CVE-2010-0013

Published: Jan 9, 2010Modified: Apr 23, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.

Affected (10)

Products: Adium: Adium · Pidgin: Pidgin · Fedoraproject: Fedora · +3 more

Show all products

Adium: Adium · Pidgin: Pidgin · Fedoraproject: Fedora · Opensuse: Opensuse · Suse: Linux Enterprise, Linux Enterprise Server · Redhat: Enterprise Linux

1 product

1 product

1 product

1 product

2 products

Linux Enterprise Server

Redhat

1 product

Enterprise Linux

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Adium Adium	Version 1.3.8
Pidgin Pidgin	Version 2.6.4

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 11
Fedoraproject Fedora	Version 12

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Opensuse Opensuse	From 11.0 to 11.2
Suse Linux Enterprise	Version 11.0
Suse Linux Enterprise Server	Version 10 sp2
Suse Linux Enterprise Server	Version 10 sp3

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 4.0
Redhat Enterprise Linux	Version 5.0

Related CWEs

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (48)

http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467

Source: secalert@redhat.com

Broken Link

http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f

Source: secalert@redhat.com

Broken Link

http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810

Source: secalert@redhat.com

Broken Link

http://developer.pidgin.im/viewmtn/revision/diff/3d02401cf232459fc80c0837d31e05fae7ae5467/with/c64a1adc8bda2b4aeaae1f273541afbc4f71b810/libpurple/protocols/msn/slp.c

Source: secalert@redhat.com

Broken Link

http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html

Source: secalert@redhat.com

Product

http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033771.html

Source: secalert@redhat.com

Mailing List

http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033848.html

Source: secalert@redhat.com

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html

Source: secalert@redhat.com

Mailing List

http://secunia.com/advisories/37953

Source: secalert@redhat.com

Broken LinkVendor Advisory

http://secunia.com/advisories/37954

Source: secalert@redhat.com

Broken LinkVendor Advisory

http://secunia.com/advisories/37961

Source: secalert@redhat.com

Broken Link

http://secunia.com/advisories/38915

Source: secalert@redhat.com

Broken Link

http://sunsolve.sun.com/search/document.do?assetkey=1-66-277450-1

Source: secalert@redhat.com

Broken Link

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1022203.1-1

Source: secalert@redhat.com

Broken Link

http://www.mandriva.com/security/advisories?name=MDVSA-2010:085

Source: secalert@redhat.com

Broken Link

http://www.openwall.com/lists/oss-security/2010/01/02/1

Source: secalert@redhat.com

Mailing ListPatch

http://www.openwall.com/lists/oss-security/2010/01/07/1

Source: secalert@redhat.com

Mailing List

http://www.openwall.com/lists/oss-security/2010/01/07/2

Source: secalert@redhat.com

Mailing List

http://www.vupen.com/english/advisories/2009/3662

Source: secalert@redhat.com

Permissions RequiredVendor Advisory

http://www.vupen.com/english/advisories/2009/3663

Source: secalert@redhat.com

Permissions RequiredVendor Advisory

http://www.vupen.com/english/advisories/2010/1020

Source: secalert@redhat.com

Permissions Required

https://bugzilla.redhat.com/show_bug.cgi?id=552483

Source: secalert@redhat.com

Issue TrackingPatch

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10333

Source: secalert@redhat.com

Broken Link

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17620

Source: secalert@redhat.com

Broken Link

http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467