Vulnerability CVE-2016-2367: Information

Description

An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the avatar is sent to another user.

Severity: MEDIUM (5.9) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2016-2367
Published: Jan. 7, 2017
Modified: March 30, 2017
Error type identifier: CWE-200CWE-125

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
pidginsisyphus2.11.0-alt12.14.12-alt1ALT-PU-2016-1727-1166767Fixed
pidginp102.11.0-alt12.14.12-alt1ALT-PU-2016-1727-1166767Fixed
pidginp92.11.0-alt12.13.0-alt6ALT-PU-2016-1727-1166767Fixed
pidginc10f12.11.0-alt12.14.12-alt1ALT-PU-2016-1727-1166767Fixed
pidginc9f22.11.0-alt12.14.12-alt1ALT-PU-2016-1727-1166767Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
USN-3031-1
  • Third Party Advisory
http://www.talosintelligence.com/reports/TALOS-2016-0135/
  • Technical Description
  • Third Party Advisory
http://www.pidgin.im/news/security/?id=100
  • Patch
  • Vendor Advisory
DSA-3620
  • Third Party Advisory
91335
  • Third Party Advisory
  • VDB Entry
GLSA-201701-38

      1. Configuration 1

        cpe:2.3:a:pidgin:pidgin:*:*:*:*:*:*:*:*
        End including
        2.10.12

        Configuration 2

        cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
        cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
        cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

        Configuration 3

        cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
    Version: v24.4.2
    Back to top