A security flaw was found in the way MXit protocol plug-in of libPurple generated temporary file used for image data storage, when processing Imagestrip MXit command. A rogue server or remote attacker could use this flaw to specify a file name, which in a partial manner would be used to generate the final local path, used for storage of image data on the local disk, possibly leading to attacker's ability to overwrite local files accessible with the privileges of the user running the pidgin executable. Upstream ticket: [1] http://pidgin.im/news/security/?id=65
Created attachment 696213 [details] Local copy of (by Pidgin upstream) proposed patch to fix the CVE-2013-0271 issue
This issue did NOT affect the versions of the pidgin package, as shipped with Red Hat Enterprise Linux 5 and 6. -- This issue affects the versions of the pidgin package, as shipped with Fedora release of 16, 17, and 18.
Acknowledgements: Red Hat would like to thank the Pidgin project for reporting this issue. Upstream acknowledges Chris Wysopal of Veracode as the original issue reporter.
The versions of pidgin shipped with Red Hat Enterprise Linux 5 and 6, do not support the MXIT_CMD_IMAGESTRIP command, hence they are not vulnerable to this flaw. Statement: Not vulnerable. This issue did not affect the versions of pidgin, as shipped with Red Hat Enterprise Linux 5 and 6.
Created pidgin tracking bugs for this issue Affects: fedora-all [bug 910826]
External References: http://www.pidgin.im/news/security/?id=65