CVE-2016-2368

NameCVE-2016-2368
DescriptionMultiple memory corruption vulnerabilities exist in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could result in multiple buffer overflows, potentially resulting in code execution or memory disclosure.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-542-1, DSA-3620-1
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pidgin (PTS)wheezy2.10.10-1~deb7u1vulnerable
wheezy (security)2.10.10-1~deb7u3fixed
jessie (security), jessie2.11.0-0+deb8u2fixed
buster, sid, stretch2.12.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pidginsource(unstable)2.11.0-1high
pidginsourcejessie2.11.0-0+deb8u1highDSA-3620-1
pidginsourcewheezy2.10.10-1~deb7u2highDLA-542-1

Notes

http://www.talosintel.com/reports/TALOS-2016-0136/
http://www.pidgin.im/news/security/?id=101
https://bitbucket.org/pidgin/main/commits/60f95045db42
https://bitbucket.org/pidgin/main/commits/f6efc254e947

Search for package or bug name: Reporting problems