oss-sec mailing list archives
Re: CVE request - pidgin MSN arbitrary file upload
From: Josh Bressers <bressers () redhat com>
Date: Thu, 7 Jan 2010 10:16:49 -0500 (EST)
----- "Paul Aurich" <paul () darkrain42 org> wrote:
http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html In Fabian's talk, he describes an issue where Pidgin's MSN prpl does not validate the filename received in a request for Pidgin to upload a custom emoticon to a third-party, allowing an attacker to download arbitrary files on the system via directory traversal. This is fixed in source, but no release yet: http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810
As this really needs an ID, please use CVE-2010-0013.
Thanks.
--
JB
Current thread:
- CVE request - pidgin MSN arbitrary file upload Paul Aurich (Jan 02)
- Re: CVE request - pidgin MSN arbitrary file upload Josh Bressers (Jan 07)
- Re: CVE request - pidgin MSN arbitrary file upload Nico Golde (Jan 07)
- Re: CVE request - pidgin MSN arbitrary file upload Steven M. Christey (Jan 09)
- Re: CVE request - pidgin MSN arbitrary file upload Nico Golde (Jan 07)
- Re: CVE request - pidgin MSN arbitrary file upload Josh Bressers (Jan 07)