Seems like people can steal my files or something..oh noes.
2.6.4 does not have the fix, there is no new release yet.
Patch in $URL, please provide a patched ebuild.
2.6.5 was released yesterday with a fix - might be an idea to bump pronto.
Version 2.6.5 fixes the problem, please stabilize
Stable for HPPA.
BTW, note that 2.6.5 seems to have a regression:
Stable on alpha.
(In reply to comment #6)
> BTW, note that 2.6.5 seems to have a regression:
Well, actually this was not a regression; it had something to do with changes on the ICQ servers. Currently it looks like the changes were reverted and everything should just work.
amd64 stable, all arches done.
GLSA vote: yes.
YES too, request filed.
Directory traversal vulnerability in slp.c in the MSN protocol plugin
in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers
to read arbitrary files via a .. (dot dot) in an
application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a
related issue to CVE-2004-0122. NOTE: it could be argued that this
is resultant from a vulnerability in which an emoticon download
request is processed even without a preceding text/x-mms-emoticon
message that announced availability of the emoticon.
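The CVE text above names two conditions: a `..` in the requested emoticon, and a request served without a prior announcement. The following C example is added here for illustration and is not code from this bug thread or from libpurple; it checks both before a path is built. It assumes the request identifies the emoticon by a file name, and all function names and sample names are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: emoticons this client announced to the peer. */
static const char *const SAMPLE_ANNOUNCED[] = { "smile.png", "wave.gif" };
#define SAMPLE_COUNT (sizeof SAMPLE_ANNOUNCED / sizeof SAMPLE_ANNOUNCED[0])

/* Hypothetical helper: 1 if name is a single, safe path component. */
static int is_plain_filename(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    /* A separator would let the peer choose the directory. */
    return strchr(name, '/') == NULL && strchr(name, '\\') == NULL;
}

/* Hypothetical policy: serve only names that were announced earlier. */
int smiley_request_allowed(const char *requested,
                           const char *const announced[], size_t count)
{
    size_t i;
    if (!is_plain_filename(requested))
        return 0;
    for (i = 0; i < count; i++)
        if (strcmp(requested, announced[i]) == 0)
            return 1;
    return 0;
}

/* Builds dir/requested for an allowed request; 0 on success, else -1. */
int build_smiley_path(char *out, size_t outlen, const char *dir,
                      const char *requested)
{
    int written;
    if (!smiley_request_allowed(requested, SAMPLE_ANNOUNCED, SAMPLE_COUNT))
        return -1;
    written = snprintf(out, outlen, "%s/%s", dir, requested);
    return (written < 0 || (size_t)written >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[64];
    printf("%d\n", build_smiley_path(path, sizeof path, "smileys", "smile.png"));
    printf("%d\n", build_smiley_path(path, sizeof path, "smileys", "../secret.txt"));
    return 0;
}
```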
This issue was resolved and addressed in
GLSA 201206-11 at http://security.gentoo.org/glsa/glsa-201206-11.xml
by GLSA coordinator Stefan Behte (craig).