desktop-packages team mailing list archive

[Bug 879301] Re: HTML injection in nicknames

 

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3635

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to empathy in Ubuntu.
https://bugs.launchpad.net/bugs/879301

Title:
  HTML injection in nicknames

Status in “empathy” package in Ubuntu:
  In Progress

Bug description:
  I just requested CVE-2011-3635 for
  https://bugzilla.gnome.org/show_bug.cgi?id=662035

  I'm opening this bug to already let you know about this security issue
  as Ubuntu is more affected than other distros as it ships an Adium
  theme by default.

  Here is the description of the CVE:

  Empathy from version 2.25.3 to 3.2.1.1 is vulnerable to an HTML
  injection bug in its chat window. Only versions built with WebKit
  support (which was optional before version 3.1.5.1) are affected. Also
  this doesn't affect the default chat window, the vulnerability happens
  only when the user has configured it to use an Adium theme (none are
  provided by default).

  Fix:
  http://git.gnome.org/browse/empathy/commit/?id=739aca418457de752be13721218aaebc74bd9d36
  Details: https://bugzilla.gnome.org/show_bug.cgi?id=662035
