For Debian 7 "Wheezy", these problems have been fixed in version
2.10.10-1~deb7u2.
We recommend that you upgrade your pidgin packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
{"nessus": [{"lastseen": "2021-01-07T09:00:48", "description": "According to the versions of the pidgin package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - An information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n via the server could potentially result in an\n out-of-bounds read. A malicious user, server, or\n man-in-the-middle can send an invalid size for an\n avatar which will trigger an out-of-bounds read\n vulnerability. This could result in a denial of service\n or copy data from memory to the file, resulting in an\n information leak if the avatar is sent to another\n user.(CVE-2016-2367)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent from the server could\n potentially result in an out-of-bounds read. A\n malicious server or man-in-the-middle attacker can send\n invalid data to trigger this\n vulnerability.(CVE-2016-2370)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in a null pointer dereference. A malicious\n server or an attacker who intercepts the network\n traffic can send invalid data to trigger this\n vulnerability and cause a crash.(CVE-2016-2365)\n\n - A buffer overflow vulnerability exists in the handling\n of the MXIT protocol Pidgin. Specially crafted data\n sent via the server could potentially result in a\n buffer overflow, potentially resulting in memory\n corruption. A malicious server or an unfiltered\n malicious user can send negative length values to\n trigger this vulnerability.(CVE-2016-2378)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in an out-of-bounds read. A malicious server or\n an attacker who intercepts the network traffic can send\n invalid data to trigger this vulnerability and cause a\n crash.(CVE-2016-2366 )\n\n - Multiple memory corruption vulnerabilities exist in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could result in\n multiple buffer overflows, potentially resulting in\n code execution or memory disclosure.(CVE-2016-2368)\n\n - A NULL pointer dereference vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in a denial of service vulnerability. A\n malicious server can send a packet starting with a NULL\n byte triggering the vulnerability.(CVE-2016-2369)\n\n - An out-of-bounds write vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could cause\n memory corruption resulting in code\n execution.(CVE-2016-2371)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in an out-of-bounds read. A malicious server or\n user can send an invalid mood to trigger this\n vulnerability.(CVE-2016-2373)\n\n - An exploitable memory corruption vulnerability exists\n in the handling of the MXIT protocol in Pidgin.\n Specially crafted MXIT MultiMX message sent via the\n server can result in an out-of-bounds write leading to\n memory disclosure and code execution.(CVE-2016-2374)\n\n - An exploitable out-of-bounds read exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT contact information sent from the server\n can result in memory disclosure.(CVE-2016-2375)\n\n - A buffer overflow vulnerability exists in the handling\n of the MXIT protocol in Pidgin. Specially crafted MXIT\n data sent from the server could potentially result in\n arbitrary code execution. A malicious server or an\n attacker who intercepts the network traffic can send an\n invalid size for a packet which will trigger a buffer\n overflow.(CVE-2016-2376)\n\n - A buffer overflow vulnerability exists in the handling\n of the MXIT protocol in Pidgin. Specially crafted MXIT\n data sent by the server could potentially result in an\n out-of-bounds write of one byte. A malicious server can\n send a negative content-length in response to a HTTP\n request triggering the vulnerability.(CVE-2016-2377)\n\n - An information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent to\n the server could potentially result in an out-of-bounds\n read. A user could be convinced to enter a particular\n string which would then get converted incorrectly and\n could lead to a potential out-of-bounds\n read.(CVE-2016-2380)\n\n - A directory traversal exists in the handling of the\n MXIT protocol in Pidgin. Specially crafted MXIT data\n sent from the server could potentially result in an\n overwrite of files. A malicious server or someone with\n access to the network traffic can provide an invalid\n filename for a splash image triggering the\n vulnerability.(CVE-2016-4323)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 10, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-12-10T00:00:00", "title": "EulerOS 2.0 SP2 : pidgin (EulerOS-SA-2019-2387)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "modified": "2019-12-10T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:libpurple", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2387.NASL", "href": "https://www.tenable.com/plugins/nessus/131879", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131879);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-2365\",\n \"CVE-2016-2366\",\n \"CVE-2016-2367\",\n \"CVE-2016-2368\",\n \"CVE-2016-2369\",\n \"CVE-2016-2370\",\n \"CVE-2016-2371\",\n \"CVE-2016-2373\",\n \"CVE-2016-2374\",\n \"CVE-2016-2375\",\n \"CVE-2016-2376\",\n \"CVE-2016-2377\",\n \"CVE-2016-2378\",\n \"CVE-2016-2380\",\n \"CVE-2016-4323\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : pidgin (EulerOS-SA-2019-2387)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the pidgin package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - An information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n via the server could potentially result in an\n out-of-bounds read. A malicious user, server, or\n man-in-the-middle can send an invalid size for an\n avatar which will trigger an out-of-bounds read\n vulnerability. This could result in a denial of service\n or copy data from memory to the file, resulting in an\n information leak if the avatar is sent to another\n user.(CVE-2016-2367)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent from the server could\n potentially result in an out-of-bounds read. A\n malicious server or man-in-the-middle attacker can send\n invalid data to trigger this\n vulnerability.(CVE-2016-2370)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in a null pointer dereference. A malicious\n server or an attacker who intercepts the network\n traffic can send invalid data to trigger this\n vulnerability and cause a crash.(CVE-2016-2365)\n\n - A buffer overflow vulnerability exists in the handling\n of the MXIT protocol Pidgin. Specially crafted data\n sent via the server could potentially result in a\n buffer overflow, potentially resulting in memory\n corruption. A malicious server or an unfiltered\n malicious user can send negative length values to\n trigger this vulnerability.(CVE-2016-2378)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in an out-of-bounds read. A malicious server or\n an attacker who intercepts the network traffic can send\n invalid data to trigger this vulnerability and cause a\n crash.(CVE-2016-2366 )\n\n - Multiple memory corruption vulnerabilities exist in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could result in\n multiple buffer overflows, potentially resulting in\n code execution or memory disclosure.(CVE-2016-2368)\n\n - A NULL pointer dereference vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in a denial of service vulnerability. A\n malicious server can send a packet starting with a NULL\n byte triggering the vulnerability.