MSN arbitrary file upload vulnerability

Paul Aurich paul at
Wed Dec 30 23:55:58 EST 2009

The MSN prpl contains a vulnerability in the custom emoticon code that
allows a third-party to retrieve an arbitrary file on the target's computer
while requiring no intervention from the .  This was described in Fabian's
talk at 26C3 [1], but the short version is that it's directory traversal
issue due to insufficient validation (the attacker can inject ".." into the
filename to retrieve).

Mitigating factors: .purple/custom_smiley/ must exist.
Vulnerable versions: Pidgin/libpurple 2.5.0 and newer.

Elliott and Stu both have patches, though nothing has been committed yet.

We need a CVE# for this issue, I suppose.

There's also another possible crash in the MSN prpl when chatting with a
buddy using Trillian for the iPod Touch/iPhone, reported on the Adium issue
tracker [2], which I just updated per Elliott's request to see a debug log.

Happy New Years nonetheless,

[1] (the
slides contain good details)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Packagers mailing list