MSN arbitrary file upload vulnerability

Paul Aurich paul at
Sat Jan 2 16:57:06 EST 2010

And Paul Aurich spoke on 12/30/2009 08:55 PM, saying:
> The MSN prpl contains a vulnerability in the custom emoticon code that
> allows a third-party to retrieve an arbitrary file on the target's computer
> while requiring no intervention from the .  This was described in Fabian's
> talk at 26C3 [1], but the short version is that it's a directory traversal
> issue due to insufficient validation (the attacker can inject ".." into the
> filename to retrieve).
> Mitigating factors: .purple/custom_smiley/ must exist.
> Vulnerable versions: Pidgin/libpurple 2.5.0 and newer.
> Elliott and Stu both have patches, though nothing has been committed yet.
> We need a CVE# for this issue, I suppose.
> There's also another possible crash in the MSN prpl when chatting with a
> buddy using Trillian for the iPod Touch/iPhone, reported on the Adium issue
> tracker [2], which I just updated per Elliott's request to see a debug log.
> Happy New Years nonetheless,
> ~Paul
> [1] (the
> slides contain good details)
> [2]

A patch for the file upload vulnerability can be found in 4be2df4f,
3d02401c, and c64a1adc [1, 2, & 3].  The fix itself is in [3], but depends
on the first two to apply properly (and clean up memory correctly).

As a note, when backporting the patch to anything older than 2.6.0, the use
of purple_strequal will need to be changed.

I just requested a CVE.
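
The directory traversal described in the quoted report, as an added example that is not part of the original message and is not the Pidgin patch itself: a lexical check showing why a name containing ".." escapes the directory it is joined to, next to a stricter single-component policy for peer-supplied names. The function names and the sample names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Lexical test: does relative path `rel` climb above the directory it is
 * joined to? '/' and '\\' both count as separators; absolute paths escape. */
int relpath_escapes(const char *rel)
{
    int depth = 0;
    if (*rel == '/' || *rel == '\\')
        return 1;
    while (*rel != '\0') {
        size_t len = strcspn(rel, "/\\");
        if (len == 2 && rel[0] == '.' && rel[1] == '.') {
            if (--depth < 0)
                return 1;          /* ".." went above the base directory */
        } else if (len > 0 && !(len == 1 && rel[0] == '.')) {
            depth++;               /* ordinary component descends one level */
        }
        rel += len;
        if (*rel != '\0')
            rel++;                 /* step over the separator */
    }
    return 0;
}

/* Stricter policy for a peer-supplied name: exactly one path component. */
int smiley_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    /* ':' is refused as well: drive prefixes and stream names on Windows */
    return name[strcspn(name, "/\\:")] == '\0';
}

int main(void)
{
    /* Constructed sample names, not taken from any real MSN traffic */
    const char *names[] = { "smile.png", "../../secret.txt", "a/../b.png", "..\\x" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s escapes=%d safe=%d\n", names[i],
               relpath_escapes(names[i]), smiley_name_is_safe(names[i]));
    return 0;
}
```

The lexical check alone does not account for symbolic links or drive-relative names, which is why the single-component policy is the one to apply to a name received from a peer.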