(CVE-2016-2369)\n\n - An out-of-bounds write vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could cause\n memory corruption resulting in code\n execution.(CVE-2016-2371)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in an out-of-bounds read. A malicious server or\n user can send an invalid mood to trigger this\n vulnerability.(CVE-2016-2373)\n\n - An exploitable memory corruption vulnerability exists\n in the handling of the MXIT protocol in Pidgin.\n Specially crafted MXIT MultiMX message sent via the\n server can result in an out-of-bounds write leading to\n memory disclosure and code execution.(CVE-2016-2374)\n\n - An exploitable out-of-bounds read exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT contact information sent from the server\n can result in memory disclosure.(CVE-2016-2375)\n\n - A buffer overflow vulnerability exists in the handling\n of the MXIT protocol in Pidgin. Specially crafted MXIT\n data sent from the server could potentially result in\n arbitrary code execution. A malicious server or an\n attacker who intercepts the network traffic can send an\n invalid size for a packet which will trigger a buffer\n overflow.(CVE-2016-2376)\n\n - A buffer overflow vulnerability exists in the handling\n of the MXIT protocol in Pidgin. Specially crafted MXIT\n data sent by the server could potentially result in an\n out-of-bounds write of one byte. A malicious server can\n send a negative content-length in response to a HTTP\n request triggering the vulnerability.(CVE-2016-2377)\n\n - An information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent to\n the server could potentially result in an out-of-bounds\n read. A user could be convinced to enter a particular\n string which would then get converted incorrectly and\n could lead to a potential out-of-bounds\n read.(CVE-2016-2380)\n\n - A directory traversal exists in the handling of the\n MXIT protocol in Pidgin. Specially crafted MXIT data\n sent from the server could potentially result in an\n overwrite of files. A malicious server or someone with\n access to the network traffic can provide an invalid\n filename for a splash image triggering the\n vulnerability.(CVE-2016-4323)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2387\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?605161f0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected pidgin packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libpurple\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"libpurple-2.10.11-5.h3\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"pidgin\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T09:01:39", "description": "According to the versions of the pidgin package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A buffer overflow vulnerability exists in the handling\n of the MXIT protocol in Pidgin. Specially crafted MXIT\n data sent by the server could potentially result in an\n out-of-bounds write of one byte. A malicious server can\n send a negative content-length in response to a HTTP\n request triggering the vulnerability.(CVE-2016-2377)\n\n - A buffer overflow vulnerability exists in the handling\n of the MXIT protocol in Pidgin. Specially crafted MXIT\n data sent from the server could potentially result in\n arbitrary code execution. A malicious server or an\n attacker who intercepts the network traffic can send an\n invalid size for a packet which will trigger a buffer\n overflow.(CVE-2016-2376)\n\n - A buffer overflow vulnerability exists in the handling\n of the MXIT protocol Pidgin. Specially crafted data\n sent via the server could potentially result in a\n buffer overflow, potentially resulting in memory\n corruption. A malicious server or an unfiltered\n malicious user can send negative length values to\n trigger this vulnerability.(CVE-2016-2378)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent from the server could\n potentially result in an out-of-bounds read. A\n malicious server or man-in-the-middle attacker can send\n invalid data to trigger this\n vulnerability.(CVE-2016-2370)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in a null pointer dereference. A malicious\n server or an attacker who intercepts the network\n traffic can send invalid data to trigger this\n vulnerability and cause a crash.(CVE-2016-2365)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in an out-of-bounds read. A malicious server or\n an attacker who intercepts the network traffic can send\n invalid data to trigger this vulnerability and cause a\n crash.(CVE-2016-2366)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in an out-of-bounds read. A malicious server or\n user can send an invalid mood to trigger this\n vulnerability.(CVE-2016-2373)\n\n - A directory traversal exists in the handling of the\n MXIT protocol in Pidgin. Specially crafted MXIT data\n sent from the server could potentially result in an\n overwrite of files. A malicious server or someone with\n access to the network traffic can provide an invalid\n filename for a splash image triggering the\n vulnerability.(CVE-2016-4323)\n\n - A NULL pointer dereference vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in a denial of service vulnerability. A\n malicious server can send a packet starting with a NULL\n byte triggering the vulnerability.(CVE-2016-2369)\n\n - An exploitable memory corruption vulnerability exists\n in the handling of the MXIT protocol in Pidgin.\n Specially crafted MXIT MultiMX message sent via the\n server can result in an out-of-bounds write leading to\n memory disclosure and code execution.(CVE-2016-2374)\n\n - An exploitable out-of-bounds read exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT contact information sent from the server\n can result in memory disclosure.(CVE-2016-2375)\n\n - An information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent to\n the server could potentially result in an out-of-bounds\n read. A user could be convinced to enter a particular\n string which would then get converted incorrectly and\n could lead to a potential out-of-bounds\n read.(CVE-2016-2380)\n\n - An information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n via the server could potentially result in an\n out-of-bounds read. A malicious user, server, or\n man-in-the-middle attacker can send an invalid size for\n a file transfer which will trigger an out-of-bounds\n read vulnerability. This could result in a denial of\n service or copy data from memory to the file, resulting\n in an information leak if the file is sent to another\n user.(CVE-2016-2372)\n\n - An information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n via the server could potentially result in an\n out-of-bounds read. A malicious user, server, or\n man-in-the-middle can send an invalid size for an\n avatar which will trigger an out-of-bounds read\n vulnerability. This could result in a denial of service\n or copy data from memory to the file, resulting in an\n information leak if the avatar is sent to another\n user.(CVE-2016-2367)\n\n - An out-of-bounds write vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could cause\n memory corruption resulting in code\n execution.(CVE-2016-2371)\n\n - Multiple memory corruption vulnerabilities exist in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could result in\n multiple buffer overflows, potentially resulting in\n code execution or memory disclosure.