CVE-2010-0013

Publication date 9 January 2010

Last updated 24 July 2024


Ubuntu priority

CVSS 3 Severity Score: 7.5 · High


Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.


Status

Package   Ubuntu Release     Status
pidgin    9.10 karmic        Fixed 1:2.6.2-1ubuntu7.1
pidgin    9.04 jaunty        Fixed 1:2.5.5-1ubuntu8.5
pidgin    8.10 intrepid      Fixed 1:2.5.2-0ubuntu1.6
pidgin    8.04 LTS hardy     Not affected
pidgin    6.06 LTS dapper    Not in release

Notes


mdeslaur: pidgin in hardy doesn't support MSN_OBJECT_EMOTICON

Severity score breakdown

Parameter Value
Base score 7.5 · High
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N