Summary: x11-plugins/pidgin-knotify: Remote command injection (CVE-2010-3088)
Product: Gentoo Security
Reporter: Matthias Petschick <razzle>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: alunduil, john, net-im, spatz, stefan.tell
Package list:
Runtime testing required: ---
Description Matthias Petschick 2010-09-12 14:24:22 UTC
pidgin-knotify is a pidgin plugin that displays received messages and other notices from pidgin as KDE notifications. It uses system() to invoke kdialog and passes the unescaped messages as command line arguments. An attacker could use this to inject arbitrary commands by sending a prepared message via any protocol supported by pidgin to the victim.

Reproducible: Always

Steps to Reproduce:
1. Install and enable pidgin-knotify
2. Receive a message like ';touch /tmp/vulnerable;'
3. Confirm that /tmp/vulnerable exists

Actual Results: /tmp/vulnerable exists

Expected Results: The touch command should not be run.

The vulnerable system() call is located in src/pidgin-knotify.c, lines 71-74:

    command = g_strdup_printf("kdialog --title '%s' --passivepopup '%s' %d", title, body, timeout);
    [...]
    result = system(command);

Instead of using system(), functions of the exec family should be used, e.g. execve with a sanitized environment. If a dbus interface for showing notifications in KDE exists, it could be used as well.

The author of pidgin-knotify was contacted 8 days ago (on 04/09/10) through the email address specified on the google code project and again 3 days later through the address in the source file header; however, he neither responded nor was the code fixed in the repository.
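The report above contrasts the vulnerable system() call with the exec-family replacement it recommends. The following is an added example written for this page, not code from pidgin-knotify, the upstream patch, or Gentoo: it shows the reported command-line shape next to an argument-vector version that passes the message to kdialog as a single argv entry via fork/execvp, so no shell ever parses it. The kdialog option layout (--title, --passivepopup, timeout) is taken from the command line quoted in the report; the function names, the buffer sizes and the sample message are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Shape of the reported bug: the untrusted message body is interpolated into
 * a shell command line, so any metacharacters it contains are interpreted by
 * /bin/sh when system() runs the string. Kept only to show the shape; this
 * example never hands the result to system(). Caller frees the result. */
char *vulnerable_command(const char *title, const char *body, int timeout) {
    size_t n = strlen(title) + strlen(body) + 64;
    char *cmd = malloc(n);
    if (!cmd) return NULL;
    snprintf(cmd, n, "kdialog --title '%s' --passivepopup '%s' %d",
             title, body, timeout);
    return cmd;
}

/* Hardened form: build an argument vector instead of a command string.
 * Each string becomes exactly one argv element, so ';', quotes, '$(...)'
 * and friends in the message are plain bytes to the child process.
 * timeout_buf must outlive argv; returns argc or -1 on error. */
#define KDIALOG_ARGC 6
int build_kdialog_argv(const char *title, const char *body, int timeout,
                       char *timeout_buf, size_t timeout_len,
                       const char *argv[KDIALOG_ARGC + 1]) {
    if (snprintf(timeout_buf, timeout_len, "%d", timeout) >= (int)timeout_len)
        return -1;
    argv[0] = "kdialog";
    argv[1] = "--title";
    argv[2] = title;
    argv[3] = "--passivepopup";
    argv[4] = body;        /* untrusted text, but a single argument */
    argv[5] = timeout_buf;
    argv[6] = NULL;
    return KDIALOG_ARGC;
}

/* fork + execvp with the vector; no shell is involved. Returns the child's
 * exit status, 127 if the program could not be executed, -1 on error. */
int spawn_argv(const char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample: the message from the report's reproduction steps. */
    const char *body = "';touch /tmp/vulnerable;'";
    const char *argv[KDIALOG_ARGC + 1];
    char tbuf[16];

    if (build_kdialog_argv("Pidgin", body, 5000, tbuf, sizeof tbuf, argv) < 0)
        return 1;
    int rc = spawn_argv(argv);
    printf("kdialog exit status: %d (127 means kdialog is not installed)\n", rc);
    return 0;
}
```

Passing the text as its own argv element removes the shell from the path entirely, which is the property the report asks for; sanitizing the environment before execve, as the report also suggests, is a separate step not shown here. One caveat remains even with an argument vector: a message that begins with "-" is still seen by kdialog as a possible option, so the receiving program's own argument parsing has to be considered when choosing where untrusted text is placed.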
Comment 1 Tobias Heinlein (RETIRED) 2010-09-12 22:25:04 UTC
Thank you for the report. We have just confirmed this issue. The package has been masked and will be removed in 30 days if upstream hasn't replied by then.
Comment 2 John J. Aylward 2010-09-13 19:53:33 UTC
I opened an upstream bug and someone posted a patch: http://code.google.com/p/pidgin-knotify/issues/detail?id=1
Comment 3 Alex Legler (RETIRED) 2010-09-13 20:07:12 UTC
(In reply to comment #2)
> I opened an upstream bug and someone posted a patch:
> http://code.google.com/p/pidgin-knotify/issues/detail?id=1

We will not apply this patch, as it is merely a workaround. It is very likely broken (implicit declaration of php_mblen, I didn't even look further). Besides, it incorporates code licensed under the terms of the PHP license into GPL-2 code. These two licenses are not compatible.
Comment 4 Alex Legler (RETIRED) 2010-09-13 20:29:17 UTC
CVE-2010-3088 was assigned to this issue.
Comment 5 Dror Levin (RETIRED) 2010-09-13 21:07:49 UTC
I've written a patch some time ago to remove system() and instead use dbus, and upstream has given me access to the repository so I was planning to release a new version with that when RL shit happened and all my free time went to hell. I hope I can get to it this week.
Comment 6 Stefan Behte (RETIRED) 2010-10-11 03:46:44 UTC
Any news on this one?
Comment 7 Tomáš Chvátal (RETIRED) 2010-10-18 12:00:29 UTC
Removed from main tree.
Comment 8 Andreas K. Hüttel 2011-02-14 22:45:41 UTC
Nothing to do for kde here anymore.
Comment 9 GLSAMaker/CVETool Bot 2011-06-24 00:20:19 UTC
CVE-2010-3088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3088): The notify function in pidgin-knotify.c in the pidgin-knotify plugin 0.2.1 and earlier for Pidgin allows remote attackers to execute arbitrary commands via shell metacharacters in a message.
Comment 10 John J. Aylward 2012-09-13 00:37:50 UTC
Since this was removed from the tree, this bug should probably just be marked closed, correct?
Comment 11 Sean Amoss (RETIRED) 2012-09-22 19:01:43 UTC
Thanks, everyone. GLSA draft is ready for review.
Comment 12 GLSAMaker/CVETool Bot 2014-02-26 14:32:27 UTC
This issue was resolved and addressed in GLSA 201402-27 at http://security.gentoo.org/glsa/glsa-201402-27.xml by GLSA coordinator Sergey Popov (pinkbyte).