Hello community, here is the log from the commit of package empathy for openSUSE:11.4 checked in at Fri Oct 28 13:56:34 CEST 2011. -------- --- old-versions/11.4/all/empathy/empathy.changes 2011-02-13 17:21:48.000000000 +0100 +++ 11.4/empathy/empathy.changes 2011-10-28 10:42:24.000000000 +0200 @@ -1,0 +2,6 @@ +Fri Oct 28 08:38:58 UTC 2011 - dimstar@opensuse.org + +- Add empathy-cve-2011-3635.patch: escape aliased before displaying + it in theme_adium_append_message. CVE-2011-3635, bnc#727003. + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/empathy Destination is old-versions/11.4/UPDATES/all/empathy calling whatdependson for 11.4-i586 New: ---- empathy-cve-2011-3635.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ empathy.spec ++++++ --- /var/tmp/diff_new_pack.DDOz71/_old 2011-10-28 13:34:10.000000000 +0200 +++ /var/tmp/diff_new_pack.DDOz71/_new 2011-10-28 13:34:10.000000000 +0200 @@ -19,13 +19,15 @@ Name: empathy Version: 2.32.2 -Release: 3 +Release: 7.<RELEASE8> License: GPLv2+ Summary: Instant Messenger Client for GNOME, based on Telepathy Url: http://live.gnome.org/Empathy Group: Productivity/Networking/Instant Messenger Source: %{name}-%{version}.tar.bz2 Source99: %{name}-rpmlintrc +# PATCH-FIX-UPSTREAM empathy-cve-2011-3635.patch bnc#727003 bgo#662035 cve-2011-3635 dimstar@opensuse.org -- theme_adium_append_message: escape alias before displaying it. +Patch0: empathy-cve-2011-3635.patch BuildRequires: NetworkManager-devel BuildRequires: enchant-devel BuildRequires: evolution-data-server-devel 
@@ -93,6 +95,7 @@ %prep %setup -q translation-update-upstream +%patch0 -p1 %build %configure --disable-static \ ++++++ empathy-cve-2011-3635.patch ++++++ Index: empathy-2.32.2/libempathy-gtk/empathy-theme-adium.c =================================================================== --- empathy-2.32.2.orig/libempathy-gtk/empathy-theme-adium.c +++ empathy-2.32.2/libempathy-gtk/empathy-theme-adium.c @@ -436,7 +436,7 @@ theme_adium_append_message (EmpathyChatV EmpathyThemeAdiumPriv *priv = GET_PRIV (theme); EmpathyContact *sender; TpAccount *account; - gchar *body_escaped; + gchar *body_escaped, *name_escaped; const gchar *body; const gchar *name; const gchar *contact_id; @@ -599,8 +599,10 @@ theme_adium_append_message (EmpathyChatV } if (html != NULL) { + name_escaped = g_markup_escape_text (name, -1); + theme_adium_append_html (theme, func, html, len, body_escaped, - avatar_filename, name, contact_id, + avatar_filename, name_escaped, contact_id, service_name, message_classes->str, timestamp, is_backlog); } else { @@ -616,6 +618,7 @@ theme_adium_append_message (EmpathyChatV priv->last_is_backlog = is_backlog; g_free (body_escaped); + g_free (name_escaped); g_string_free (message_classes, TRUE); } continue with "q"... Remember to have fun...
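Review bot: in empathy-cve-2011-3635.patch, `name_escaped` is declared without an initializer (`gchar *body_escaped, *name_escaped;`) and assigned only inside `if (html != NULL)` in the `@@ -599,8 +599,10 @@` hunk, yet the `@@ -616,6 +618,7 @@` hunk frees it unconditionally with `g_free (name_escaped);`. On the `else` path the free would be handed an indeterminate pointer. Either initialize it to NULL at the declaration (g_free accepts NULL) or move the `g_markup_escape_text (name, -1)` call above the `if` so the escaped alias is always set before the free.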
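Review bot: the new empathy.changes entry says "escape aliased before displaying it", while the PATCH-FIX-UPSTREAM comment added to empathy.spec says "escape alias before displaying it"; the changelog wording should read "alias". The spec comment also cites bgo#662035, which the changelog entry omits next to CVE-2011-3635 and bnc#727003; listing the same references in both places makes the fix easier to trace.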