CVE-2016-2371

NameCVE-2016-2371
DescriptionAn out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-542-1, DSA-3620-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pidgin (PTS)stretch2.12.0-1fixed
buster2.13.0-2fixed
bullseye, sid2.14.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pidginsourcewheezy2.10.10-1~deb7u2DLA-542-1
pidginsourcejessie2.11.0-0+deb8u1DSA-3620-1
pidginsource(unstable)2.11.0-1

Notes

http://www.talosintel.com/reports/TALOS-2016-0139/
http://www.pidgin.im/news/security/?id=104
https://bitbucket.org/pidgin/main/commits/f0287378203fbf496a9890bf273d96adefb93b74

Search for package or bug name: Reporting problems