(CVE-2016-2368)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 10, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-12-18T00:00:00", "title": "EulerOS 2.0 SP3 : pidgin (EulerOS-SA-2019-2650)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "modified": "2019-12-18T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:libpurple", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2650.NASL", "href": "https://www.tenable.com/plugins/nessus/132185", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132185);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-2365\",\n \"CVE-2016-2366\",\n \"CVE-2016-2367\",\n \"CVE-2016-2368\",\n \"CVE-2016-2369\",\n \"CVE-2016-2370\",\n \"CVE-2016-2371\",\n \"CVE-2016-2372\",\n \"CVE-2016-2373\",\n \"CVE-2016-2374\",\n \"CVE-2016-2375\",\n \"CVE-2016-2376\",\n \"CVE-2016-2377\",\n \"CVE-2016-2378\",\n \"CVE-2016-2380\",\n \"CVE-2016-4323\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : pidgin (EulerOS-SA-2019-2650)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the pidgin package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A buffer overflow vulnerability exists in the handling\n of the MXIT protocol in Pidgin. Specially crafted MXIT\n data sent by the server could potentially result in an\n out-of-bounds write of one byte. A malicious server can\n send a negative content-length in response to a HTTP\n request triggering the vulnerability.(CVE-2016-2377)\n\n - A buffer overflow vulnerability exists in the handling\n of the MXIT protocol in Pidgin. Specially crafted MXIT\n data sent from the server could potentially result in\n arbitrary code execution. A malicious server or an\n attacker who intercepts the network traffic can send an\n invalid size for a packet which will trigger a buffer\n overflow.(CVE-2016-2376)\n\n - A buffer overflow vulnerability exists in the handling\n of the MXIT protocol Pidgin. Specially crafted data\n sent via the server could potentially result in a\n buffer overflow, potentially resulting in memory\n corruption. A malicious server or an unfiltered\n malicious user can send negative length values to\n trigger this vulnerability.(CVE-2016-2378)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent from the server could\n potentially result in an out-of-bounds read. A\n malicious server or man-in-the-middle attacker can send\n invalid data to trigger this\n vulnerability.(CVE-2016-2370)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in a null pointer dereference. A malicious\n server or an attacker who intercepts the network\n traffic can send invalid data to trigger this\n vulnerability and cause a crash.(CVE-2016-2365)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in an out-of-bounds read. A malicious server or\n an attacker who intercepts the network traffic can send\n invalid data to trigger this vulnerability and cause a\n crash.(CVE-2016-2366)\n\n - A denial of service vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in an out-of-bounds read. A malicious server or\n user can send an invalid mood to trigger this\n vulnerability.(CVE-2016-2373)\n\n - A directory traversal exists in the handling of the\n MXIT protocol in Pidgin. Specially crafted MXIT data\n sent from the server could potentially result in an\n overwrite of files. A malicious server or someone with\n access to the network traffic can provide an invalid\n filename for a splash image triggering the\n vulnerability.(CVE-2016-4323)\n\n - A NULL pointer dereference vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in a denial of service vulnerability. A\n malicious server can send a packet starting with a NULL\n byte triggering the vulnerability.(CVE-2016-2369)\n\n - An exploitable memory corruption vulnerability exists\n in the handling of the MXIT protocol in Pidgin.\n Specially crafted MXIT MultiMX message sent via the\n server can result in an out-of-bounds write leading to\n memory disclosure and code execution.(CVE-2016-2374)\n\n - An exploitable out-of-bounds read exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT contact information sent from the server\n can result in memory disclosure.(CVE-2016-2375)\n\n - An information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent to\n the server could potentially result in an out-of-bounds\n read. A user could be convinced to enter a particular\n string which would then get converted incorrectly and\n could lead to a potential out-of-bounds\n read.(CVE-2016-2380)\n\n - An information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n via the server could potentially result in an\n out-of-bounds read. A malicious user, server, or\n man-in-the-middle attacker can send an invalid size for\n a file transfer which will trigger an out-of-bounds\n read vulnerability. This could result in a denial of\n service or copy data from memory to the file, resulting\n in an information leak if the file is sent to another\n user.(CVE-2016-2372)\n\n - An information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n via the server could potentially result in an\n out-of-bounds read. A malicious user, server, or\n man-in-the-middle can send an invalid size for an\n avatar which will trigger an out-of-bounds read\n vulnerability. This could result in a denial of service\n or copy data from memory to the file, resulting in an\n information leak if the avatar is sent to another\n user.(CVE-2016-2367)\n\n - An out-of-bounds write vulnerability exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could cause\n memory corruption resulting in code\n execution.(CVE-2016-2371)\n\n - Multiple memory corruption vulnerabilities exist in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could result in\n multiple buffer overflows, potentially resulting in\n code execution or memory disclosure.(CVE-2016-2368)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2650\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?87d81564\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected pidgin packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libpurple\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"libpurple-2.10.11-5.h2\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"pidgin\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:43:53", "description": "Numerous security issues have been identified and fixed in Pidgin in\nDebian/Wheezy.\n\nCVE-2016-2365\n\nMXIT Markup Command Denial of Service Vulnerability\n\nCVE-2016-2366\n\nMXIT Table Command Denial of Service Vulnerability\n\nCVE-2016-2367\n\nMXIT Avatar Length Memory Disclosure Vulnerability\n\nCVE-2016-2368\n\nMXIT g_snprintf Multiple Buffer Overflow Vulnerabilities\n\nCVE-2016-2369\n\nMXIT CP_SOCK_REC_TERM Denial of Service Vulnerability\n\nCVE-2016-2370\n\nMXIT Custom Resource Denial of Service Vulnerability\n\nCVE-2016-2371\n\nMXIT Extended Profiles Code Execution Vulnerability\n\nCVE-2016-2372\n\nMXIT File Transfer Length Memory Disclosure Vulnerability\n\nCVE-2016-2373\n\nMXIT Contact Mood Denial of Service Vulnerability\n\nCVE-2016-2374\n\nMXIT MultiMX Message Code Execution Vulnerability\n\nCVE-2016-2375\n\nMXIT Suggested Contacts Memory Disclosure Vulnerability\n\nCVE-2016-2376\n\nMXIT read stage 0x3 Code Execution Vulnerability\n\nCVE-2016-2377\n\nMXIT HTTP Content-Length Buffer Overflow Vulnerability\n\nCVE-2016-2378\n\nMXIT get_utf8_string Code Execution Vulnerability\n\nCVE-2016-2380\n\nMXIT mxit_convert_markup_tx Information Leak Vulnerability\n\nCVE-2016-4323\n\nMXIT Splash Image Arbitrary File Overwrite Vulnerability\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n2.10.10-1~deb7u2.