Date: Mon, 13 Sep 2010 00:24:57 +0200 From: Alex Legler <a3li@...too.org> To: oss-security@...ts.openwall.com Subject: CVE Request: pidgin-knotify remote command injection Hi, we received a public report  in our Bugzilla about the following issue in pidgin-knotify : "pidgin-knotify is a pidgin plugin that displays received messages and other notices from pidgin as KDE notifications. It uses system() to invoke ktdialog and passes the unescaped messages as command line arguments. An attacker could use this to inject arbitrary commands by sending a prepared message via any protocol supported by pidgin to the victim. [...] The vulnerable system() call is located in src/pidgin-knotify.c, line 71-74: command = g_strdup_printf("kdialog --title '%s' --passivepopup '%s' %d", title, body, timeout); [...] result = system(command);" All upstream versions seem to be vulnerable. The reporter tried to contact upstream a week ago without a response, and the last release was Dec '09, so we are assuming upstream is inactive. Maybe our maintainer is going to provide a patch. From what I can see only Fedora ships the package besides us. Please assign a CVE id. Thanks, Alex  https://bugs.gentoo.org/show_bug.cgi?id=336916  http://code.google.com/p/pidgin-knotify/ Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.