MSN arbitrary file upload vulnerability
paul at darkrain42.org
Sat Jan 2 16:57:06 EST 2010
And Paul Aurich spoke on 12/30/2009 08:55 PM, saying:
> The MSN prpl contains a vulnerability in the custom emoticon code that
> allows a third-party to retrieve an arbitrary file on the target's computer
> while requiring no intervention from the . This was described in Fabian's
> talk at 26C3 , but the short version is that it's directory traversal
> issue due to insufficient validation (the attacker can inject ".." into the
> filename to retrieve).
> Mitigating factors: .purple/custom_smiley/ must exist.
> Vulnerable versions: Pidgin/libpurple 2.5.0 and newer.
> Elliott and Stu both have patches, though nothing has been committed yet.
> We need a CVE# for this issue, I suppose.
> There's also another possible crash in the MSN prpl when chatting with a
> buddy using Trillian for the iPod Touch/iPhone, reported on the Adium issue
> tracker , which I just updated per Elliott's request to see a debug log.
> Happy New Years nonetheless,
>  http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html (the
> slides contain good details)
>  http://trac.adium.im/ticket/13620
A patch for the file upload vulnerability can be found in 4be2df4f,
3d02401c, and c64a1adc [1, 2, & 3]. The fix itself is in , but depends
on the first two to apply properly (and clean up memory correctly).
As a note, when backporting the patch to anything older than 2.6.0, the use
of purple_strequal will need to be changed.
I just requested a CVE.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 900 bytes
Desc: OpenPGP digital signature
More information about the Packagers