Summary: <net-im/pidgin-2.6.5: msn arbitrary file retrieval (CVE-2010-0013)
Product: Gentoo Security
Reporter: cnu <bshalm>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Package list:
Runtime testing required: ---
Description cnu 2010-01-05 13:21:55 UTC
http://seclists.org/oss-sec/2010/q1/0
http://xorl.wordpress.com/2010/01/01/pidgin-msn-slp-emoticon-directory-traversal/

Seems like people can steal my files or something..oh noes.

Reproducible: Always
Comment 1 Stefan Behte (RETIRED) 2010-01-06 18:35:26 UTC
2.6.4 does not have the fix, there is no new release yet. Patch in $URL, please provide a patched ebuild.
Comment 2 Mr. B 2010-01-09 13:24:48 UTC
2.6.5 was released yesterday with a fix - might be an idea to bump pronto.
Comment 3 Olivier Crete (RETIRED) 2010-01-10 06:44:24 UTC
Version 2.6.5 fixes the problem, please stabilize
Comment 4 Christian Faulhammer (RETIRED) 2010-01-10 11:54:37 UTC
Comment 5 Jeroen Roovers (RETIRED) 2010-01-12 18:04:23 UTC
Stable for HPPA.
Comment 6 Peter Volkov (RETIRED) 2010-01-13 10:48:55 UTC
BTW, note that 2.6.5 seems to have a regression: http://developer.pidgin.im/ticket/11142
Comment 7 Tobias Klausmann 2010-01-16 10:58:39 UTC
Stable on alpha.
Comment 8 Peter Volkov (RETIRED) 2010-01-19 08:24:16 UTC
(In reply to comment #6)
> BTW, note that 2.6.5 seems to have a regression:
> http://developer.pidgin.im/ticket/11142

Well, actually this was not a regression; it had something to do with changes on the ICQ servers. Currently it looks like the changes were reverted and everything should just work.
Comment 9 nixnut (RETIRED) 2010-01-19 18:11:10 UTC
Comment 10 Markus Meier 2010-02-03 20:29:14 UTC
amd64 stable, all arches done.
Comment 11 Stefan Behte (RETIRED) 2010-02-06 15:57:21 UTC
GLSA vote: yes.
Comment 12 Tobias Heinlein (RETIRED) 2010-02-18 21:45:13 UTC
YES too, request filed.
Comment 13 Tobias Heinlein (RETIRED) 2010-02-28 22:11:40 UTC
CVE-2010-0013 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0013): Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.
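The CVE text above names two conditions: a `..` in the requested emoticon name, and a request being honoured without a prior announcement. The following is an added sketch of both checks, not libpurple's code or the 2.6.5 fix; all function names, sizes and sample file names are hypothetical.

```c
/* Added example; names and sizes are hypothetical, not libpurple code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_ANNOUNCED 8
#define NAME_MAX_LEN 64

/* Emoticons this client announced to the peer in the current conversation. */
struct announced_set {
    char names[MAX_ANNOUNCED][NAME_MAX_LEN];
    size_t count;
};

/* Accept only a single path component: non-empty, bounded in length,
 * not "." or "..", and free of '/' and '\\' separators. */
static bool is_plain_filename(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len >= NAME_MAX_LEN ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    return strpbrk(name, "/\\") == NULL;
}

/* Record a name when it is announced; unsafe names are never recorded. */
bool announce_emoticon(struct announced_set *set, const char *name)
{
    if (!is_plain_filename(name) || set->count == MAX_ANNOUNCED)
        return false;
    strcpy(set->names[set->count++], name); /* length checked above */
    return true;
}

/* Serve a download request only for a plain name that was announced first. */
bool may_serve_request(const struct announced_set *set, const char *requested)
{
    if (!is_plain_filename(requested))
        return false;
    for (size_t i = 0; i < set->count; i++)
        if (strcmp(set->names[i], requested) == 0)
            return true;
    return false;
}

int main(void)
{
    struct announced_set set = { .count = 0 };
    announce_emoticon(&set, "smile.png"); /* constructed sample names */
    printf("%d %d\n", may_serve_request(&set, "smile.png"),
           may_serve_request(&set, "../../notes.txt"));
    return 0;
}
```

The allow-list check alone would already refuse the traversal request, since a name that was never announced never matches; the filename check is kept as a second, independent barrier.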
Comment 14 GLSAMaker/CVETool Bot 2012-06-21 18:29:00 UTC
This issue was resolved and addressed in GLSA 201206-11 at http://security.gentoo.org/glsa/glsa-201206-11.xml by GLSA coordinator Stefan Behte (craig).