Command injection through URL in Pidgin

Ethan Blanton elb at pidgin.im
Sun Jun 9 15:16:34 EDT 2013


John Houwer spake unto us the following wisdom:
> the files in
> http://gentoo.mneisen.org/distfiles/xdg-utils-1.1.0_rc1_p20120916.tar.xz are
> on my system, this seems to be a gentoo specific issue. It works with
> the package and git (HEAD) from freedesktop.org

Thank you for checking.

> There are bug-reports for this issue but they don't address the security
> implications. I will raise the issue there too.
> 
> https://bugs.gentoo.org/show_bug.cgi?id=447662

In the future, you might want to take such issues to the gentoo
equivalent of this security@ list; gentoo users are vulnerable to
exploitation from that bug.

I think we have resolved that this is not a security issue from the
Pidgin side, but that there are some helpful changes we can make to
our URL-handling code to make it less likely that such bugs will
affect others in the future.  Unless anyone has any objections, I
suggest that we go ahead and make those changes (move to g_sync_spawn
or equivalent, URL-encode URL characters other than a shell safelist
similar to [A-Za-z0-9_:/.,+-]), but that they are not put on a fast
track or embargoed.  Thoughts?

Ethan
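The allowlist encoding proposed in the message above, written out as an added example; this is not Pidgin's code and not the change that was eventually committed. It percent-encodes every byte of a URL that is not in `[A-Za-z0-9_:/.,+-]`, so that if a URL handler further down the chain does pass the string through a shell (as in the xdg-open bug discussed), the shell metacharacters are inert. The hostile URL in `main` is constructed for the demonstration; the assumption that "g_sync_spawn" refers to GLib's argv-based `g_spawn_sync` is mine.

```c
/*
 * Added example (not Pidgin's code): percent-encode every byte of a URL
 * that is outside the shell-safe allowlist [A-Za-z0-9_:/.,+-] proposed
 * on the list, so the result cannot break out of a quoted shell argument
 * if a URL handler ends up running it through sh -c / system().
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allowlist from the message: ASCII letters, digits and _ : / . , + - */
static int shell_safe(unsigned char c)
{
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
        (c >= '0' && c <= '9'))
        return 1;
    /* c != '\0' guards strchr() matching the terminator of the literal */
    return c != '\0' && strchr("_:/.,+-", c) != NULL;
}

/*
 * Returns a newly malloc'd string with every non-allowlisted byte
 * replaced by %XX (uppercase hex). Caller frees. NULL on allocation
 * failure. Note that '%' itself is not in the allowlist, so an already
 * percent-encoded URL is encoded a second time.
 */
char *url_shell_encode(const char *url)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = strlen(url);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte -> %XX */
    if (!out)
        return NULL;

    char *p = out;
    for (const unsigned char *s = (const unsigned char *)url; *s; s++) {
        if (shell_safe(*s)) {
            *p++ = (char)*s;
        } else {
            *p++ = '%';
            *p++ = hex[*s >> 4];
            *p++ = hex[*s & 0x0F];
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed hostile URL: a handler doing sh -c "xdg-open $URL"
       would execute id and touch if this reached it unencoded. */
    const char *hostile = "http://example.com/x;$(id)`touch /tmp/pwned`&";
    char *safe = url_shell_encode(hostile);
    if (!safe)
        return 1;
    printf("original: %s\nencoded:  %s\n", hostile, safe);
    free(safe);
    return 0;
}
```

Two caveats a practitioner would want. First, the allowlist in the message excludes `?`, `=`, `&`, `#`, `%` and `~`, all of which are legitimate in URLs; encoding them changes what the browser receives (a query string becomes part of the path, and percent-encoded URLs are double-encoded), so the set needs widening for those characters unless the spawn path quotes the argument anyway. Second, this encoding is defence in depth, not the primary fix: spawning the handler with an argv vector (GLib's `g_spawn_sync`/`g_spawn_async`, or `execvp`) means no shell ever parses the URL on Pidgin's side, and the encoding only protects against a handler such as the broken xdg-open that reintroduces a shell of its own.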