\n\nWe recommend that you upgrade your pidgin packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 24, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-07-05T00:00:00", "title": "Debian DLA-542-1 : pidgin security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "modified": "2016-07-05T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:finch", "p-cpe:/a:debian:debian_linux:libpurple-dev", "p-cpe:/a:debian:debian_linux:libpurple0", "p-cpe:/a:debian:debian_linux:pidgin-data", "p-cpe:/a:debian:debian_linux:libpurple-bin", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:pidgin-dev", "p-cpe:/a:debian:debian_linux:pidgin-dbg", "p-cpe:/a:debian:debian_linux:pidgin", "p-cpe:/a:debian:debian_linux:finch-dev"], "id": "DEBIAN_DLA-542.NASL", "href": "https://www.tenable.com/plugins/nessus/91922", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-542-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91922);\n script_version(\"2.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-2365\", \"CVE-2016-2366\", \"CVE-2016-2367\", \"CVE-2016-2368\", \"CVE-2016-2369\", \"CVE-2016-2370\", \"CVE-2016-2371\", \"CVE-2016-2372\", \"CVE-2016-2373\", \"CVE-2016-2374\", \"CVE-2016-2375\", \"CVE-2016-2376\", \"CVE-2016-2377\", \"CVE-2016-2378\", \"CVE-2016-2380\", \"CVE-2016-4323\");\n\n script_name(english:\"Debian DLA-542-1 : pidgin security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Numerous security issues have been identified and fixed in Pidgin in\nDebian/Wheezy.\n\nCVE-2016-2365\n\nMXIT Markup Command Denial of Service Vulnerability\n\nCVE-2016-2366\n\nMXIT Table Command Denial of Service Vulnerability\n\nCVE-2016-2367\n\nMXIT Avatar Length Memory Disclosure Vulnerability\n\nCVE-2016-2368\n\nMXIT g_snprintf Multiple Buffer Overflow Vulnerabilities\n\nCVE-2016-2369\n\nMXIT CP_SOCK_REC_TERM Denial of Service Vulnerability\n\nCVE-2016-2370\n\nMXIT Custom Resource Denial of Service Vulnerability\n\nCVE-2016-2371\n\nMXIT Extended Profiles Code Execution Vulnerability\n\nCVE-2016-2372\n\nMXIT File Transfer Length Memory Disclosure Vulnerability\n\nCVE-2016-2373\n\nMXIT Contact Mood Denial of Service Vulnerability\n\nCVE-2016-2374\n\nMXIT MultiMX Message Code Execution Vulnerability\n\nCVE-2016-2375\n\nMXIT Suggested Contacts Memory Disclosure Vulnerability\n\nCVE-2016-2376\n\nMXIT read stage 0x3 Code Execution Vulnerability\n\nCVE-2016-2377\n\nMXIT HTTP Content-Length Buffer Overflow Vulnerability\n\nCVE-2016-2378\n\nMXIT get_utf8_string Code Execution Vulnerability\n\nCVE-2016-2380\n\nMXIT mxit_convert_markup_tx Information Leak Vulnerability\n\nCVE-2016-4323\n\nMXIT Splash Image Arbitrary File Overwrite Vulnerability\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n2.10.10-1~deb7u2.\n\nWe recommend that you upgrade your pidgin packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/07/msg00003.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/pidgin\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:finch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:finch-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpurple-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpurple-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpurple0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:pidgin-data\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:pidgin-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:pidgin-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"finch\", reference:\"2.10.10-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"finch-dev\", reference:\"2.10.10-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libpurple-bin\", reference:\"2.10.10-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libpurple-dev\", reference:\"2.10.10-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libpurple0\", reference:\"2.10.10-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"pidgin\", reference:\"2.10.10-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"pidgin-data\", reference:\"2.10.10-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"pidgin-dbg\", reference:\"2.10.10-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"pidgin-dev\", reference:\"2.10.10-1~deb7u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:49:42", "description": "Yves Younan of Cisco Talos discovered several vulnerabilities in the\nMXit protocol support in pidgin, a multi-protocol instant messaging\nclient. A remote attacker can take advantage of these flaws to cause a\ndenial of service (application crash), overwrite files, information\ndisclosure, or potentially to execute arbitrary code.", "edition": 30, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-07-18T00:00:00", "title": "Debian DSA-3620-1 : pidgin - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "modified": "2016-07-18T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:pidgin"], "id": "DEBIAN_DSA-3620.NASL", "href": "https://www.tenable.com/plugins/nessus/92328", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3620. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92328);\n script_version(\"2.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-2365\", \"CVE-2016-2366\", \"CVE-2016-2367\", \"CVE-2016-2368\", \"CVE-2016-2369\", \"CVE-2016-2370\", \"CVE-2016-2371\", \"CVE-2016-2372\", \"CVE-2016-2373\", \"CVE-2016-2374\", \"CVE-2016-2375\", \"CVE-2016-2376\", \"CVE-2016-2377\", \"CVE-2016-2378\", \"CVE-2016-2380\", \"CVE-2016-4323\");\n script_xref(name:\"DSA\", value:\"3620\");\n\n script_name(english:\"Debian DSA-3620-1 : pidgin - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yves Younan of Cisco Talos discovered several vulnerabilities in the\nMXit protocol support in pidgin, a multi-protocol instant messaging\nclient. A remote attacker can take advantage of these flaws to cause a\ndenial of service (application crash), overwrite files, information\ndisclosure, or potentially to execute arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/pidgin\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3620\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the pidgin packages.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 2.11.0-0+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"finch\", reference:\"2.11.0-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"finch-dev\", reference:\"2.11.0-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpurple-bin\", reference:\"2.11.0-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpurple-dev\", reference:\"2.11.0-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpurple0\", reference:\"2.11.0-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"pidgin\", reference:\"2.11.0-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"pidgin-data\", reference:\"2.11.0-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"pidgin-dbg\", reference:\"2.11.0-0+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"pidgin-dev\", reference:\"2.11.0-0+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T07:21:35", "description": "Yves Younan discovered that Pidgin contained multiple issues in the\nMXit protocol support. A remote attacker could use this issue to cause\nPidgin to crash, resulting in a denial of service, or possibly execute\narbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 34, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-07-13T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : pidgin vulnerabilities (USN-3031-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libpurple0", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3031-1.NASL", "href": "https://www.tenable.com/plugins/nessus/92033", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3031-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92033);\n script_version(\"2.16\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-2365\", \"CVE-2016-2366\", \"CVE-2016-2367\", \"CVE-2016-2368\", \"CVE-2016-2369\", \"CVE-2016-2370\", \"CVE-2016-2371\", \"CVE-2016-2372\", \"CVE-2016-2373\", \"CVE-2016-2374\", \"CVE-2016-2375\", \"CVE-2016-2376\", \"CVE-2016-2377\", \"CVE-2016-2378\", \"CVE-2016-2380\", \"CVE-2016-4323\");\n script_xref(name:\"USN\", value:\"3031-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : pidgin vulnerabilities (USN-3031-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yves Younan discovered that Pidgin contained multiple issues in the\nMXit protocol support. A remote attacker could use this issue to cause\nPidgin to crash, resulting in a denial of service, or possibly execute\narbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3031-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libpurple0 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpurple0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|14\\.04|15\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 15.