Note: This is an archival copy of Security Sun Alert 277450 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1022203.1.
Date of Resolved Release
A Security Vulnerability in Solaris Pidgin (see pidgin(1)) May Allow Remote Unprivileged Users to Access Arbitrary Files
A vulnerability in the MSN protocol handler of libpurple(3), the shared library that adds support for various instant messaging networks to the pidgin(1) Instant Messaging client (previously known as Gaim), may allow remote unprivileged users to retrieve arbitrary files (readable by the targeted user) on the target's computer via a custom "smiley" request.
Additional information on this issue can be found in the following document:
CVE-2010-0013 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013
2. Contributing Factors
This issue can occur in the following releases:
1. Solaris 8 and Solaris 9 do not ship Pidgin and therefore are not affected by this issue. Versions of Pidgin shipped with Solaris 10 and versions of Gaim shipped with Solaris 10 and OpenSolaris are not affected by this issue.
2. This issue affects only those systems which have the Pidgin IM client of a version later than 2.5.0 and prior to 2.6.5 installed.
To determine if Pidgin is installed on the system and to check the version of Pidgin installed, the following command may be run:
$ /usr/bin/pidgin -v || echo "Pidgin IM client not installed"To determine the base build of OpenSolaris, the following command can be used:
$ uname -v
There are no predictable symptoms that would indicate this issue has been exploited to access arbitrary files.
To mitigate the impact of the described issue, remove the .purple/custom_smiley from user's home directory if it exists. This directory is not created by default, but is only created when custom "smileys" are first defined. This can be done by running the following command:
$ rm -r $HOME/.purple/custom_smiley/
This issue is addressed in the following releases:
This solution has no attachment