<?xml version="1.0" encoding="UTF-8"?>
<glsa id="201402-27">
<title>pidgin-knotify: Arbitrary code execution</title>
<synopsis>A vulnerability in pidgin-knotify might allow remote attackers to
execute arbitrary code.
</synopsis>
<product type="ebuild">pidgin-knotify</product>
<announced>February 26, 2014</announced>
<revised>February 26, 2014: 1</revised>
<package name="x11-plugins/pidgin-knotify" auto="yes" arch="*">
<vulnerable range="le">0.2.1</vulnerable>
</package>
<p>pidgin-knotify is a Pidgin plug-in to display message notifications in
<p>pidgin-knotify does not properly sanitize shell metacharacters from
received messages.
</p>
<impact type="high">
<p>A remote attacker could send a specially crafted instant message,
possibly resulting in execution of arbitrary code with the privileges of
the Pidgin process.
</p>
</impact>
<p>There is no known workaround at this time.</p>
<p>Gentoo has discontinued support for pidgin-knotify. We recommend that
users unmerge pidgin-knotify:
</p>
<code>
# emerge --unmerge "x11-plugins/pidgin-knotify"
</code>
<uri link="">CVE-2010-3088</uri>
<metadata tag="requester" timestamp="Sat, 22 Sep 2012 18:54:54 +0000">ackle</metadata>
<metadata tag="submitter" timestamp="Wed, 26 Feb 2014 14:28:15 +0000">ackle</metadata>
</glsa>