Date: Mon, 13 Sep 2010 16:06:00 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: Re: CVE Request: pidgin-knotify remote command injection

Please use CVE-2010-3088 for this.

Thanks.

-- 
JB

----- "Alex Legler" <a3li@...too.org> wrote:

> Hi,
>
> we received a public report in our Bugzilla about the following
> issue in pidgin-knotify:
>
> "pidgin-knotify is a pidgin plugin that displays received messages and
> other notices from pidgin as KDE notifications. It uses system() to
> invoke kdialog and passes the unescaped messages as command line
> arguments. An attacker could use this to inject arbitrary commands by
> sending a prepared message via any protocol supported by pidgin to the
> victim.
> [...]
> The vulnerable system() call is located in src/pidgin-knotify.c, lines
> 71-74:
>
> command = g_strdup_printf("kdialog --title '%s' --passivepopup '%s' %d",
>                           title, body, timeout);
> [...]
> result = system(command);"
>
> All upstream versions seem to be vulnerable. The reporter tried to
> contact upstream a week ago without a response, and the last release
> was Dec '09, so we are assuming upstream is inactive. Maybe our
> maintainer is going to provide a patch. From what I can see only
> Fedora ships the package besides us.
>
> Please assign a CVE id.
>
> Thanks,
> Alex
>
> https://bugs.gentoo.org/show_bug.cgi?id=336916
> http://code.google.com/p/pidgin-knotify/
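The injection described in the quoted report, as an added example that is not part of the thread and not pidgin-knotify's own code: the vulnerable pattern is reproduced with snprintf in place of g_strdup_printf, a constructed attacker message shows how a single quote in the body breaks out of the quoted argument, and the hardened form builds an argv vector and calls execvp so no shell ever parses the message. The function names, the diagnostic helper and the sample message are assumptions made for this example; it assumes kdialog is on PATH only if run_notification is actually called.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* argv slots for "kdialog --title T --passivepopup B N" plus the NULL terminator */
#define NOTIFY_ARGC 7

/*
 * Vulnerable pattern from the report (snprintf instead of g_strdup_printf):
 * title and body are spliced verbatim into a string destined for system().
 * A body containing a single quote closes the quoted argument early and
 * everything after it is interpreted by /bin/sh as shell syntax.
 */
char *build_shell_command(const char *title, const char *body, int timeout)
{
    size_t n = strlen(title) + strlen(body) + 64;
    char *cmd = malloc(n);
    if (cmd == NULL)
        return NULL;
    snprintf(cmd, n, "kdialog --title '%s' --passivepopup '%s' %d",
             title, body, timeout);
    return cmd;
}

/*
 * Diagnostic helper (assumed for this example): count ';' separators that
 * sit outside single quotes, i.e. points where the shell would start a new
 * command. A well-formed notification command has zero.
 */
int unquoted_semicolons(const char *cmd)
{
    int in_quote = 0, count = 0;
    for (const char *p = cmd; *p != '\0'; p++) {
        if (*p == '\'')
            in_quote = !in_quote;
        else if (*p == ';' && !in_quote)
            count++;
    }
    return count;
}

/*
 * Hardened form: build an argv vector instead of a command line. Each
 * element reaches kdialog as one argument, so quotes, semicolons and
 * backticks in the message are just characters. timeout_buf must outlive
 * argv because argv[5] points into it.
 */
void build_notification_argv(const char *title, const char *body, int timeout,
                             const char *argv[NOTIFY_ARGC], char timeout_buf[16])
{
    snprintf(timeout_buf, 16, "%d", timeout);
    argv[0] = "kdialog";
    argv[1] = "--title";
    argv[2] = title;
    argv[3] = "--passivepopup";
    argv[4] = body;
    argv[5] = timeout_buf;
    argv[6] = NULL;
}

/* fork+execvp, no /bin/sh. Returns the child's exit status or -1 on failure. */
int run_notification(const char *title, const char *body, int timeout)
{
    const char *argv[NOTIFY_ARGC];
    char timeout_buf[16];
    int status;
    pid_t pid;

    build_notification_argv(title, body, timeout, argv, timeout_buf);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed attacker message: closes the quote, runs a command, reopens it. */
    const char *body = "hi'; touch /tmp/pwned; echo '";
    char *cmd = build_shell_command("Bob", body, 5);
    const char *argv[NOTIFY_ARGC];
    char timeout_buf[16];

    printf("system() would run: %s\n", cmd);
    printf("unquoted ';' in command: %d\n", unquoted_semicolons(cmd));
    free(cmd);

    build_notification_argv("Bob", body, 5, argv, timeout_buf);
    printf("execvp argv[4] (whole message as one argument): %s\n", argv[4]);
    /* run_notification("Bob", body, 5) would display the literal text instead. */
    return 0;
}
```

Escaping the message for the shell (g_shell_quote and friends) would also close this hole, but the argv form is the one to prefer: it removes the shell from the path entirely, so there is no quoting convention left to get wrong, and it is what GLib's g_spawn_async with an argv array gives you for free.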