Bug 748425 (CVE-2011-4170)

Summary: CVE-2011-4170 empathy: XSS due improper escaping of nicknames in the /me event in the Adium theme
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bdpepple
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-07 07:38:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 747737    
Bug Blocks:    

Description Jan Lieskovsky 2011-10-24 12:27:09 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4170 to
the following vulnerability:

Cross-site scripting (XSS) vulnerability in the theme_adium_append_message function in empathy-theme-adium.c in the Adium theme in libempathy-gtk in Empathy 3.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted alias (aka nickname) in a /me event, a different vulnerability than CVE-2011-3635.

Upstream bug report:
[1] https://bugzilla.gnome.org/show_bug.cgi?id=662035

Original mention of the deficiency:
[2] https://bugzilla.gnome.org/show_bug.cgi?id=662035#c13

Relevant upstream patch:
[3] http://git.gnome.org/browse/empathy/commit/?id=15a4eec2f156c4f60398a9d842279203f475ed89
Comment 1 Jan Lieskovsky 2011-10-24 12:28:16 UTC 
This issue affects the versions of the empathy package, as shipped with Fedora release of 14 and 15. Please schedule an update.
Comment 2 Jan Lieskovsky 2011-10-24 12:31:05 UTC 
Created empathy tracking bugs for this issue

Affects: fedora-all [bug 747737]