CVE-2016-2368

NameCVE-2016-2368
DescriptionMultiple memory corruption vulnerabilities exist in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could result in multiple buffer overflows, potentially resulting in code execution or memory disclosure.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-542-1, DSA-3620-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pidgin (PTS)jessie, jessie (lts)2.11.0-0+deb8u2fixed
stretch (security), stretch (lts), stretch2.12.0-1+deb9u1fixed
buster2.13.0-2fixed
bullseye2.14.1-1fixed
bookworm2.14.12-1fixed
sid, trixie2.14.13-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pidginsourcewheezy2.10.10-1~deb7u2DLA-542-1
pidginsourcejessie2.11.0-0+deb8u1DSA-3620-1
pidginsource(unstable)2.11.0-1

Notes

http://www.talosintel.com/reports/TALOS-2016-0136/
http://www.pidgin.im/news/security/?id=101
https://bitbucket.org/pidgin/main/commits/60f95045db42
https://bitbucket.org/pidgin/main/commits/f6efc254e947

Search for package or bug name: Reporting problems