Date: Mon, 13 Sep 2010 16:06:00 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: Re: CVE Request: pidgin-knotify remote command injection

Please use CVE-2010-3088 for this.

Thanks.

-- 
    JB


----- "Alex Legler" <a3li@...too.org> wrote:

> Hi,
> 
> we received a public report [0] in our Bugzilla about the following
> issue in pidgin-knotify [1]:
> 
> "pidgin-knotify is a pidgin plugin that displays received messages and
> other notices from pidgin as KDE notifications. It uses system() to
> invoke kdialog and passes the unescaped messages as command line
> arguments. An attacker could use this to inject arbitrary commands by
> sending a prepared message via any protocol supported by pidgin to the
> victim.
> [...]
> The vulnerable system() call is located in src/pidgin-knotify.c, lines
> 71-74:
> 
> command = g_strdup_printf("kdialog --title '%s' --passivepopup '%s' %d",
>                           title, body, timeout);
> [...]
> result = system(command);"
> 
> All upstream versions seem to be vulnerable. The reporter tried to
> contact upstream a week ago without a response, and the last release
> was Dec '09, so we are assuming upstream is inactive. Maybe our
> maintainer is going to provide a patch. From what I can see, only
> Fedora ships the package besides us.
> 
> Please assign a CVE id.
> 
> Thanks,
> Alex
> 
> 
> [0] https://bugs.gentoo.org/show_bug.cgi?id=336916
> [1] http://code.google.com/p/pidgin-knotify/
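The injection path described in the quoted report, next to the shape of fix a distribution maintainer would want, as an added example written for this page; it is not code from pidgin-knotify, from Gentoo, or from either poster. It uses snprintf() in place of g_strdup_printf() so it builds without GLib, the function names and the sample message are assumptions, and the hardened variant takes the program path as a parameter so it can be exercised with echo where kdialog is not installed:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample message (not from the report): the leading single quote
 * closes the attacker-controlled argument, and /bin/sh then parses the rest
 * as further commands. */
static const char *SAMPLE_TITLE = "Hi";
static const char *SAMPLE_BODY  = "'; touch /tmp/pwned; echo '";

/* Vulnerable shape (hypothetical name). Mirrors the quoted
 * g_strdup_printf() + system() pattern, with snprintf() standing in for
 * g_strdup_printf(). The string is only built here so it can be inspected;
 * it is never passed to system(). Caller frees the result. */
char *build_shell_command(const char *title, const char *body, int timeout)
{
    size_t n = strlen(title) + strlen(body) + 64;
    char *cmd = malloc(n);
    if (cmd == NULL)
        return NULL;
    snprintf(cmd, n, "kdialog --title '%s' --passivepopup '%s' %d",
             title, body, timeout);
    return cmd;
}

/* 1 if the message can terminate the single-quoted argument. Inside single
 * quotes /bin/sh has no escape character at all, so any literal ' ends the
 * string; this is why ad-hoc quoting of the message is not a fix. */
int body_breaks_out(const char *body)
{
    return strchr(body, '\'') != NULL;
}

/* Hardened shape (hypothetical name): the notification arguments travel as an
 * argv vector to execvp(), so no shell ever parses them. GLib's
 * g_spawn_async() with an argv array gives the same guarantee. The child's
 * stdout is captured and returned as a malloc'd string (NULL on failure or
 * non-zero exit) so the caller can see exactly what the program received. */
char *run_notify_argv(const char *prog, const char *title, const char *body,
                      int timeout)
{
    char tbuf[16];
    snprintf(tbuf, sizeof tbuf, "%d", timeout);
    char *argv[] = { (char *)prog, "--title", (char *)title,
                     "--passivepopup", (char *)body, tbuf, NULL };
    int fds[2];
    if (pipe(fds) < 0)
        return NULL;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return NULL;
    }
    if (pid == 0) {                  /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(prog, argv);
        _exit(127);
    }
    close(fds[1]);
    char buf[4096];
    size_t total = 0;
    ssize_t r;
    while (total + 1 < sizeof buf &&
           (r = read(fds[0], buf + total, sizeof buf - total - 1)) > 0)
        total += (size_t)r;
    buf[total] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0)
        return NULL;
    return strdup(buf);
}

int main(void)
{
    char *cmd = build_shell_command(SAMPLE_TITLE, SAMPLE_BODY, 5);
    printf("shell would parse: %s\n", cmd);
    printf("message breaks out of quotes: %d\n", body_breaks_out(SAMPLE_BODY));
    free(cmd);

    /* With execvp() the "; touch ..." text reaches the program as a plain
     * argument; nothing is executed. */
    char *got = run_notify_argv("echo", SAMPLE_TITLE, SAMPLE_BODY, 5);
    if (got != NULL) {
        printf("argv child received: %s", got);
        free(got);
    }
    return 0;
}
```

The point to take from the two functions is that the fix is a change of interface, not of escaping: once the message is an argv element there is no shell to break out of, whatever characters it contains. A patch that only escapes single quotes before the g_strdup_printf() call still has to get every shell metacharacter right for every libc and every /bin/sh, and pidgin messages arrive from untrusted peers over every protocol the client speaks.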
