pidgin-knotify is a pidgin plugin that displays received messages and other notices from pidgin as KDE notifications. It uses system() to invoke kdialog and passes the unescaped messages as command line arguments. An attacker could use this to inject arbitrary commands by sending a prepared message via any protocol supported by pidgin to the victim.

Reproducible: Always

Steps to Reproduce:
1. Install and enable pidgin-knotify
2. Receive a message like ';touch /tmp/vulnerable;'
3. Confirm that /tmp/vulnerable exists

Actual Results:
/tmp/vulnerable exists

Expected Results:
The touch command should not be run.

The vulnerable system() call is located in src/pidgin-knotify.c, lines 71-74:

    command = g_strdup_printf("kdialog --title '%s' --passivepopup '%s' %d", title, body, timeout);
    [...]
    result = system(command);

Instead of using system(), functions of the exec family should be used, e.g. execve with a sanitized environment. If a dbus interface for showing notifications in KDE exists, it could be used as well.

The author of pidgin-knotify was contacted 8 days ago (on 04/09/10) through the email address specified on the google code project and again 3 days later through the address in the source file header; however, he neither responded nor was the code fixed in the repository.
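The fix the report asks for, shown as an added example (not pidgin-knotify's code and not the patch discussed below): the message body is handed to kdialog as one argv entry via posix_spawnp with a minimal environment, so no shell ever parses it. The program name is a parameter (assumed) so the function can be exercised with any executable.

```c
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable shape from the report (not compiled here): the body is pasted
 * into a shell command line, so ';touch /tmp/vulnerable;' closes the quoted
 * argument and the shell runs touch.
 *   command = g_strdup_printf("kdialog --title '%s' --passivepopup '%s' %d", ...);
 *   result  = system(command);
 */

/* Hardened: build an argv vector. Title and body are single arguments and
 * are never interpreted by a shell, whatever characters they contain.
 * Returns the number of argv entries before the NULL terminator. */
int build_notify_argv(const char *prog, const char *title, const char *body,
                      int timeout, char *timeout_buf, size_t timeout_len,
                      const char *argv[7])
{
    snprintf(timeout_buf, timeout_len, "%d", timeout);
    argv[0] = prog;
    argv[1] = "--title";
    argv[2] = title;          /* verbatim, even if it contains ' or ; */
    argv[3] = "--passivepopup";
    argv[4] = body;           /* verbatim */
    argv[5] = timeout_buf;
    argv[6] = NULL;
    return 6;
}

/* Spawn prog with a sanitized environment (only PATH) and wait for it.
 * Returns the child's exit status, or -1 if it could not be started. */
int run_notify(const char *prog, const char *title, const char *body, int timeout)
{
    const char *argv[7];
    char tbuf[16];
    build_notify_argv(prog, title, body, timeout, tbuf, sizeof tbuf, argv);

    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, prog, NULL, NULL, (char *const *)argv, envp) != 0)
        return -1;            /* e.g. program not found */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Calling run_notify("kdialog", title, body, timeout) replaces the system() call; the reproduction message from the report then reaches kdialog as literal text and touch never runs.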
Thank you for the report. We have just confirmed this issue. The package has been masked and will be removed in 30 days if upstream hasn't replied until then.
I opened an upstream bug and someone posted a patch: http://code.google.com/p/pidgin-knotify/issues/detail?id=1
(In reply to comment #2)
> I opened an upstream bug and someone posted a patch:
> http://code.google.com/p/pidgin-knotify/issues/detail?id=1

We will not apply this patch, as it merely is a workaround. It is very likely broken (implicit declaration of php_mblen, I didn't even look further). Besides, it incorporates code licensed under the terms of the PHP license into GPL-2 code. These two licenses are not compatible.
CVE-2010-3088 was assigned to this issue.
I've written a patch some time ago to remove system() and instead use dbus, and upstream has given me access to the repository so I was planning to release a new version with that when RL shit happened and all my free time went to hell. I hope I can get to it this week.
Any news on this one?
Removed from main tree.
Nothing to do for kde here anymore.
CVE-2010-3088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3088): The notify function in pidgin-knotify.c in the pidgin-knotify plugin 0.2.1 and earlier for Pidgin allows remote attackers to execute arbitrary commands via shell metacharacters in a message.
Since this was removed from the tree, this bug should probably just be marked closed, correct?
Thanks, everyone. GLSA draft is ready for review.
This issue was resolved and addressed in GLSA 201402-27 at http://security.gentoo.org/glsa/glsa-201402-27.xml by GLSA coordinator Sergey Popov (pinkbyte).