CVE-2016-2371

NameCVE-2016-2371
DescriptionAn out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-542-1, DSA-3620-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pidgin (PTS)jessie, jessie (lts)2.11.0-0+deb8u2fixed
stretch (security), stretch (lts), stretch2.12.0-1+deb9u1fixed
buster2.13.0-2fixed
bullseye2.14.1-1fixed
bookworm2.14.12-1fixed
sid, trixie2.14.13-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pidginsourcewheezy2.10.10-1~deb7u2DLA-542-1
pidginsourcejessie2.11.0-0+deb8u1DSA-3620-1
pidginsource(unstable)2.11.0-1

Notes

http://www.talosintel.com/reports/TALOS-2016-0139/
http://www.pidgin.im/news/security/?id=104
https://bitbucket.org/pidgin/main/commits/f0287378203fbf496a9890bf273d96adefb93b74
Search for package or bug name: Reporting problems