Hello community, here is the log from the commit of package empathy for openSUSE:11.3 checked in at Fri Oct 28 13:33:59 CEST 2011. -------- --- old-versions/11.3/all/empathy/empathy.changes 2010-06-04 16:38:44.000000000 +0200 +++ 11.3/empathy/empathy.changes 2011-10-28 10:38:20.000000000 +0200 @@ -1,0 +2,6 @@ +Fri Oct 28 08:37:02 UTC 2011 - dimstar@opensuse.org + +- Add empathy-cve-2011-3635.patch: escape aliased before displaying + it in theme_adium_append_message. CVE-2011-3635, bnc#727003. + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/empathy Destination is old-versions/11.3/UPDATES/all/empathy calling whatdependson for 11.3-i586 New: ---- empathy-cve-2011-3635.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ empathy.spec ++++++ --- /var/tmp/diff_new_pack.5F1EYp/_old 2011-10-28 13:33:07.000000000 +0200 +++ /var/tmp/diff_new_pack.5F1EYp/_new 2011-10-28 13:33:07.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package empathy (Version 2.30.1) +# spec file for package empathy # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,7 +21,7 @@ Name: empathy Url: http://live.gnome.org/Empathy Version: 2.30.1 -Release: 2 +Release: 3.<RELEASE2> # FIXME: 2.29.3 fails a parallel build, but a newer tarball should work since the bug got fixed in gnome-doc-utils License: GPLv2+ Summary: Instant Messenger Client for GNOME, based on Telepathy 
@@ -30,6 +30,8 @@ Source99: %{name}-rpmlintrc # PATCH-FIX-UPSTREAM empathy-clutter-gtk-0.90.patch vuntz@opensuse.org -- Use clutter-gtk-0.90, will be fixed upstream once upstream does the switch too Patch0: empathy-clutter-gtk-0.90.patch +# PATCH-FIX-UPSTREAM empathy-cve-2011-3635.patch bnc#727003 bgo#662035 cve-2011-3635 dimstar@opensuse.org -- theme_adium_append_message: escape alias before displaying it. +Patch1: empathy-cve-2011-3635.patch BuildRequires: NetworkManager-devel BuildRequires: enchant-devel BuildRequires: evolution-data-server-devel @@ -93,6 +95,7 @@ %setup -q translation-update-upstream %patch0 -p1 +%patch1 -p1 %build %configure --disable-static \ ++++++ empathy-cve-2011-3635.patch ++++++ Index: empathy-2.30.1/libempathy-gtk/empathy-theme-adium.c =================================================================== --- empathy-2.30.1.orig/libempathy-gtk/empathy-theme-adium.c +++ empathy-2.30.1/libempathy-gtk/empathy-theme-adium.c @@ -431,7 +431,7 @@ theme_adium_append_message (EmpathyChatV EmpathyThemeAdiumPriv *priv = GET_PRIV (theme); EmpathyContact *sender; TpAccount *account; - gchar *body_escaped; + gchar *body_escaped, *name_escaped; const gchar *body; const gchar *name; const gchar *contact_id; @@ -594,8 +594,10 @@ theme_adium_append_message (EmpathyChatV } if (html != NULL) { + name_escaped = g_markup_escape_text (name, -1); + theme_adium_append_html (theme, func, html, len, body_escaped, - avatar_filename, name, contact_id, + avatar_filename, name_escaped, contact_id, service_name, message_classes->str, timestamp); } else { @@ -611,6 +613,7 @@ theme_adium_append_message (EmpathyChatV priv->last_is_backlog = is_backlog; g_free (body_escaped); + g_free (name_escaped); g_string_free (message_classes, TRUE); } continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
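Review bot: the new empathy.changes entry (hunk @@ -1,0 +2,6) reads "escape aliased before displaying it", while the PATCH-FIX-UPSTREAM comment in empathy.spec says "escape alias before displaying it". The changelog wording should be "escape alias" so that both descriptions of the fix agree.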
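Review bot: name_escaped is declared without an initializer in the @@ -431 hunk of empathy-theme-adium.c and is assigned only inside the "if (html != NULL)" branch, yet the @@ -611 hunk passes it to g_free () unconditionally, so whenever html is NULL an uninitialized pointer is freed. Declare it as "gchar *body_escaped, *name_escaped = NULL;" (g_free () accepts NULL), or move the g_free (name_escaped) into the if branch directly after the theme_adium_append_html call.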
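Review bot: in the theme_adium_append_html call of the @@ -594 hunk only name is replaced by an escaped copy; contact_id and service_name are still passed into the same call unchanged. If either of them can carry text chosen by the remote side, it needs the same g_markup_escape_text treatment as name; if they cannot, a one-line comment next to the call saying why would keep the next reader from having to re-derive it.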