pidgin: local file disclosure vulnerability

Related Vulnerabilities: CVE-2010-0013  

Debian Bug report logs - #563206
pidgin: local file disclosure vulnerability


Package: src:pidgin; Maintainer for src:pidgin is Ari Pollak <ari@debian.org>;

Reported by: Raphael Geissert <geissert@debian.org>

Date: Thu, 31 Dec 2009 23:06:02 UTC

Severity: grave

Tags: security

Found in version pidgin/2.6.4-1

Fixed in version pidgin/2.6.5-1

Done: Ari Pollak <ari@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#563206; Package src:pidgin. (Thu, 31 Dec 2009 23:06:04 GMT)


Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: pidgin: local file disclosure vulnerability
Date: Thu, 31 Dec 2009 17:04:29 -0600
Source: pidgin
Version: 2.6.4-1
Severity: grave
Tags: security

Hi,

A vulnerability has been discovered in Pidgin.

Here's the description from Secunia's SA37953 advisory:
> Fabian Yamaguchi has discovered a vulnerability in Pidgin, which can be
> exploited by malicious people to disclose sensitive information.
>
> The vulnerability is caused due to an error in the implementation of the
> custom smileys feature for MSN. This can be exploited to disclose the
> content of arbitrary files via an MSN emoticon request containing directory
> traversal sequences.
>
> Successful exploitation may require that at least one custom smiley is
> defined.
>
> The vulnerability is confirmed in version 2.6.4. Other versions may also be
> affected.

If you fix this vulnerability please include the CVE id when one is assigned.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
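The advisory quoted above describes the bug only in outline: a remote MSN emoticon request carries a location string, and that string reaches the filesystem with directory traversal sequences intact. The following is an added illustration, not Pidgin's code and not the upstream fix, showing the vulnerable pattern beside a hardened one. The smiley table, the directory `/home/alice/.purple/custom_smiley`, the request strings and the function names `resolve_smiley_vulnerable` / `resolve_smiley_hardened` are all constructed for this example.

```c
/* Added illustration (not Pidgin's code): a peer-controlled smiley "location"
 * used as a file name, beside a lookup that never trusts the wire value.
 * The table, directory and request strings are constructed for the example. */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the custom smileys the local user has defined.
 * The advisory notes exploitation may require at least one such entry. */
struct smiley { const char *shortcut; const char *file; };
static const struct smiley registry[] = {
    { ":-cat:", "cat.png" },
    { ":-dog:", "dog.gif" },
};

/* VULNERABLE pattern: the string from the remote emoticon request is joined
 * onto the smiley directory and handed to the file reader. A request whose
 * location is "../../.ssh/id_rsa" walks straight out of the directory.
 * Returns 0 and fills `out`, or -1 if the path does not fit. */
int resolve_smiley_vulnerable(const char *dir, const char *location,
                              char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", dir, location);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Lexical check: reject anything empty or that could name a directory
 * component or step upwards. */
static int looks_like_path(const char *s)
{
    return s[0] == '\0' || strchr(s, '/') != NULL ||
           strchr(s, '\\') != NULL || strstr(s, "..") != NULL;
}

/* HARDENED pattern: the peer may only ask for a smiley we registered, and the
 * file name written to `out` comes from our own table, never from the wire.
 * Unknown or path-like requests fail closed without touching the filesystem. */
int resolve_smiley_hardened(const char *dir, const char *location,
                            char *out, size_t outlen)
{
    if (looks_like_path(location))
        return -1;
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++) {
        if (strcmp(registry[i].file, location) == 0) {
            int n = snprintf(out, outlen, "%s/%s", dir, registry[i].file);
            return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
        }
    }
    return -1;
}

int main(void)
{
    const char *dir  = "/home/alice/.purple/custom_smiley"; /* constructed */
    const char *evil = "../../.ssh/id_rsa";                 /* constructed request */
    char path[256];

    if (resolve_smiley_vulnerable(dir, evil, path, sizeof path) == 0)
        printf("vulnerable resolver would open: %s\n", path);
    if (resolve_smiley_hardened(dir, evil, path, sizeof path) != 0)
        printf("hardened resolver refused: %s\n", evil);
    if (resolve_smiley_hardened(dir, "cat.png", path, sizeof path) == 0)
        printf("hardened resolver serves registered smiley: %s\n", path);
    return 0;
}
```

The point of the hardened version is that the remote value is only ever used as a lookup key into data the local user created; the `looks_like_path` filter is a second line of defence, not the fix. A resolver that instead canonicalises the joined path and compares it against the directory prefix also works, but it still opens arbitrary registered-looking names and is easier to get wrong across symlinks and platforms.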




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#563206; Package src:pidgin. (Sun, 03 Jan 2010 00:57:06 GMT)


Acknowledgement sent to Ari Pollak <ari@debian.org>:
Extra info received and forwarded to list. (Sun, 03 Jan 2010 00:57:06 GMT)


Message #8 received at 563206@bugs.debian.org:

From: Ari Pollak <ari@debian.org>
To: Raphael Geissert <geissert@debian.org>, 563206@bugs.debian.org
Subject: Re: Bug#563206: pidgin: local file disclosure vulnerability
Date: Sat, 02 Jan 2010 19:55:31 -0500

From upstream:

A patch for the file upload vulnerability can be found in 4be2df4f,
3d02401c, and c64a1adc [1, 2, & 3].  The fix itself is in [3], but depends
on the first two to apply properly (and clean up memory correctly).

As a note, when backporting the patch to anything older than 2.6.0, the use
of purple_strequal will need to be changed.

I just requested a CVE.

~Paul

[1] http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f
[2] http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467
[3] http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810




Information forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#563206; Package src:pidgin. (Mon, 04 Jan 2010 22:39:03 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>. (Mon, 04 Jan 2010 22:39:03 GMT)


Message #13 received at 563206@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 563206@bugs.debian.org
Subject: Re: pidgin: local file disclosure vulnerability
Date: Mon, 4 Jan 2010 23:36:06 +0100

Hi Ari,
are you working on an update? I'd NMU this bug otherwise, 
the issue sucks for a lot of users.

Cheers
Nico




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#563206; Package src:pidgin. (Mon, 04 Jan 2010 22:48:03 GMT)


Acknowledgement sent to Ari Pollak <ari@debian.org>:
Extra info received and forwarded to list. (Mon, 04 Jan 2010 22:48:03 GMT)


Message #18 received at 563206@bugs.debian.org:

From: Ari Pollak <ari@debian.org>
To: Nico Golde <nion@debian.org>, 563206@bugs.debian.org
Subject: Re: Bug#563206: pidgin: local file disclosure vulnerability
Date: Mon, 04 Jan 2010 17:45:02 -0500

Nico Golde wrote:
> Hi Ari,
> are you working on an update? I'd NMU this bug otherwise, 
> the issue sucks for a lot of users.
> 

Not yet. Feel free to NMU it.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#563206; Package src:pidgin. (Thu, 07 Jan 2010 17:09:02 GMT)


Acknowledgement sent to Ari Pollak <ari@debian.org>:
Extra info received and forwarded to list. (Thu, 07 Jan 2010 17:09:02 GMT)


Message #23 received at 563206@bugs.debian.org:

From: Ari Pollak <ari@debian.org>
To: Raphael Geissert <geissert@debian.org>, 563206@bugs.debian.org
Subject: Re: Bug#563206: pidgin: local file disclosure vulnerability
Date: Thu, 07 Jan 2010 11:28:47 -0500

I've just been informed that this is CVE-2010-0013.




Reply sent to Ari Pollak <ari@debian.org>:
You have taken responsibility. (Sun, 10 Jan 2010 02:06:04 GMT)


Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Sun, 10 Jan 2010 02:06:04 GMT)


Message #28 received at 563206-close@bugs.debian.org:

From: Ari Pollak <ari@debian.org>
To: 563206-close@bugs.debian.org
Subject: Bug#563206: fixed in pidgin 2.6.5-1
Date: Sun, 10 Jan 2010 02:02:59 +0000

Source: pidgin
Source-Version: 2.6.5-1

We believe that the bug you reported is fixed in the latest version of
pidgin, which is due to be installed in the Debian FTP archive:

finch-dev_2.6.5-1_all.deb
  to main/p/pidgin/finch-dev_2.6.5-1_all.deb
finch_2.6.5-1_amd64.deb
  to main/p/pidgin/finch_2.6.5-1_amd64.deb
libpurple-bin_2.6.5-1_all.deb
  to main/p/pidgin/libpurple-bin_2.6.5-1_all.deb
libpurple-dev_2.6.5-1_all.deb
  to main/p/pidgin/libpurple-dev_2.6.5-1_all.deb
libpurple0_2.6.5-1_amd64.deb
  to main/p/pidgin/libpurple0_2.6.5-1_amd64.deb
pidgin-data_2.6.5-1_all.deb
  to main/p/pidgin/pidgin-data_2.6.5-1_all.deb
pidgin-dbg_2.6.5-1_amd64.deb
  to main/p/pidgin/pidgin-dbg_2.6.5-1_amd64.deb
pidgin-dev_2.6.5-1_all.deb
  to main/p/pidgin/pidgin-dev_2.6.5-1_all.deb
pidgin_2.6.5-1.debian.tar.gz
  to main/p/pidgin/pidgin_2.6.5-1.debian.tar.gz
pidgin_2.6.5-1.dsc
  to main/p/pidgin/pidgin_2.6.5-1.dsc
pidgin_2.6.5-1_amd64.deb
  to main/p/pidgin/pidgin_2.6.5-1_amd64.deb
pidgin_2.6.5.orig.tar.bz2
  to main/p/pidgin/pidgin_2.6.5.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 563206@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <ari@debian.org> (supplier of updated pidgin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Sat, 09 Jan 2010 14:13:53 -0500
Source: pidgin
Binary: libpurple0 pidgin pidgin-data pidgin-dev pidgin-dbg finch finch-dev libpurple-dev libpurple-bin
Architecture: source all amd64
Version: 2.6.5-1
Distribution: unstable
Urgency: low
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Ari Pollak <ari@debian.org>
Description: 
 finch      - text-based multi-protocol instant messaging client
 finch-dev  - text-based multi-protocol instant messaging client - development
 libpurple-bin - multi-protocol instant messaging library - extra utilities
 libpurple-dev - multi-protocol instant messaging library - development files
 libpurple0 - multi-protocol instant messaging library
 pidgin     - graphical multi-protocol instant messaging client for X
 pidgin-data - multi-protocol instant messaging client - data files
 pidgin-dbg - Debugging symbols for Pidgin
 pidgin-dev - multi-protocol instant messaging client - development files
Closes: 563206
Changes: 
 pidgin (2.6.5-1) unstable; urgency=low
 .
   * New upstream release
   * debian/patches/CVE-2010-0013.patch:
     - Fix MSN local file disclosure vulnerability (Closes: #563206)
       (CVE-2010-0013)
Checksums-Sha1: 
 ac2a1c91d753f4eb6273e6ae49f4d5d1c5f6d7b6 1940 pidgin_2.6.5-1.dsc
 e50edbe0fe588d7222d54154942550ef1788b89d 9383600 pidgin_2.6.5.orig.tar.bz2
 163bf34640210d8965e1c883701b92270131b49c 56026 pidgin_2.6.5-1.debian.tar.gz
 511a02cfed8549953dd6bfcc64125a59d7f63b9d 7408378 pidgin-data_2.6.5-1_all.deb
 36d3501739dc915c01b730d81832cd853d2dd5c0 1838344 pidgin-dev_2.6.5-1_all.deb
 30658f6083e88a76dd1b245361825aee8d15351c 125618 finch-dev_2.6.5-1_all.deb
 21ac8b54c0ad6a23f5dc72818b844fa0905631a8 281508 libpurple-dev_2.6.5-1_all.deb
 74a2f3cb3254d035545cfd5d20e0eca65855479f 99206 libpurple-bin_2.6.5-1_all.deb
 0534fcb5fad504d2f0a6b67984b9693d68f578e3 1969220 libpurple0_2.6.5-1_amd64.deb
 43d3419d94521ba759f2063d46f7085e5372991d 768506 pidgin_2.6.5-1_amd64.deb
 b09b3fa47a078fe636fbbe71497d868bd22bd701 6244266 pidgin-dbg_2.6.5-1_amd64.deb
 c6a2057aab188a5eb686a303ea718c6c785d0be7 328590 finch_2.6.5-1_amd64.deb
Checksums-Sha256: 
 39904768e2aeb071ed79fa305598d8df0c543af8c64e2101ccd1df6504487be8 1940 pidgin_2.6.5-1.dsc
 3c459e4093fca679591e35ea34da4a0e45b15f2bb7ca00314a1486dc022f3d0e 9383600 pidgin_2.6.5.orig.tar.bz2
 3a3ed0118a385c90f490137f89f03b7da44229f00cb590ae2b13628f801510b9 56026 pidgin_2.6.5-1.debian.tar.gz
 84bf9a9cff4e13ad1709ba703240945f34e7656adeb0087c1956e716beac5554 7408378 pidgin-data_2.6.5-1_all.deb
 3cd2dec632fa9a04c55e04f7057f61aeec2bafa22d5fe3aa4eec605bb6b3c2ad 1838344 pidgin-dev_2.6.5-1_all.deb
 583ae58b1a9d573cbb96890dc476e0812a2512e6d00cbd66604060af933ce0a2 125618 finch-dev_2.6.5-1_all.deb
 57961976d516b6ef41e73becf9ab4cb1ede5cfeee8c9427959b0328a52dfcd55 281508 libpurple-dev_2.6.5-1_all.deb
 63973dd5ffc8666e58282b03446c1980738c4d9114c260c2dbbf124596251649 99206 libpurple-bin_2.6.5-1_all.deb
 ebd8971ba64e3bc60a315f16e9a23b08d1c9d8ad31e6299a17377304b5c2333f 1969220 libpurple0_2.6.5-1_amd64.deb
 8a66e4c69567f1da50f3f4eb75b4dde72afbfcfed183084e5d44992866f4ecec 768506 pidgin_2.6.5-1_amd64.deb
 dc0bbac0816e8527f63d0853e016c27c937e6231c5b7282b3d07c5432843171e 6244266 pidgin-dbg_2.6.5-1_amd64.deb
 dca7d5808011e9920aa19e0a29c7bc45082b27a8274ef5abbe6b74a0746e3d8f 328590 finch_2.6.5-1_amd64.deb
Files: 
 144cad1a6a0857e3c8c3be8b17f8c80e 1940 net optional pidgin_2.6.5-1.dsc
 90847ed22ec830db5d9768748812b661 9383600 net optional pidgin_2.6.5.orig.tar.bz2
 9814117e3e436a9d77c9904cbaf83d40 56026 net optional pidgin_2.6.5-1.debian.tar.gz
 a249a409821f3357f2c52567978ba92c 7408378 net optional pidgin-data_2.6.5-1_all.deb
 9ee5900ede034a45c303083adfb9c9b7 1838344 devel optional pidgin-dev_2.6.5-1_all.deb
 be2a1d9a2dcd5ce56d761e5797b0c9fb 125618 devel optional finch-dev_2.6.5-1_all.deb
 d72620072635beaea2b097ee8c1583a9 281508 libdevel optional libpurple-dev_2.6.5-1_all.deb
 66cb85c85469beb967d7206afd626bbf 99206 net optional libpurple-bin_2.6.5-1_all.deb
 ef3120a47105545e80e99bc1cc68a496 1969220 net optional libpurple0_2.6.5-1_amd64.deb
 5e7c66778d9286f3cd875e212c431ea1 768506 net optional pidgin_2.6.5-1_amd64.deb
 7ad4fed19909f353b2b366414d31e3a5 6244266 debug extra pidgin-dbg_2.6.5-1_amd64.deb
 f5aee7d85cafd4729e4f0251ba2de770 328590 net optional finch_2.6.5-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREDAAYFAktJMvoACgkQwO+u47cOQDvE7ACdFWP9yXGb/RL8JoaW6lXhZyb5
OsIAoKAN9BuLHHuWmZ6vfol2cUivmrvy
=n0Yn
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Feb 2010 07:27:12 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:05:47 2019; Machine Name: beach
