pidgin/android/libpurple

Fix a bug where a remote MXit user could possibly specify a local
release-2.x.y
2013-02-11, Mark Doliner
a8aef1d340f2
Parents d1aa818fd0fc
Children 879db2a9a59c
Fix a bug where a remote MXit user could possibly specify a local
file path to be written to.

This is CVE-2013-0271.

The problem was reported to us by Chris Wysopal of Veracode.
3 files changed, 16 insertions(+), 4 deletions(-)
  • +2 -0
    ChangeLog
  • +12 -2
    libpurple/protocols/mxit/formcmds.c
  • +2 -2
    libpurple/protocols/mxit/splashscreen.c
    • --- a/ChangeLog Mon Feb 11 01:01:20 2013 -0800
    +++ b/ChangeLog Mon Feb 11 01:03:34 2013 -0800
    @@ -37,6 +37,8 @@
    Barfield) (#15217)
    MXit:
    + * Fix a bug where a remote MXit user could possibly specify a local
    + file path to be written to. (CVE-2013-0271)
    * Display farewell messages in a different colour to distinguish
    them from normal messages.
    * Add support for typing notification.
    --- a/libpurple/protocols/mxit/formcmds.c Mon Feb 11 01:01:20 2013 -0800
    +++ b/libpurple/protocols/mxit/formcmds.c Mon Feb 11 01:03:34 2013 -0800
    @@ -405,19 +405,29 @@
    guchar* rawimg;
    gsize rawimglen;
    char* dir;
    + char* escfrom;
    + char* escname;
    + char* escvalidator;
    char* filename;
    /* base64 decode the image data */
    rawimg = purple_base64_decode(tmp, &rawimglen);
    /* save it to a file */
    - dir = g_strdup_printf("%s/mxit/imagestrips", purple_user_dir());
    + dir = g_build_filename(purple_user_dir(), "mxit", "imagestrips", NULL);
    purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR); /* ensure directory exists */
    - filename = g_strdup_printf("%s/%s-%s-%s.png", dir, from, name, validator);
    + escfrom = g_strdup(purple_escape_filename(from));
    + escname = g_strdup(purple_escape_filename(name));
    + escvalidator = g_strdup(purple_escape_filename(validator));
    + filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s-%s-%s.png", dir, escfrom, escname, escvalidator);
    +
    purple_util_write_data_to_file_absolute(filename, (char*) rawimg, rawimglen);
    g_free(dir);
    + g_free(escfrom);
    + g_free(escname);
    + g_free(escvalidator);
    g_free(filename);
    }
    --- a/libpurple/protocols/mxit/splashscreen.c Mon Feb 11 01:01:20 2013 -0800
    +++ b/libpurple/protocols/mxit/splashscreen.c Mon Feb 11 01:03:34 2013 -0800
    @@ -121,10 +121,10 @@
    splash_remove(session);
    /* Save the new splash image */
    - dir = g_strdup_printf("%s/mxit", purple_user_dir());
    + dir = g_strdup_printf("%s" G_DIR_SEPARATOR_S "mxit", purple_user_dir());
    purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR); /* ensure directory exists */
    - filename = g_strdup_printf("%s/%s.png", dir, splashId);
    + filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s.png", dir, purple_escape_filename(splashId));
    if (purple_util_write_data_to_file_absolute(filename, data, datalen)) {
    /* Store new splash-screen ID to settings */
    purple_account_set_string(session->acc, MXIT_CONFIG_SPLASHID, splashId);