MSN arbitrary file upload vulnerability

Warren Togami wtogami at redhat.com
Sun Jan 3 04:21:34 EST 2010


On 01/02/2010 04:57 PM, Paul Aurich wrote:
> And Paul Aurich spoke on 12/30/2009 08:55 PM, saying:
>> The MSN prpl contains a vulnerability in the custom emoticon code that
>> allows a third-party to retrieve an arbitrary file on the target's computer
>> while requiring no intervention from the .  This was described in Fabian's
>> talk at 26C3 [1], but the short version is that it's a directory traversal
>> issue due to insufficient validation (the attacker can inject ".." into the
>> filename to retrieve).
>>
>> Mitigating factors: .purple/custom_smiley/ must exist.
>> Vulnerable versions: Pidgin/libpurple 2.5.0 and newer.
>>
>> Elliott and Stu both have patches, though nothing has been committed yet.
>>
>> We need a CVE# for this issue, I suppose.
>>
>> There's also another possible crash in the MSN prpl when chatting with a
>> buddy using Trillian for the iPod Touch/iPhone, reported on the Adium issue
>> tracker [2], which I just updated per Elliott's request to see a debug log.
>>
>> Happy New Years nonetheless,
>> ~Paul
>>
>> [1] http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html (the
>> slides contain good details)
>> [2] http://trac.adium.im/ticket/13620
>>
>
> A patch for the file upload vulnerability can be found in 4be2df4f,
> 3d02401c, and c64a1adc [1, 2, & 3].  The fix itself is in [3], but depends
> on the first two to apply properly (and clean up memory correctly).
>
> As a note, when backporting the patch to anything older than 2.6.0, the use
> of purple_strequal will need to be changed.
>
> I just requested a CVE.
>
> ~Paul
>
> [1]
> http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f
> [2]
> http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467
> [3]
> http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810

After the CVE is assigned could we please release 2.6.5 with this 
security fix?

Warren
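
Added example, not part of the thread and not the Pidgin patches referenced above: one way to keep a peer-supplied emoticon file name from escaping the custom_smiley directory is to accept it only as a single path component and only when it matches a file the local user registered. The function names and the known_smileys list are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: file names the local user registered as custom smileys. */
static const char *const known_smileys[] = { "grin.png", "wave.gif" };

/* A peer-supplied name is acceptable only as a single path component. */
int name_is_single_component(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    /* Reject both separators so a backslash form is caught on Windows too. */
    return strpbrk(name, "/\\") == NULL;
}

/* Resolve a request to a path under base_dir; 0 on success, -1 if refused. */
int resolve_smiley(const char *base_dir, const char *requested,
                   char *out, size_t outlen)
{
    size_t i;
    int n;

    if (!name_is_single_component(requested))
        return -1;
    for (i = 0; i < sizeof known_smileys / sizeof known_smileys[0]; i++) {
        if (strcmp(requested, known_smileys[i]) != 0)
            continue;
        /* Build the path from the stored name, never from the peer's string. */
        n = snprintf(out, outlen, "%s/%s", base_dir, known_smileys[i]);
        return (n > 0 && (size_t)n < outlen) ? 0 : -1;
    }
    return -1; /* unknown name: nothing is opened */
}

int main(void)
{
    /* Constructed requests: one valid, three that must be refused. */
    const char *reqs[] = { "grin.png", "../outside.txt", "..", "other.png" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int ok = resolve_smiley(".purple/custom_smiley", reqs[i], path, sizeof path);
        printf("%-16s -> %s\n", reqs[i], ok == 0 ? path : "refused");
    }
    return 0;
}
```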


