CVE-2016-2371

Published: 23 June 2016

An out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.

Priority

Medium

CVSS 3 base score: 8.1

Status

Package: pidgin (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Released (2.11.0-1)
Ubuntu 16.04 ESM (Xenial Xerus)    Released (1:2.10.12-0ubuntu5.1)
Ubuntu 14.04 ESM (Trusty Tahr)     Released (1:2.10.9-0ubuntu3.3)

Patches:
Upstream: https://bitbucket.org/pidgin/main/commits/f0287378203fbf496a9890bf273d96adefb93b74

Notes

Author: seth-arnold
Note: This patch doesn't enforce upper-limits; it seems insufficient to me.

Author: mdeslaur
Note: patch listed in upstream advisory is wrong, it is actually the fix for CVE-2016-2369
