Date: Sat, 02 Jan 2010 13:56:32 -0800
From: Paul Aurich <paul@...krain42.org>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request - pidgin MSN arbitrary file upload

http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html

In Fabian's talk, he describes an issue where Pidgin's MSN prpl does not validate the filename received in a request for Pidgin to upload a custom emoticon to a third-party, allowing an attacker to download arbitrary files on the system via directory traversal.

This is fixed in source, but no release yet:
http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810

--
Paul Aurich
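The class of check the message says was missing, shown as an added example that is not part of the original post and is not Pidgin's actual fix: a peer-supplied emoticon file name is accepted only if it is a plain file name, and the path is built only after that check passes. The function names, the 255-byte limit and the base directory /srv/example/emoticons are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if a peer-supplied emoticon name is a plain file
 * name with no directory components, 0 otherwise. */
static int emoticon_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) > 255)
        return 0;
    /* "." and ".." name directories, not files. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        /* Reject '/' and '\\' (the client may run on Windows) and control bytes. */
        if (*p == '/' || *p == '\\' || *p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* Hypothetical helper: joins base_dir and name into out only when the name
 * passes the check. Returns 0 on success, -1 on rejection or short buffer. */
static int build_emoticon_path(const char *base_dir, const char *name,
                               char *out, size_t outlen)
{
    if (base_dir == NULL || out == NULL || outlen == 0)
        return -1;
    if (!emoticon_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", base_dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the talk or the fix. */
    const char *samples[] = { "smile.png", "../../../etc/passwd",
                              "..\\..\\boot.ini", "a/b.png", ".." };
    char path[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_emoticon_path("/srv/example/emoticons", samples[i],
                                     path, sizeof path);
        printf("%-22s -> %s\n", samples[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```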