Bug 336916 (CVE-2010-3088) - x11-plugins/pidgin-knotify: Remote command injection (CVE-2010-3088)
Summary: x11-plugins/pidgin-knotify: Remote command injection (CVE-2010-3088)
Status: RESOLVED FIXED
Alias: CVE-2010-3088
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://code.google.com/p/pidgin-knotify/
Whiteboard: B1 [glsa]
Reported: 2010-09-12 14:24 UTC by Matthias Petschick
Modified: 2014-02-26 14:32 UTC
Description Matthias Petschick 2010-09-12 14:24:22 UTC
pidgin-knotify is a pidgin plugin that displays received messages and other notices from pidgin as KDE notifications. It uses system() to invoke kdialog and passes the unescaped messages as command line arguments. An attacker could use this to inject arbitrary commands by sending a prepared message via any protocol supported by pidgin to the victim.

Reproducible: Always

Steps to Reproduce:
1. Install and enable pidgin-knotify
2. Receive a message like ';touch /tmp/vulnerable;'
3. Confirm that /tmp/vulnerable exists

Actual Results:  
/tmp/vulnerable exists

Expected Results:  
The touch command should not be run.

The vulnerable system() call is located in src/pidgin-knotify.c, line 71-74:

command = g_strdup_printf("kdialog --title '%s' --passivepopup '%s' %d", title, body, timeout);
[...]
result = system(command);

Instead of using system(), functions of the exec family should be used, e.g. execve with a sanitized environment. If a dbus interface for showing notifications in KDE exists, it could be used as well.

The author of pidgin-knotify was contacted 8 days ago (on 04/09/10) through the email address specified on the Google Code project and again 3 days later through the address in the source file header; however, he neither responded nor fixed the code in the repository.
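As an added defensive example (not part of the bug report and not pidgin-knotify's code), the same kdialog invocation built as an argument vector and launched with fork/execvp instead of system(): title and body each become one argv element, so the ';touch /tmp/vulnerable;' message from the reproduction steps is displayed as text rather than executed. The struct and function names are hypothetical, and the environment sanitization mentioned above is not shown.

```c
#define _POSIX_C_SOURCE 200809L   /* fork, execvp, waitpid */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* One kdialog call; argv points into the caller's strings and timeout_str. */
struct kdialog_cmd {
    char timeout_str[16];
    char *argv[7];                     /* 6 arguments + NULL terminator */
};

/* Hypothetical helper (not pidgin-knotify's code): title and body each
 * become exactly one argv element, so no shell ever parses them. */
void build_kdialog_argv(struct kdialog_cmd *cmd, char *title, char *body, int timeout)
{
    snprintf(cmd->timeout_str, sizeof cmd->timeout_str, "%d", timeout);
    cmd->argv[0] = "kdialog";
    cmd->argv[1] = "--title";
    cmd->argv[2] = title;              /* verbatim, no quoting needed */
    cmd->argv[3] = "--passivepopup";
    cmd->argv[4] = body;               /* ';touch /tmp/x;' stays literal text */
    cmd->argv[5] = cmd->timeout_str;
    cmd->argv[6] = NULL;
}

/* fork + execvp replaces system(): there is no "/bin/sh -c", so the arguments
 * are never re-parsed. Returns the child's exit status, or -1 on failure. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                    /* exec failed in the child */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char body[] = "';touch /tmp/vulnerable;'";   /* constructed: the report's test message */
    struct kdialog_cmd cmd;
    build_kdialog_argv(&cmd, "Pidgin", body, 5);
    int rc = run_argv(cmd.argv);       /* shows the text; runs no touch */
    return rc == 0 ? 0 : 1;
}
```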
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-09-12 22:25:04 UTC
Thank you for the report. We have just confirmed this issue. The package has been masked and will be removed in 30 days if upstream hasn't replied by then.

Comment 2 John J. Aylward 2010-09-13 19:53:33 UTC
I opened an upstream bug and someone posted a patch:
http://code.google.com/p/pidgin-knotify/issues/detail?id=1
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-13 20:07:12 UTC
(In reply to comment #2)
> I opened an upstream bug and someone posted a patch:
> http://code.google.com/p/pidgin-knotify/issues/detail?id=1
> 

We will not apply this patch, as it is merely a workaround. It is very likely broken (implicit declaration of php_mblen, I didn't even look further). Besides, it incorporates code licensed under the terms of the PHP license into GPL-2 code. These two licenses are not compatible.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-13 20:29:17 UTC
CVE-2010-3088 was assigned to this issue.
Comment 5 Dror Levin (RETIRED) gentoo-dev 2010-09-13 21:07:49 UTC
I've written a patch some time ago to remove system() and instead use dbus, and upstream has given me access to the repository so I was planning to release a new version with that when RL shit happened and all my free time went to hell. I hope I can get to it this week.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-11 03:46:44 UTC
Any news on this one?
Comment 7 Tomáš Chvátal (RETIRED) gentoo-dev 2010-10-18 12:00:29 UTC
Removed from main tree.
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2011-02-14 22:45:41 UTC
Nothing to do for kde here anymore.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:20:19 UTC
CVE-2010-3088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3088):
  The notify function in pidgin-knotify.c in the pidgin-knotify plugin 0.2.1
  and earlier for Pidgin allows remote attackers to execute arbitrary commands
  via shell metacharacters in a message.
Comment 10 John J. Aylward 2012-09-13 00:37:50 UTC
Since this was removed from the tree, this bug should probably just be marked closed, correct?
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-22 19:01:43 UTC
Thanks, everyone.

GLSA draft is ready for review.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-02-26 14:32:27 UTC
This issue was resolved and addressed in
 GLSA 201402-27 at http://security.gentoo.org/glsa/glsa-201402-27.xml
by GLSA coordinator Sergey Popov (pinkbyte).