Gentoo Foundation GLSA-201402-27
History: Feb 26, 2014 - 12:00 a.m.

pidgin-knotify: Arbitrary code execution

2014-02-26 00:00:00
Gentoo Foundation
security.gentoo.org

CVSS2: 5.1 Medium (AV:N/AC:H/Au:N/C:P/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.035 Low (percentile 91.5%)

Background

pidgin-knotify is a Pidgin plug-in to display message notifications in KDE.

Description

pidgin-knotify does not properly sanitize shell metacharacters from received messages.

Impact

A remote attacker could send a specially crafted instant message, possibly resulting in execution of arbitrary code with the privileges of the Pidgin process.
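The bug class behind this advisory is a message body being interpolated into a shell command line before it reaches the notification tool. The sketch below is an added illustration, not pidgin-knotify's code: the notifier binary, the function names and the sample message are all constructed for this example. It shows the vulnerable string-building pattern, a shell-quoting stopgap, and the fix that removes the shell from the path entirely (an argv array), along with a simple detector for metacharacters that a defender could use to flag suspicious inbound messages.

```python
"""Illustration of the shell-metacharacter bug class in GLSA-201402-27.

Hypothetical sketch, not pidgin-knotify's own code. The notifier binary is a
stand-in that just prints its first argument, so the example runs offline.
"""
import shlex
import subprocess
import sys

# Characters a POSIX shell treats specially when they appear unquoted.
SHELL_METACHARS = set(";|&$`<>()\n\"'\\*?[]{}~#")

# Constructed stand-in for the KDE notifier: prints the single argument it is handed.
NOTIFIER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def has_shell_metacharacters(text: str) -> bool:
    """Detection helper: does this message contain anything a shell would interpret?"""
    return any(c in SHELL_METACHARS for c in text)


def vulnerable_command(sender: str, message: str) -> str:
    """The pattern the advisory describes: untrusted text concatenated into a shell
    command line. Anything after ';' or inside $( ) in the message becomes a
    second command when a shell parses this string. Returned, never executed here."""
    return f'notify "{sender}" "{message}"'


def quoted_command(sender: str, message: str) -> str:
    """Stopgap: escape each argument with shlex.quote. This is safe only if the
    quoting is applied to every untrusted field and the string still goes through
    a shell; it is easy to miss a field, which is why argv is preferred."""
    return "notify " + " ".join(shlex.quote(a) for a in (sender, message))


def notify_argv(sender: str, message: str) -> list:
    """The fix: build an argv array and let the OS exec the program directly.
    No shell ever parses the message, so metacharacters are plain bytes."""
    return NOTIFIER + [f"{sender}: {message}"]


def send_notification(sender: str, message: str) -> str:
    """Run the notifier without a shell and return exactly what it displayed."""
    result = subprocess.run(
        notify_argv(sender, message),  # list form: no shell=True, no string joining
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed sample message carrying a harmless second command.
    msg = "meet at 5; echo INJECTED"
    print("flagged:", has_shell_metacharacters(msg))
    print("vulnerable line:", vulnerable_command("alice", msg))
    print("quoted line:    ", quoted_command("alice", msg))
    print("displayed:      ", send_notification("alice", msg))
```

The displayed line comes back verbatim, including the `;` and `echo`, because nothing between Pidgin and the notifier ever parsed it as shell syntax. Mitigation-wise, the argv approach is the durable fix; a metacharacter check is useful for alerting on odd inbound messages but should not be relied on as the sole control, since the set of dangerous characters depends on the shell in use.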

Workaround

There is no known workaround at this time.

Resolution

Gentoo has discontinued support for pidgin-knotify. We recommend that users unmerge pidgin-knotify:

 # emerge --unmerge "x11-plugins/pidgin-knotify"
Affected packages:

  OS      Version  Architecture  Package                      Version   Filename
  Gentoo  any      all           x11-plugins/pidgin-knotify   <= 0.2.1  UNKNOWN
