MSN arbitrary file upload vulnerability

Warren Togami wtogami at redhat.com
Thu Jan 7 10:17:00 EST 2010


On 01/03/2010 04:21 AM, Warren Togami wrote:
> On 01/02/2010 04:57 PM, Paul Aurich wrote:
>> And Paul Aurich spoke on 12/30/2009 08:55 PM, saying:
>>> The MSN prpl contains a vulnerability in the custom emoticon code that
>>> allows a third-party to retrieve an arbitrary file on the target's computer
>>> while requiring no intervention from the . This was described in Fabian's
>>> talk at 26C3 [1], but the short version is that it's a directory traversal
>>> issue due to insufficient validation (the attacker can inject ".." into the
>>> filename to retrieve).
>>>
>>> Mitigating factors: .purple/custom_smiley/ must exist.
>>> Vulnerable versions: Pidgin/libpurple 2.5.0 and newer.
>>>
>>> Elliott and Stu both have patches, though nothing has been committed yet.
>>>
>>> We need a CVE# for this issue, I suppose.
>>>
>>> There's also another possible crash in the MSN prpl when chatting with a
>>> buddy using Trillian for the iPod Touch/iPhone, reported on the Adium issue
>>> tracker [2], which I just updated per Elliott's request to see a debug log.
>>>
>>> Happy New Years nonetheless,
>>> ~Paul
>>>
>>> [1] http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html (the
>>> slides contain good details)
>>> [2] http://trac.adium.im/ticket/13620
>>>
>>
>> A patch for the file upload vulnerability can be found in 4be2df4f,
>> 3d02401c, and c64a1adc [1, 2, & 3]. The fix itself is in [3], but depends
>> on the first two to apply properly (and clean up memory correctly).
>>
>> As a note, when backporting the patch to anything older than 2.6.0, the use
>> of purple_strequal will need to be changed.
>>
>> I just requested a CVE.
>>
>> ~Paul
>>
>> [1] http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f
>> [2] http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467
>> [3] http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810
>>
>
> After the CVE is assigned could we please release 2.6.5 with this
> security fix?
>
> Warren

CVE-2010-0013

I'm told to use this number.

Warren
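
Added example, not part of this thread and not the Pidgin patch in the revisions cited above: a minimal C sketch of the kind of validation whose absence the quoted report describes, accepting a peer-supplied emoticon file name only when it is a single path component. The function names, the base directory string and the sample names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: accept a peer-supplied emoticon name only if it is a
 * single path component, so it cannot escape the custom_smiley directory. */
bool smiley_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    /* "." and ".." are directory references, never file names. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    /* Any separator ('/' everywhere, '\\' and ':' on Windows) would let the
     * name address something outside the base directory. */
    return strpbrk(name, "/\\:") == NULL;
}

/* Hypothetical helper: join base and name into out. Fails on an unsafe name
 * or when the result would be truncated. */
bool smiley_build_path(const char *base, const char *name,
                       char *out, size_t outlen)
{
    int n;

    if (!smiley_name_is_safe(name))
        return false;
    n = snprintf(out, outlen, "%s/%s", base, name);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed sample names, not taken from the thread. */
    const char *samples[] = { "cat.png", "a..b.png", "..", "../prefs.xml",
                              "sub/cat.png", "..\\prefs.xml" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (smiley_build_path("custom_smiley", samples[i], path, sizeof path))
            printf("accept %-14s -> %s\n", samples[i], path);
        else
            printf("reject %s\n", samples[i]);
    }
    return 0;
}
```

A name-only check does not cover symbolic links already present inside the base directory; resolving the final path and comparing it against the resolved base is a separate step.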