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"libpurple0\", pkgver:\"1:2.10.3-0ubuntu1.7\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libpurple0\", pkgver:\"1:2.10.9-0ubuntu3.3\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"libpurple0\", pkgver:\"1:2.10.11-0ubuntu4.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libpurple0\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T09:00:01", "description": "According to the versions of the pidgin package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Pidgin is an instant messaging program which can log in\n to multiple accounts on multiple instant messaging\n networks simultaneously.Security Fix(es):A buffer\n overflow vulnerability exists in the handling of the\n MXIT protocol Pidgin. Specially crafted data sent via\n the server could potentially result in a buffer\n overflow, potentially resulting in memory corruption. A\n malicious server or an unfiltered malicious user can\n send negative length values to trigger this\n vulnerability.(CVE-2016-2378)A buffer overflow\n vulnerability exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n from the server could potentially result in arbitrary\n code execution. A malicious server or an attacker who\n intercepts the network traffic can send an invalid size\n for a packet which will trigger a buffer\n overflow.(CVE-2016-2376)An exploitable out-of-bounds\n read exists in the handling of the MXIT protocol in\n Pidgin. Specially crafted MXIT contact information sent\n from the server can result in memory\n disclosure.(CVE-2016-2375)An exploitable memory\n corruption vulnerability exists in the handling of the\n MXIT protocol in Pidgin. Specially crafted MXIT MultiMX\n message sent via the server can result in an\n out-of-bounds write leading to memory disclosure and\n code execution.(CVE-2016-2374)A buffer overflow\n vulnerability exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent by\n the server could potentially result in an out-of-bounds\n write of one byte. A malicious server can send a\n negative content-length in response to a HTTP request\n triggering the vulnerability.(CVE-2016-2377)A denial of\n service vulnerability exists in the handling of the\n MXIT protocol in Pidgin. Specially crafted MXIT data\n sent via the server could potentially result in an\n out-of-bounds read. A malicious server or user can send\n an invalid mood to trigger this\n vulnerability.(CVE-2016-2373)An out-of-bounds write\n vulnerability exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n via the server could cause memory corruption resulting\n in code execution.(CVE-2016-2371)A directory traversal\n exists in the handling of the MXIT protocol in Pidgin.\n Specially crafted MXIT data sent from the server could\n potentially result in an overwrite of files. A\n malicious server or someone with access to the network\n traffic can provide an invalid filename for a splash\n image triggering the vulnerability.(CVE-2016-4323)An\n information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent to\n the server could potentially result in an out-of-bounds\n read. A user could be convinced to enter a particular\n string which would then get converted incorrectly and\n could lead to a potential out-of-bounds\n read.(CVE-2016-2380)An information leak exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in an out-of-bounds read. A malicious user,\n server, or man-in-the-middle attacker can send an\n invalid size for a file transfer which will trigger an\n out-of-bounds read vulnerability. This could result in\n a denial of service or copy data from memory to the\n file, resulting in an information leak if the file is\n sent to another user.(CVE-2016-2372)A NULL pointer\n dereference vulnerability exists in the handling of the\n MXIT protocol in Pidgin. Specially crafted MXIT data\n sent via the server could potentially result in a\n denial of service vulnerability. A malicious server can\n send a packet starting with a NULL byte triggering the\n vulnerability.(CVE-2016-2369)A denial of service\n vulnerability exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n from the server could potentially result in an\n out-of-bounds read. A malicious server or\n man-in-the-middle attacker can send invalid data to\n trigger this vulnerability.(CVE-2016-2370)A denial of\n service vulnerability exists in the handling of the\n MXIT protocol in Pidgin. Specially crafted MXIT data\n sent via the server could potentially result in a null\n pointer dereference. A malicious server or an attacker\n who intercepts the network traffic can send invalid\n data to trigger this vulnerability and cause a\n crash.(CVE-2016-2365)A denial of service vulnerability\n exists in the handling of the MXIT protocol in Pidgin.\n Specially crafted MXIT data sent via the server could\n potentially result in an out-of-bounds read. A\n malicious server or an attacker who intercepts the\n network traffic can send invalid data to trigger this\n vulnerability and cause a crash.(CVE-2016-2366)An\n information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n via the server could potentially result in an\n out-of-bounds read. A malicious user, server, or\n man-in-the-middle can send an invalid size for an\n avatar which will trigger an out-of-bounds read\n vulnerability. This could result in a denial of service\n or copy data from memory to the file, resulting in an\n information leak if the avatar is sent to another\n user.(CVE-2016-2367)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 12, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-11-08T00:00:00", "title": "EulerOS 2.0 SP5 : pidgin (EulerOS-SA-2019-2222)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "modified": "2019-11-08T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:libpurple", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2222.NASL", "href": "https://www.tenable.com/plugins/nessus/130684", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(130684);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-2365\",\n \"CVE-2016-2366\",\n \"CVE-2016-2367\",\n \"CVE-2016-2369\",\n \"CVE-2016-2370\",\n \"CVE-2016-2371\",\n \"CVE-2016-2372\",\n \"CVE-2016-2373\",\n \"CVE-2016-2374\",\n \"CVE-2016-2375\",\n \"CVE-2016-2376\",\n \"CVE-2016-2377\",\n \"CVE-2016-2378\",\n \"CVE-2016-2380\",\n \"CVE-2016-4323\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : pidgin (EulerOS-SA-2019-2222)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the pidgin package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Pidgin is an instant messaging program which can log in\n to multiple accounts on multiple instant messaging\n networks simultaneously.Security Fix(es):A buffer\n overflow vulnerability exists in the handling of the\n MXIT protocol Pidgin. Specially crafted data sent via\n the server could potentially result in a buffer\n overflow, potentially resulting in memory corruption. A\n malicious server or an unfiltered malicious user can\n send negative length values to trigger this\n vulnerability.