc-utils-0.17.3
+ >=dev-util/intltool-0.35.0
+ >=dev-util/pkgconfig-0.16
+ test? (
+ sys-apps/grep
+ >=dev-libs/check-0.9.4 )
+ dev-libs/libxslt
+"
+PDEPEND=">=net-im/telepathy-mission-control-5.7.6"
+
+pkg_setup() {
+ DOCS="CONTRIBUTORS AUTHORS ChangeLog NEWS README"
+
+ # call support needs unreleased telepathy-farstream
+ G2CONF="${G2CONF}
+ --enable-silent-rules
+ --disable-coding-style-checks
+ --disable-schemas-compile
+ --disable-static
+ --disable-call
+ --disable-location
+ --disable-control-center-embedding
+ --disable-Werror
+ $(use_enable debug)
+ $(use_with eds)
+ $(use_enable map)
+ $(use_enable nautilus nautilus-sendto)
+ $(use_with networkmanager connectivity nm)
+ $(use_enable spell)
+ $(use_enable webkit)"
+
+ # Build time python tools needs python2
+ python_set_active_version 2
+ python_pkg_setup
+}
+
+src_prepare() {
+ gnome2_src_prepare
+
+ epatch "${FILESDIR}"/${P}-auth-dialog-crash-fix.patch
+
+ # Fix script injection vulnerability (CVE-2011-3635), bug #388051
+ epatch "${FILESDIR}"/${P}-CVE-2011-3635.patch
+
+ # Fix compilation error due missing header, bug #388203
+ epatch "${FILESDIR}"/${P}-missing-include.patch
+
+ python_convert_shebangs -r 2 .
+}
+
+src_test() {
+ unset DBUS_SESSION_BUS_ADDRESS
+ emake check
+}
+
+pkg_postinst() {
+ gnome2_pkg_postinst
+ elog "Empathy needs telepathy's connection managers to use any IM protocol."
+ elog "See the USE flags on net-voip/telepathy-connection-managers"
+ elog "to install them."
+}
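Review bot: The first `epatch` in `src_prepare` (`${P}-auth-dialog-crash-fix.patch`) is the only one of the three without a comment naming the bug it addresses. The two patches added in this commit each carry one. That file is not among the four files in this commit's diffstat, so it presumably already exists in files/ from an earlier revision; worth confirming before the revision is committed. Since this revision exists to carry a security fix, a one-line rationale per patch makes it easier to decide at the next version bump which patches can be dropped, for example `# Fix crash in the auth dialog, bug #<bug-id>` above that line.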
diff --git a/net-im/empathy/files/empathy-2.34.0-CVE-2011-3635.patch b/net-im/empathy/files/empathy-2.34.0-CVE-2011-3635.patch
new file mode 100644
index 000000000000..6040778e73d5
--- /dev/null
+++ b/net-im/empathy/files/empathy-2.34.0-CVE-2011-3635.patch
@@ -0,0 +1,70 @@
+From 192ce4dacc108f1b62e8ef752eeb5a2bee3d337f Mon Sep 17 00:00:00 2001
+From: Guillaume Desmottes <guillaume.desmottes@collabora.co.uk>
+Date: Tue, 18 Oct 2011 18:32:52 +0200
+Subject: [PATCH] theme_adium_append_message: escape alias before displaying
+ it
+
+Not doing so can lead to nasty HTML injection from hostile users.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=662035
+
+[Alexandre Rostovtsev <tetromino@gentoo.org>: backport to 2.32, and for
+ good measure, escape alias on /me-type events too]
+---
+ libempathy-gtk/empathy-theme-adium.c | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/libempathy-gtk/empathy-theme-adium.c b/libempathy-gtk/empathy-theme-adium.c
+index 8c6301e..08f79b4 100644
+--- a/libempathy-gtk/empathy-theme-adium.c
++++ b/libempathy-gtk/empathy-theme-adium.c
+@@ -436,7 +436,7 @@ theme_adium_append_message (EmpathyChatView *view,
+ EmpathyThemeAdiumPriv *priv = GET_PRIV (theme);
+ EmpathyContact *sender;
+ TpAccount *account;
+- gchar *body_escaped;
++ gchar *body_escaped, *name_escaped;
+ const gchar *body;
+ const gchar *name;
+ const gchar *contact_id;
+@@ -468,17 +468,19 @@ theme_adium_append_message (EmpathyChatView *view,
+ body = empathy_message_get_body (msg);
+ body_escaped = theme_adium_parse_body (body);
+ name = empathy_contact_get_alias (sender);
++ name_escaped = g_markup_escape_text (name, -1);
+ contact_id = empathy_contact_get_id (sender);
+
+ /* If this is a /me, append an event */
+ if (empathy_message_get_tptype (msg) == TP_CHANNEL_TEXT_MESSAGE_TYPE_ACTION) {
+ gchar *str;
+
+- str = g_strdup_printf ("%s %s", name, body_escaped);
++ str = g_strdup_printf ("%s %s", name_escaped, body_escaped);
+ theme_adium_append_event_escaped (view, str);
+
+ g_free (str);
+ g_free (body_escaped);
++ g_free (name_escaped);
+ return;
+ }
+
+@@ -600,7 +602,7 @@ theme_adium_append_message (EmpathyChatView *view,
+
+ if (html != NULL) {
+ theme_adium_append_html (theme, func, html, len, body_escaped,
+- avatar_filename, name, contact_id,
++ avatar_filename, name_escaped, contact_id,
+ service_name, message_classes->str,
+ timestamp, is_backlog);
+ } else {
+@@ -616,6 +618,7 @@ theme_adium_append_message (EmpathyChatView *view,
+ priv->last_is_backlog = is_backlog;
+
+ g_free (body_escaped);
++ g_free (name_escaped);
+ g_string_free (message_classes, TRUE);
+ }
+
+--
+1.7.7
+
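Review bot: In the embedded patch's hunk at -600, `contact_id` is still passed to `theme_adium_append_html` unescaped, right next to the newly escaped `name_escaped`. If that function substitutes the contact id into the theme HTML the same way it does the alias (not visible here), it deserves the same treatment: `id_escaped = g_markup_escape_text (contact_id, -1);`, passed in place of `contact_id` and released with `g_free (id_escaped);` on both exit paths. The body of `theme_adium_append_message` between the /me branch and the `html != NULL` call lies outside the hunks. Any other `return` or remaining use of the raw `name` in that stretch cannot be checked from this page, and each extra return would need `g_free (name_escaped)`. `g_markup_escape_text` also expects a non-NULL string, so this relies on `empathy_contact_get_alias` never returning NULL; a short comment at the new call stating that assumption would help.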
diff --git a/net-im/empathy/files/empathy-2.34.0-missing-include.patch b/net-im/empathy/files/empathy-2.34.0-missing-include.patch
new file mode 100644
index 000000000000..e8d3a8d3c8ec
--- /dev/null
+++ b/net-im/empathy/files/empathy-2.34.0-missing-include.patch
@@ -0,0 +1,10 @@
+--- libempathy/empathy-auth-factory.c 2011-10-22 00:53:39.480665258 +0300
++++ libempathy/empathy-auth-factory.c 2011-10-22 00:55:22.726535188 +0300
+@@ -20,6 +20,7 @@
+
+ #include "empathy-auth-factory.h"
+
++#include <telepathy-glib/channel-dispatch-operation.h>
+ #include <telepathy-glib/interfaces.h>
+ #include <telepathy-glib/simple-handler.h>
+ #include <telepathy-glib/util.h>