Vulnerability CVE-2016-2378: Information

Description

A buffer overflow vulnerability exists in the handling of the MXIT protocol Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negative length values to trigger this vulnerability.

Severity: HIGH (8.1) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2016-2378
Published: Jan. 7, 2017
Modified: March 30, 2017
Error type identifier: CWE-119

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
pidginsisyphus2.11.0-alt12.14.12-alt1ALT-PU-2016-1727-1166767Fixed
pidginp102.11.0-alt12.14.12-alt1ALT-PU-2016-1727-1166767Fixed
pidginp92.11.0-alt12.13.0-alt6ALT-PU-2016-1727-1166767Fixed
pidginc10f12.11.0-alt12.14.12-alt1ALT-PU-2016-1727-1166767Fixed
pidginc9f22.11.0-alt12.14.12-alt1ALT-PU-2016-1727-1166767Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
USN-3031-1
  • Third Party Advisory
http://www.talosintelligence.com/reports/TALOS-2016-0120/
  • Technical Description
  • Third Party Advisory
http://www.pidgin.im/news/security/?id=94
  • Patch
  • Vendor Advisory
DSA-3620
  • Third Party Advisory
91335
  • Third Party Advisory
  • VDB Entry
GLSA-201701-38

      1. Configuration 1

        cpe:2.3:a:pidgin:pidgin:*:*:*:*:*:*:*:*
        End including
        2.10.12

        Configuration 2

        cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
        cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
        cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

        Configuration 3

        cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
    Version: v24.5.0
    Back to top