Vulnerability CVE-2016-2377: Information

Description

A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server could potentially result in an out-of-bounds write of one byte. A malicious server can send a negative content-length in response to a HTTP request triggering the vulnerability.

Severity: HIGH (8.1) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2016-2377
Published: Jan. 7, 2017
Modified: March 30, 2017
Error type identifier: CWE-119

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
pidginsisyphus2.11.0-alt12.14.12-alt1ALT-PU-2016-1727-1166767Fixed
pidginp102.11.0-alt12.14.12-alt1ALT-PU-2016-1727-1166767Fixed
pidginp92.11.0-alt12.13.0-alt6ALT-PU-2016-1727-1166767Fixed
pidginc10f12.11.0-alt12.14.12-alt1ALT-PU-2016-1727-1166767Fixed
pidginc9f22.11.0-alt12.14.12-alt1ALT-PU-2016-1727-1166767Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
USN-3031-1
  • Third Party Advisory
http://www.talosintelligence.com/reports/TALOS-2016-0119/
  • Technical Description
  • Third Party Advisory
http://www.pidgin.im/news/security/?id=93
  • Patch
  • Vendor Advisory
DSA-3620
  • Third Party Advisory
91335
  • Third Party Advisory
  • VDB Entry
GLSA-201701-38

      1. Configuration 1

        cpe:2.3:a:pidgin:pidgin:*:*:*:*:*:*:*:*
        End including
        2.10.12

        Configuration 2

        cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
        cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
        cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

        Configuration 3

        cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
    Version: v24.5.0
    Back to top