Re: CVE Request: pidgin-knotify remote command injection

[Josh Bressers <bressers () redhat com>]

Please use CVE-2010-3088 for this.

Thanks.

-- 
    JB


----- "Alex Legler" <a3li () gentoo org> wrote:

> Hi,
>
> we received a public report [0] in our Bugzilla about the following  
> issue in pidgin-knotify [1]:
>
> "pidgin-knotify is a pidgin plugin that displays received messages and
> other
> notices from pidgin as KDE notifications. It uses system() to invoke
> ktdialog
> and passes the unescaped messages as command line arguments. An
> attacker could
> use this to inject arbitrary commands by sending a prepared message
> via any
> protocol supported by pidgin to the victim.
> [...]
> The vulnerable system() call is located in src/pidgin-knotify.c, line
> 71-74:
>
> command = g_strdup_printf("kdialog --title '%s' --passivepopup '%s'  
> %d", title,
> body, timeout);
> [...]
> result = system(command);"
>
> All upstream versions seem to be vulnerable. The reporter tried to  
> contact upstream a week ago without a response, and the last release 
>
> was Dec '09, so we are assuming upstream is inactive. Maybe our  
> maintainer is going to provide a patch. From what I can see only  
> Fedora ships the package besides us.
>
> Please assign a CVE id.
>
> Thanks,
> Alex
>
>
> [0] https://bugs.gentoo.org/show_bug.cgi?id=336916
> [1] http://code.google.com/p/pidgin-knotify/