CVE-2016-2371
Published: 23 June 2016
An out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.
Notes
Author | Note |
---|---|
seth-arnold | This patch doesn't enforce upper-limits; it seems insufficient to me. |
mdeslaur | patch listed in upstream advisory is wrong, it is actually the fix for CVE-2016-2369 |
Priority
Status
Package | Release | Status |
---|---|---|
pidgin (Launchpad, Ubuntu, Debian) | upstream | Released (2.11.0-1) |
 | precise | Released (1:2.10.3-0ubuntu1.7) |
 | trusty | Released (1:2.10.9-0ubuntu3.3) |
 | wily | Released (1:2.10.11-0ubuntu4.2) |
 | xenial | Released (1:2.10.12-0ubuntu5.1) |

Patches: upstream: https://bitbucket.org/pidgin/main/commits/f0287378203fbf496a9890bf273d96adefb93b74
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |