author | Pacho Ramos <pacho@gentoo.org> | 2011-10-24 18:33:23 +0000 |
---|---|---|
committer | Pacho Ramos <pacho@gentoo.org> | 2011-10-24 18:33:23 +0000 |
commit | 76da3e257abd59514db720d073ec8e5c785aa01a (patch) | |
tree | b2e2b080b885dae2946e041cc386c749f3d6edfc /net-im/empathy | |
parent | Set the active Python to 2.x since this doesn't build with 3.x (diff) | |
Fix script injection vulnerability (CVE-2011-3635), bug #388051 (backported patch by Tetromino); fix compilation error due to a missing header, bug #388203 by My Th. Re-add dropped keywords after masking the offending map USE flag for them, as those arches shouldn't stick with old 2.32.x versions.
(Portage version: 2.1.10.31/cvs/Linux x86_64)
Diffstat (limited to 'net-im/empathy')
-rw-r--r-- | net-im/empathy/ChangeLog | 12 | ||||
-rw-r--r-- | net-im/empathy/empathy-2.34.0-r2.ebuild | 120 | ||||
-rw-r--r-- | net-im/empathy/files/empathy-2.34.0-CVE-2011-3635.patch | 70 | ||||
-rw-r--r-- | net-im/empathy/files/empathy-2.34.0-missing-include.patch | 10 |
4 files changed, 211 insertions, 1 deletions
diff --git a/net-im/empathy/ChangeLog b/net-im/empathy/ChangeLog
index 8d88749ecf55..3fc2a6d3c441 100644
--- a/net-im/empathy/ChangeLog
+++ b/net-im/empathy/ChangeLog
@@ -1,6 +1,16 @@
 # ChangeLog for net-im/empathy
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-im/empathy/ChangeLog,v 1.90 2011/08/18 06:22:13 nirbheek Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-im/empathy/ChangeLog,v 1.91 2011/10/24 18:33:23 pacho Exp $
+
+*empathy-2.34.0-r2 (24 Oct 2011)
+
+ 24 Oct 2011; Pacho Ramos <pacho@gentoo.org> +empathy-2.34.0-r2.ebuild,
+ +files/empathy-2.34.0-CVE-2011-3635.patch,
+ +files/empathy-2.34.0-missing-include.patch:
+ Fix script injection vulnerability (CVE-2011-3635), bug #388051 (backported
+ patch by Tetromino); fix compilation error due missing header, bug #388203 by
+ My Th. Readd dropped keywords after masking offending map USE flag for them,
+ that arches shouldn't stick with old 2.32.x versions.
 *empathy-3.0.2 (18 Aug 2011)
diff --git a/net-im/empathy/empathy-2.34.0-r2.ebuild b/net-im/empathy/empathy-2.34.0-r2.ebuild
new file mode 100644
index 000000000000..c07078df238c
--- /dev/null
+++ b/net-im/empathy/empathy-2.34.0-r2.ebuild
@@ -0,0 +1,120 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-im/empathy/empathy-2.34.0-r2.ebuild,v 1.1 2011/10/24 18:33:23 pacho Exp $
+
+EAPI="4"
+GCONF_DEBUG="yes"
+GNOME2_LA_PUNT="yes"
+GNOME_TARBALL_SUFFIX="bz2"
+PYTHON_DEPEND="2:2.4"
+
+inherit eutils gnome2 multilib python
+
+DESCRIPTION="Telepathy client and library using GTK+"
+HOMEPAGE="http://live.gnome.org/Empathy"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~sparc ~x86 ~x86-linux"
+# FIXME: Add location support once geoclue stops being idiotic with automagic deps
+IUSE="eds map nautilus networkmanager spell test webkit"
+
+# FIXME: libnotify & libcanberra hard deps
+# gst-plugins-bad is required for the valve plugin. This should move to good
+# eventually at which point the dep can be dropped
+RDEPEND=">=dev-libs/glib-2.27.2:2
+ >=x11-libs/gtk+-2.22:2
+ >=dev-libs/dbus-glib-0.51
+ >=net-libs/telepathy-glib-0.14.1
+ >=media-libs/libcanberra-0.4[gtk]
+ >=x11-libs/libnotify-0.7
+ >=gnome-base/gnome-keyring-2.26
+ >=net-libs/gnutls-2.8.5
+ >=dev-libs/folks-0.4
+
+ >=dev-libs/libunique-1.1.6:1
+ net-libs/farsight2
+ >=media-libs/gstreamer-0.10.32:0.10
+ >=media-libs/gst-plugins-base-0.10.32:0.10
+ media-libs/gst-plugins-bad
+ media-plugins/gst-plugins-gconf
+ >=net-libs/telepathy-farsight-0.0.14
+ dev-libs/libxml2
+ x11-libs/libX11
+ net-voip/telepathy-connection-managers
+ >=net-im/telepathy-logger-0.2.0
+
+ eds? ( >=gnome-extra/evolution-data-server-1.2 )
+ map? (
+ >=media-libs/libchamplain-0.7.1:0.8[gtk]
+ >=media-libs/clutter-gtk-0.10:0.10 )
+ nautilus? ( >=gnome-extra/nautilus-sendto-2.31.7 )
+ networkmanager? ( >=net-misc/networkmanager-0.7 )
+ spell? (
+ >=app-text/enchant-1.2
+ >=app-text/iso-codes-0.35 )
+ webkit? ( >=net-libs/webkit-gtk-1.1.15:2 )
+"
+DEPEND="${RDEPEND}
+ app-text/scrollkeeper
+ >=app-text/gnome-doc-utils-0.17.3
+ >=dev-util/intltool-0.35.0
+ >=dev-util/pkgconfig-0.16
+ test? (
+ sys-apps/grep
+ >=dev-libs/check-0.9.4 )
+ dev-libs/libxslt
+"
+PDEPEND=">=net-im/telepathy-mission-control-5.7.6"
+
+pkg_setup() {
+ DOCS="CONTRIBUTORS AUTHORS ChangeLog NEWS README"
+
+ # call support needs unreleased telepathy-farstream
+ G2CONF="${G2CONF}
+ --enable-silent-rules
+ --disable-coding-style-checks
+ --disable-schemas-compile
+ --disable-static
+ --disable-call
+ --disable-location
+ --disable-control-center-embedding
+ --disable-Werror
+ $(use_enable debug)
+ $(use_with eds)
+ $(use_enable map)
+ $(use_enable nautilus nautilus-sendto)
+ $(use_with networkmanager connectivity nm)
+ $(use_enable spell)
+ $(use_enable webkit)"
+
+ # Build time python tools needs python2
+ python_set_active_version 2
+ python_pkg_setup
+}
+
+src_prepare() {
+ gnome2_src_prepare
+
+ epatch "${FILESDIR}"/${P}-auth-dialog-crash-fix.patch
+
+ # Fix script injection vulnerability (CVE-2011-3635), bug #388051
+ epatch "${FILESDIR}"/${P}-CVE-2011-3635.patch
+
+ # Fix compilation error due missing header, bug #388203
+ epatch "${FILESDIR}"/${P}-missing-include.patch
+
+ python_convert_shebangs -r 2 .
+}
+
+src_test() {
+ unset DBUS_SESSION_BUS_ADDRESS
+ emake check
+}
+
+pkg_postinst() {
+ gnome2_pkg_postinst
+ elog "Empathy needs telepathy's connection managers to use any IM protocol."
+ elog "See the USE flags on net-voip/telepathy-connection-managers"
+ elog "to install them."
+}
diff --git a/net-im/empathy/files/empathy-2.34.0-CVE-2011-3635.patch b/net-im/empathy/files/empathy-2.34.0-CVE-2011-3635.patch
new file mode 100644
index 000000000000..6040778e73d5
--- /dev/null
+++ b/net-im/empathy/files/empathy-2.34.0-CVE-2011-3635.patch
@@ -0,0 +1,70 @@
+From 192ce4dacc108f1b62e8ef752eeb5a2bee3d337f Mon Sep 17 00:00:00 2001
+From: Guillaume Desmottes <guillaume.desmottes@collabora.co.uk>
+Date: Tue, 18 Oct 2011 18:32:52 +0200
+Subject: [PATCH] theme_adium_append_message: escape alias before displaying
+ it
+
+Not doing so can lead to nasty HTML injection from hostile users.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=662035
+
+[Alexandre Rostovtsev <tetromino@gentoo.org>: backport to 2.32, and for
+ good measure, escape alias on /me-type events too]
+---
+ libempathy-gtk/empathy-theme-adium.c | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/libempathy-gtk/empathy-theme-adium.c b/libempathy-gtk/empathy-theme-adium.c
+index 8c6301e..08f79b4 100644
+--- a/libempathy-gtk/empathy-theme-adium.c
++++ b/libempathy-gtk/empathy-theme-adium.c
+@@ -436,7 +436,7 @@ theme_adium_append_message (EmpathyChatView *view,
+ EmpathyThemeAdiumPriv *priv = GET_PRIV (theme);
+ EmpathyContact *sender;
+ TpAccount *account;
+- gchar *body_escaped;
++ gchar *body_escaped, *name_escaped;
+ const gchar *body;
+ const gchar *name;
+ const gchar *contact_id;
+@@ -468,17 +468,19 @@ theme_adium_append_message (EmpathyChatView *view,
+ body = empathy_message_get_body (msg);
+ body_escaped = theme_adium_parse_body (body);
+ name = empathy_contact_get_alias (sender);
++ name_escaped = g_markup_escape_text (name, -1);
+ contact_id = empathy_contact_get_id (sender);
+
+ /* If this is a /me, append an event */
+ if (empathy_message_get_tptype (msg) == TP_CHANNEL_TEXT_MESSAGE_TYPE_ACTION) {
+ gchar *str;
+
+- str = g_strdup_printf ("%s %s", name, body_escaped);
++ str = g_strdup_printf ("%s %s", name_escaped, body_escaped);
+ theme_adium_append_event_escaped (view, str);
+
+ g_free (str);
+ g_free (body_escaped);
++ g_free (name_escaped);
+ return;
+ }
+
+@@ -600,7 +602,7 @@ theme_adium_append_message (EmpathyChatView *view,
+
+ if (html != NULL) {
+ theme_adium_append_html (theme, func, html, len, body_escaped,
+- avatar_filename, name, contact_id,
++ avatar_filename, name_escaped, contact_id,
+ service_name, message_classes->str,
+ timestamp, is_backlog);
+ } else {
+@@ -616,6 +618,7 @@ theme_adium_append_message (EmpathyChatView *view,
+ priv->last_is_backlog = is_backlog;
+
+ g_free (body_escaped);
++ g_free (name_escaped);
+ g_string_free (message_classes, TRUE);
+ }
+
+--
+1.7.7
+
diff --git a/net-im/empathy/files/empathy-2.34.0-missing-include.patch b/net-im/empathy/files/empathy-2.34.0-missing-include.patch
new file mode 100644
index 000000000000..e8d3a8d3c8ec
--- /dev/null
+++ b/net-im/empathy/files/empathy-2.34.0-missing-include.patch
@@ -0,0 +1,10 @@
+--- libempathy/empathy-auth-factory.c 2011-10-22 00:53:39.480665258 +0300
++++ libempathy/empathy-auth-factory.c 2011-10-22 00:55:22.726535188 +0300
+@@ -20,6 +20,7 @@
+
+ #include "empathy-auth-factory.h"
+
++#include <telepathy-glib/channel-dispatch-operation.h>
+ #include <telepathy-glib/interfaces.h>
+ #include <telepathy-glib/simple-handler.h>
+ #include <telepathy-glib/util.h> |
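Review bot: In the backported empathy-theme-adium.c patch (empathy-2.34.0-CVE-2011-3635.patch), only the alias is escaped; `contact_id` from `empathy_contact_get_id (sender)` is still passed to `theme_adium_append_html` unescaped on the same call, next to `service_name` and `avatar_filename`. Whether those values end up interpolated into the rendered HTML is not visible in these hunks, so it is worth confirming that every sender-controlled field gets the same `g_markup_escape_text` treatment before it reaches the web view. Separately, `g_markup_escape_text (name, -1)` is called without a NULL guard; if `empathy_contact_get_alias` can ever return NULL, GLib would reject the call and hand back NULL, so something like `name_escaped = g_markup_escape_text (name != NULL ? name : "", -1);` would make the assumption explicit. The body of theme_adium_append_message between the second and third inner hunks is not shown, so any other early return there would also need `g_free (name_escaped);`.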