MSN arbitrary file upload vulnerability
wtogami at redhat.com
Sun Jan 3 04:21:34 EST 2010
On 01/02/2010 04:57 PM, Paul Aurich wrote:
> And Paul Aurich spoke on 12/30/2009 08:55 PM, saying:
>> The MSN prpl contains a vulnerability in the custom emoticon code that
>> allows a third-party to retrieve an arbitrary file on the target's computer
>> while requiring no intervention from the . This was described in Fabian's
>> talk at 26C3 , but the short version is that it's directory traversal
>> issue due to insufficient validation (the attacker can inject ".." into the
>> filename to retrieve).
>> Mitigating factors: .purple/custom_smiley/ must exist.
>> Vulnerable versions: Pidgin/libpurple 2.5.0 and newer.
>> Elliott and Stu both have patches, though nothing has been committed yet.
>> We need a CVE# for this issue, I suppose.
>> There's also another possible crash in the MSN prpl when chatting with a
>> buddy using Trillian for the iPod Touch/iPhone, reported on the Adium issue
>> tracker , which I just updated per Elliott's request to see a debug log.
>> Happy New Years nonetheless,
>>  http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html (the
>> slides contain good details)
>>  http://trac.adium.im/ticket/13620
> A patch for the file upload vulnerability can be found in 4be2df4f,
> 3d02401c, and c64a1adc [1, 2,& 3]. The fix itself is in , but depends
> on the first two to apply properly (and clean up memory correctly).
> As a note, when backporting the patch to anything older than 2.6.0, the use
> of purple_strequal will need to be changed.
> I just requested a CVE.
After the CVE is assigned could we please release 2.6.5 with this
More information about the Packagers