Bug 299751 (CVE-2010-0013) - <net-im/pidgin-2.6.5: msn arbitrary file retrieval (CVE-2010-0013)
Summary: <net-im/pidgin-2.6.5: msn arbitrary file retrieval (CVE-2010-0013)
Alias: CVE-2010-0013
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2010-01-05 13:21 UTC by cnu
Modified: 2012-06-21 18:29 UTC
See Also:
Package list:
Runtime testing required: ---
Description cnu 2010-01-05 13:21:55 UTC

Seems like people can steal my files or something... oh noes.

Reproducible: Always
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-06 18:35:26 UTC
2.6.4 does not have the fix, there is no new release yet.
Patch in $URL, please provide a patched ebuild.
Comment 2 Mr. B 2010-01-09 13:24:48 UTC
2.6.5 was released yesterday with a fix - might be an idea to bump pronto.
Comment 3 Olivier Crete (RETIRED) gentoo-dev 2010-01-10 06:44:24 UTC
Version 2.6.5 fixes the problem, please stabilize
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-01-10 11:54:37 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-01-12 18:04:23 UTC
Stable for HPPA.
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2010-01-13 10:48:55 UTC
BTW, note that 2.6.5 seems to have regression:
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2010-01-16 10:58:39 UTC
Stable on alpha.
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2010-01-19 08:24:16 UTC
(In reply to comment #6)
> BTW, note that 2.6.5 seems to have regression:

Well, actually this was not a regression; it had something to do with changes on ICQ servers. Currently it looks like the changes were reverted and everything should just work.

Comment 9 nixnut (RETIRED) gentoo-dev 2010-01-19 18:11:10 UTC
ppc stable
Comment 10 Markus Meier gentoo-dev 2010-02-03 20:29:14 UTC
amd64 stable, all arches done.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:57:21 UTC
GLSA vote: yes.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2010-02-18 21:45:13 UTC
YES too, request filed.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2010-02-28 22:11:40 UTC
CVE-2010-0013:
  Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.
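The CVE text above names two conditions a hardened emoticon handler has to enforce: the requested smiley must have been announced earlier in a text/x-mms-emoticon message, and its file name must be a single path component with no ".." traversal. The following is an added illustration of those two checks, not libpurple's slp.c or any Gentoo patch; the session struct, function names and cache directory are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-session record of emoticons the peer has announced
 * via text/x-mms-emoticon; a request for anything else is refused. */
#define MAX_ANNOUNCED 16

struct emoticon_session {
    const char *announced[MAX_ANNOUNCED];
    size_t count;
};

/* Record an emoticon file name from a text/x-mms-emoticon announcement. */
bool announce_emoticon(struct emoticon_session *s, const char *name) {
    if (s->count >= MAX_ANNOUNCED) return false;
    s->announced[s->count++] = name;
    return true;
}

/* A safe name is exactly one path component: no separators, not "." or "..". */
bool emoticon_name_is_safe(const char *name) {
    if (name == NULL || *name == '\0') return false;
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL) return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return false;
    return true;
}

/* Resolve an application/x-msnmsgrp2p emoticon request to a path inside
 * cache_dir. Returns false (nothing is served) unless the name was both
 * announced by this peer and is a safe single component. */
bool resolve_emoticon_request(const struct emoticon_session *s,
                              const char *cache_dir, const char *name,
                              char *out, size_t outlen) {
    bool announced = false;
    for (size_t i = 0; i < s->count; i++)
        if (strcmp(s->announced[i], name) == 0) announced = true;
    if (!announced || !emoticon_name_is_safe(name)) return false;
    int n = snprintf(out, outlen, "%s/%s", cache_dir, name);
    return n > 0 && (size_t)n < outlen;
}
```

Either check alone closes only part of the hole: the announcement check stops unsolicited downloads, the name check stops an announced-then-traversed name from leaving the cache directory.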

Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 18:29:00 UTC
This issue was resolved and addressed in GLSA 201206-11 by GLSA coordinator Stefan Behte (craig).