CVE-2016-2371

NameCVE-2016-2371
DescriptionAn out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-542-1, DSA-3620-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pidgin (PTS)wheezy2.10.10-1~deb7u1vulnerable
wheezy (security)2.10.10-1~deb7u3fixed
jessie (security), jessie2.11.0-0+deb8u2fixed
buster, sid, stretch2.12.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pidginsource(unstable)2.11.0-1medium
pidginsourcejessie2.11.0-0+deb8u1mediumDSA-3620-1
pidginsourcewheezy2.10.10-1~deb7u2mediumDLA-542-1

Notes

http://www.talosintel.com/reports/TALOS-2016-0139/
http://www.pidgin.im/news/security/?id=104
https://bitbucket.org/pidgin/main/commits/f0287378203fbf496a9890bf273d96adefb93b74

Search for package or bug name: Reporting problems