(CVE-2016-2378)A buffer overflow\n vulnerability exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n from the server could potentially result in arbitrary\n code execution. A malicious server or an attacker who\n intercepts the network traffic can send an invalid size\n for a packet which will trigger a buffer\n overflow.(CVE-2016-2376)An exploitable out-of-bounds\n read exists in the handling of the MXIT protocol in\n Pidgin. Specially crafted MXIT contact information sent\n from the server can result in memory\n disclosure.(CVE-2016-2375)An exploitable memory\n corruption vulnerability exists in the handling of the\n MXIT protocol in Pidgin. Specially crafted MXIT MultiMX\n message sent via the server can result in an\n out-of-bounds write leading to memory disclosure and\n code execution.(CVE-2016-2374)A buffer overflow\n vulnerability exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent by\n the server could potentially result in an out-of-bounds\n write of one byte. A malicious server can send a\n negative content-length in response to a HTTP request\n triggering the vulnerability.(CVE-2016-2377)A denial of\n service vulnerability exists in the handling of the\n MXIT protocol in Pidgin. Specially crafted MXIT data\n sent via the server could potentially result in an\n out-of-bounds read. A malicious server or user can send\n an invalid mood to trigger this\n vulnerability.(CVE-2016-2373)An out-of-bounds write\n vulnerability exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n via the server could cause memory corruption resulting\n in code execution.(CVE-2016-2371)A directory traversal\n exists in the handling of the MXIT protocol in Pidgin.\n Specially crafted MXIT data sent from the server could\n potentially result in an overwrite of files. A\n malicious server or someone with access to the network\n traffic can provide an invalid filename for a splash\n image triggering the vulnerability.(CVE-2016-4323)An\n information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent to\n the server could potentially result in an out-of-bounds\n read. A user could be convinced to enter a particular\n string which would then get converted incorrectly and\n could lead to a potential out-of-bounds\n read.(CVE-2016-2380)An information leak exists in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could potentially\n result in an out-of-bounds read. A malicious user,\n server, or man-in-the-middle attacker can send an\n invalid size for a file transfer which will trigger an\n out-of-bounds read vulnerability. This could result in\n a denial of service or copy data from memory to the\n file, resulting in an information leak if the file is\n sent to another user.(CVE-2016-2372)A NULL pointer\n dereference vulnerability exists in the handling of the\n MXIT protocol in Pidgin. Specially crafted MXIT data\n sent via the server could potentially result in a\n denial of service vulnerability. A malicious server can\n send a packet starting with a NULL byte triggering the\n vulnerability.(CVE-2016-2369)A denial of service\n vulnerability exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n from the server could potentially result in an\n out-of-bounds read. A malicious server or\n man-in-the-middle attacker can send invalid data to\n trigger this vulnerability.(CVE-2016-2370)A denial of\n service vulnerability exists in the handling of the\n MXIT protocol in Pidgin. Specially crafted MXIT data\n sent via the server could potentially result in a null\n pointer dereference. A malicious server or an attacker\n who intercepts the network traffic can send invalid\n data to trigger this vulnerability and cause a\n crash.(CVE-2016-2365)A denial of service vulnerability\n exists in the handling of the MXIT protocol in Pidgin.\n Specially crafted MXIT data sent via the server could\n potentially result in an out-of-bounds read. A\n malicious server or an attacker who intercepts the\n network traffic can send invalid data to trigger this\n vulnerability and cause a crash.(CVE-2016-2366)An\n information leak exists in the handling of the MXIT\n protocol in Pidgin. Specially crafted MXIT data sent\n via the server could potentially result in an\n out-of-bounds read. A malicious user, server, or\n man-in-the-middle can send an invalid size for an\n avatar which will trigger an out-of-bounds read\n vulnerability. This could result in a denial of service\n or copy data from memory to the file, resulting in an\n information leak if the avatar is sent to another\n user.(CVE-2016-2367)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2222\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?02e21c73\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected pidgin packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libpurple\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"libpurple-2.10.11-7.h4.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"pidgin\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T05:20:24", "description": "The version of Pidgin installed on the remote Windows host is prior to \n2.11.0. It is, therefore, affected by multiple vulnerabilities :\n\n - A NULL pointer dereference flaw exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted MXIT data, to cause a denial of service.\n (CVE-2016-2365)\n\n - Multiple out-of-bounds read errors exist when handling\n the MXIT protocol. A remote attacker can exploit these,\n via crafted MXIT data, to cause a denial of service.\n (CVE-2016-2366, CVE-2016-2370)\n\n - An out-of-bounds read error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n an invalid size for an avatar, to disclose memory\n contents or cause a denial of service. (CVE-2016-2367)\n\n - Multiple memory corruption issues exist when handling\n the MXIT protocol. A remote attacker can exploit these,\n via crafted MXIT data, to disclose memory contents or\n execute arbitrary code. (CVE-2016-2368)\n\n - A NULL pointer dereference flaw exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted MXIT packet starting with a NULL byte, to cause\n a denial of service. (CVE-2016-2369)\n\n - An out-of-bounds write error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted MXIT data, to corrupt memory, resulting in the\n execution of arbitrary code. (CVE-2016-2371)\n\n - An out-of-bounds read error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n an invalid size for a file transfer, to disclose memory\n contents or cause a denial of service. (CVE-2016-2372)\n\n - An out-of-bounds read error exists when handling the\n MXIT protocol. A remote attacker can exploit this, by\n sending an invalid mood, to cause a denial of service.\n (CVE-2016-2373)\n\n - An out-of-bounds write error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted MXIT MultiMX messages, to disclose memory\n contents or execute arbitrary code. (CVE-2016-2374)\n\n - An out-of-bounds read error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted MXIT contact information, to disclose memory\n contents. (CVE-2016-2375)\n\n - A buffer overflow condition exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n a crafted packet having an invalid size, to execute\n arbitrary code. (CVE-2016-2376)\n\n - An out-of-bounds write error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n a negative content-length response to an HTTP request,\n to cause a denial of service. (CVE-2016-2377)\n\n - A buffer overflow condition exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted data using negative length values, to cause a\n denial of service. (CVE-2016-2378)\n\n - A flaw exists in MXIT due to using weak cryptography\n when encrypting a user password. A man-in-the-middle\n attacker able to access login messages can exploit this\n to impersonate the user. (CVE-2016-2379)\n\n - An out-of-bounds read error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n a crafted local message, to disclose memory contents.