Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 336916 (CVE-2010-3088)

Summary: x11-plugins/pidgin-knotify: Remote command injection (CVE-2010-3088)
Product: Gentoo Security Reporter: Matthias Petschick <razzle>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: major CC: alunduil, john, net-im, spatz, stefan.tell
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Matthias Petschick 2010-09-12 14:24:22 UTC
pidgin-knotify is a pidgin plugin that displays received messages and other notices from pidgin as KDE notifications. It uses system() to invoke ktdialog and passes the unescaped messages as command line arguments. An attacker could use this to inject arbitrary commands by sending a prepared message via any protocol supported by pidgin to the victim.

Reproducible: Always

Steps to Reproduce:
1. Install and enable pidgin-knotify
2. Receive a message like ';touch /tmp/vulnerable;'
3. Confirm that /tmp/vulnerable exists

Actual Results:  
/tmp/vulnerable exists

Expected Results:  
The touch command should not be run.

The vulnerable system() call is located in src/pidgin-knotify.c, line 71-74:

command = g_strdup_printf("kdialog --title '%s' --passivepopup '%s' %d", title, body, timeout);                                        
result = system(command);

Instead of using system(), functions of the exec family should be used, e.g. execve with a sanitized environment. If a dbus interface for showing notifications in KDE exists, it could be used as well.

The author of pidgin-knotify was contacted 8 days ago (on 04/09/10) through the email address specified on the google code project and again 3 days later through the address in the source file header, however he did neither respond nor was the code fixed in the repository.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-09-12 22:25:04 UTC
Thank you for the report. We have just confirmed this issue. The package has been masked and will be removed in 30 days if upstream hasn't replied until then.

Comment 2 John J. Aylward 2010-09-13 19:53:33 UTC
I opened an upstream bug and someone posted a patch:
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-09-13 20:07:12 UTC
(In reply to comment #2)
> I opened an upstream bug and someone posted a patch:

We will not apply this patch, as it merely is a workaround. It is very likely broken (implicit declaration of php_mblen, I didn't even look further). Besides it incorporates code licensed under the terms of the PHP license into GPL-2 code. These two licenses are not compatible.
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-09-13 20:29:17 UTC
CVE-2010-3088 was assigned to this issue.
Comment 5 Dror Levin (RETIRED) gentoo-dev 2010-09-13 21:07:49 UTC
I've written a patch some time ago to remove system() and instead use dbus, and upstream has given me access to the repository so I was planning to release a new version with that when RL shit happened and all my free time went to hell. I hope I can get to it this week.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-11 03:46:44 UTC
Any news on this one?
Comment 7 Tomáš Chvátal (RETIRED) gentoo-dev 2010-10-18 12:00:29 UTC
Removed from main tree.
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2011-02-14 22:45:41 UTC
Nothing to do for kde here anymore.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:20:19 UTC
CVE-2010-3088 (
  The notify function in pidgin-knotify.c in the pidgin-knotify plugin 0.2.1
  and earlier for Pidgin allows remote attackers to execute arbitrary commands
  via shell metacharacters in a message.
Comment 10 John J. Aylward 2012-09-13 00:37:50 UTC
since this was removed from the tree, this bug should probably just be marked closed correct?
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-22 19:01:43 UTC
Thanks, everyone.

GLSA draft is ready for review.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-02-26 14:32:27 UTC
This issue was resolved and addressed in
 GLSA 201402-27 at
by GLSA coordinator Sergey Popov (pinkbyte).