Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 299751 (CVE-2010-0013)

Summary: <net-im/pidgin-2.6.5: msn arbitrary file retrieval (CVE-2010-0013)
Product: Gentoo Security Reporter: cnu <bshalm>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: net-im
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://developer.pidgin.im/viewmtn/revision/diff/3d02401cf232459fc80c0837d31e05fae7ae5467/with/c64a1adc8bda2b4aeaae1f273541afbc4f71b810/libpurple/protocols/msn/slp.c
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description cnu 2010-01-05 13:21:55 UTC 
http://seclists.org/oss-sec/2010/q1/0
http://xorl.wordpress.com/2010/01/01/pidgin-msn-slp-emoticon-directory-traversal/

Seems like people can steal my files or something..oh noes.

Reproducible: Always
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-06 18:35:26 UTC 
2.6.4 does not have the fix, there is no new release yet.
Patch in $URL, please provide a patched ebuild.
Comment 2 Mr. B 2010-01-09 13:24:48 UTC 
2.6.5 was released yesterday with a fix - might be an idea to bump pronto.
Comment 3 Olivier Crete (RETIRED) gentoo-dev 2010-01-10 06:44:24 UTC 
Version 2.6.5 fixes the problem, please stabilize
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-01-10 11:54:37 UTC 
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-01-12 18:04:23 UTC 
Stable for HPPA.
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2010-01-13 10:48:55 UTC 
BTW, note that 2.6.5 seems to have regression:
http://developer.pidgin.im/ticket/11142
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2010-01-16 10:58:39 UTC 
Stable on alpha.
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2010-01-19 08:24:16 UTC 
(In reply to comment #6)
> BTW, note that 2.6.5 seems to have regression:
> http://developer.pidgin.im/ticket/11142

Well, actually this was not regression and this had something to do with changes on ICQ servers. Currently it looks like changes were reverted and everything should just work.
Comment 9 nixnut (RETIRED) gentoo-dev 2010-01-19 18:11:10 UTC 
ppc stable
Comment 10 Markus Meier gentoo-dev 2010-02-03 20:29:14 UTC 
amd64 stable, all arches done.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:57:21 UTC 
GLSA vote: yes.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2010-02-18 21:45:13 UTC 
YES too, request filed.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2010-02-28 22:11:40 UTC 
CVE-2010-0013 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0013):
  Directory traversal vulnerability in slp.c in the MSN protocol plugin
  in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers
  to read arbitrary files via a .. (dot dot) in an
  application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a
  related issue to CVE-2004-0122.  NOTE: it could be argued that this
  is resultant from a vulnerability in which an emoticon download
  request is processed even without a preceding text/x-mms-emoticon
  message that announced availability of the emoticon.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 18:29:00 UTC 
This issue was resolved and addressed in
 GLSA 201206-11 at http://security.gentoo.org/glsa/glsa-201206-11.xml
by GLSA coordinator Stefan Behte (craig).