\n (CVE-2016-2380)\n\n - A directory traversal flaw exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted MXIT data using an invalid file name for a\n splash image, to overwrite files. (CVE-2016-4323)\n\n - An unspecified vulnerability exists due to X.509\n certificates not being properly imported when using\n GnuTLS. No other details are available.", "edition": 30, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-06-23T00:00:00", "title": "Pidgin < 2.11.0 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2379", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:pidgin:pidgin"], "id": "PIDGIN_2_11_0.NASL", "href": "https://www.tenable.com/plugins/nessus/91784", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91784);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\n \"CVE-2016-2365\",\n \"CVE-2016-2366\",\n \"CVE-2016-2367\",\n \"CVE-2016-2368\",\n \"CVE-2016-2369\",\n \"CVE-2016-2370\",\n \"CVE-2016-2371\",\n \"CVE-2016-2372\",\n \"CVE-2016-2373\",\n \"CVE-2016-2374\",\n \"CVE-2016-2375\",\n \"CVE-2016-2376\",\n \"CVE-2016-2377\",\n \"CVE-2016-2378\",\n \"CVE-2016-2379\",\n \"CVE-2016-2380\",\n \"CVE-2016-4323\"\n );\n\n script_name(english:\"Pidgin < 2.11.0 Multiple Vulnerabilities\");\n script_summary(english:\"Performs a version check.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An instant messaging client installed on the remote host is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Pidgin installed on the remote Windows host is prior to \n2.11.0. It is, therefore, affected by multiple vulnerabilities :\n\n - A NULL pointer dereference flaw exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted MXIT data, to cause a denial of service.\n (CVE-2016-2365)\n\n - Multiple out-of-bounds read errors exist when handling\n the MXIT protocol. A remote attacker can exploit these,\n via crafted MXIT data, to cause a denial of service.\n (CVE-2016-2366, CVE-2016-2370)\n\n - An out-of-bounds read error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n an invalid size for an avatar, to disclose memory\n contents or cause a denial of service. (CVE-2016-2367)\n\n - Multiple memory corruption issues exist when handling\n the MXIT protocol. A remote attacker can exploit these,\n via crafted MXIT data, to disclose memory contents or\n execute arbitrary code. (CVE-2016-2368)\n\n - A NULL pointer dereference flaw exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted MXIT packet starting with a NULL byte, to cause\n a denial of service. (CVE-2016-2369)\n\n - An out-of-bounds write error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted MXIT data, to corrupt memory, resulting in the\n execution of arbitrary code. (CVE-2016-2371)\n\n - An out-of-bounds read error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n an invalid size for a file transfer, to disclose memory\n contents or cause a denial of service. (CVE-2016-2372)\n\n - An out-of-bounds read error exists when handling the\n MXIT protocol. A remote attacker can exploit this, by\n sending an invalid mood, to cause a denial of service.\n (CVE-2016-2373)\n\n - An out-of-bounds write error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted MXIT MultiMX messages, to disclose memory\n contents or execute arbitrary code. (CVE-2016-2374)\n\n - An out-of-bounds read error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted MXIT contact information, to disclose memory\n contents. (CVE-2016-2375)\n\n - A buffer overflow condition exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n a crafted packet having an invalid size, to execute\n arbitrary code. (CVE-2016-2376)\n\n - An out-of-bounds write error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n a negative content-length response to an HTTP request,\n to cause a denial of service. (CVE-2016-2377)\n\n - A buffer overflow condition exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted data using negative length values, to cause a\n denial of service. (CVE-2016-2378)\n\n - A flaw exists in MXIT due to using weak cryptography\n when encrypting a user password. A man-in-the-middle\n attacker able to access login messages can exploit this\n to impersonate the user. (CVE-2016-2379)\n\n - An out-of-bounds read error exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n a crafted local message, to disclose memory contents.\n (CVE-2016-2380)\n\n - A directory traversal flaw exists when handling the\n MXIT protocol. A remote attacker can exploit this, via\n crafted MXIT data using an invalid file name for a\n splash image, to overwrite files. (CVE-2016-4323)\n\n - An unspecified vulnerability exists due to X.509\n certificates not being properly imported when using\n GnuTLS. No other details are available.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=91\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=92\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=93\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=94\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=95\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=96\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=97\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=98\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=99\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=100\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=101\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=102\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=103\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=104\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=105\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=106\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=107\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.pidgin.im/news/security/?id=108\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Pidgin version 2.11.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-2368\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pidgin:pidgin\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pidgin_installed.nasl\");\n script_require_keys(\"SMB/Pidgin/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\npath = get_kb_item_or_exit(\"SMB/Pidgin/Path\");\nversion = get_kb_item_or_exit(\"SMB/Pidgin/Version\");\nfixed_version = '2.11.0';\n\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)\n{\n port = get_kb_item(\"SMB/transport\");\n if (empty_or_null(port)) port = 445;\n\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n\n security_report_v4(severity:SECURITY_HOLE, port:port, extra:report);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Pidgin\", version, path);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T11:05:38", "description": "The remote host is affected by the vulnerability described in GLSA-201701-38\n(Pidgin: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Pidgin. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker might send specially crafted data using the MXit\n protocol, possibly resulting in the remote execution of arbitrary code\n with the privileges of the process, a Denial of Service condition, or in\n leaking confidential information.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 28, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-17T00:00:00", "title": "GLSA-201701-38 : Pidgin: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2379", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-1000030", "CVE-2016-2366"], "modified": "2017-01-17T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:pidgin"], "id": "GENTOO_GLSA-201701-38.NASL", "href": "https://www.tenable.com/plugins/nessus/96542", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201701-38.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96542);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-1000030\", \"CVE-2016-2365\", \"CVE-2016-2366\", \"CVE-2016-2367\", \"CVE-2016-2368\", \"CVE-2016-2369\", \"CVE-2016-2370\", \"CVE-2016-2371\", \"CVE-2016-2372\", \"CVE-2016-2373\", \"CVE-2016-2374\", \"CVE-2016-2375\", \"CVE-2016-2376\", \"CVE-2016-2377\", \"CVE-2016-2378\", \"CVE-2016-2379\", \"CVE-2016-2380\", \"CVE-2016-4323\");\n script_xref(name:\"GLSA\", value:\"201701-38\");\n\n script_name(english:\"GLSA-201701-38 : Pidgin: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201701-38\n(Pidgin: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Pidgin. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker might send specially crafted data using the MXit\n protocol, possibly resulting in the remote execution of arbitrary code\n with the privileges of the process, a Denial of Service condition, or in\n leaking confidential information.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201701-38\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Pidgin users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-im/pidgin-2.11.0'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-im/pidgin\", unaffected:make_list(\"ge 2.11.0\"), vulnerable:make_list(\"lt 2.11.0\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Pidgin\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:59:22", "description": "According to the version of the pidgin package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - Multiple memory corruption vulnerabilities exist in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could result in\n multiple buffer overflows, potentially resulting in\n code execution or memory disclosure. (CVE-2016-2368)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 12, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-24T00:00:00", "title": "EulerOS 2.0 SP5 : pidgin (EulerOS-SA-2019-1985)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2368"], "modified": "2019-09-24T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:libpurple", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1985.NASL", "href": "https://www.tenable.com/plugins/nessus/129179", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(129179);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-2368\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : pidgin (EulerOS-SA-2019-1985)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the pidgin package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - Multiple memory corruption vulnerabilities exist in the\n handling of the MXIT protocol in Pidgin. Specially\n crafted MXIT data sent via the server could result in\n multiple buffer overflows, potentially resulting in\n code execution or memory disclosure. (CVE-2016-2368)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1985\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5da09ba5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected pidgin package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libpurple\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"libpurple-2.10.11-7.h2.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"pidgin\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-02-05T16:41:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-05T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192387", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192387", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for pidgin (EulerOS-SA-2019-2387)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2387\");\n script_version(\"2020-02-05T08:56:28+0000\");\n script_cve_id(\"CVE-2016-2365\", \"CVE-2016-2366\", \"CVE-2016-2367\", \"CVE-2016-2368\", \"CVE-2016-2369\", \"CVE-2016-2370\", \"CVE-2016-2371\", \"CVE-2016-2373\", \"CVE-2016-2374\", \"CVE-2016-2375\", \"CVE-2016-2376\", \"CVE-2016-2377\", \"CVE-2016-2378\", \"CVE-2016-2380\", \"CVE-2016-4323\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-05 08:56:28 +0000 (Wed, 05 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:52:44 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for pidgin (EulerOS-SA-2019-2387)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2387\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2387\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'pidgin' package(s) announced via the EulerOS-SA-2019-2387 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the avatar is sent to another user.(CVE-2016-2367)\n\nA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. A malicious server or man-in-the-middle attacker can send invalid data to trigger this vulnerability.(CVE-2016-2370)\n\nA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.(CVE-2016-2365)\n\nA buffer overflow vulnerability exists in the handling of the MXIT protocol Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negative length values to trigger this vulnerability.(CVE-2016-2378)\n\nA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.(CVE-2016-2366)\n\nMultiple memory corruption vulnerabilities exist in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could result in multiple buffer overflows, potentially resulting in code execution or memory disclosure.(CVE-2016-2368)\n\nA NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerability. A malicious server can send a packet starting with a NULL byte triggering the vulnerability.(CVE-2016-2369)\n\nAn out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.(CVE-2016-2371)\n\nA denial ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'pidgin' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libpurple\", rpm:\"libpurple~2.10.11~5.h3\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:54:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "description": "Yves Younan of Cisco Talos discovered\nseveral vulnerabilities in the MXit protocol support in pidgin, a multi-protocol\ninstant messaging client. A remote attacker can take advantage of these flaws to\ncause a denial of service (application crash), overwrite files, information\ndisclosure, or potentially to execute arbitrary code.", "modified": "2017-07-07T00:00:00", "published": "2016-07-15T00:00:00", "id": "OPENVAS:703620", "href": "http://plugins.openvas.org/nasl.php?oid=703620", "type": "openvas", "title": "Debian Security Advisory DSA 3620-1 (pidgin - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3620.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3620-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703620);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-2365\", \"CVE-2016-2366\", \"CVE-2016-2367\", \"CVE-2016-2368\",\n \"CVE-2016-2369\", \"CVE-2016-2370\", \"CVE-2016-2371\", \"CVE-2016-2372\",\n \"CVE-2016-2373\", \"CVE-2016-2374\", \"CVE-2016-2375\", \"CVE-2016-2376\",\n \"CVE-2016-2377\", \"CVE-2016-2378\", \"CVE-2016-2380\", \"CVE-2016-4323\");\n script_name(\"Debian Security Advisory DSA 3620-1 (pidgin - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-07-15 00:00:00 +0200 (Fri, 15 Jul 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3620.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"pidgin on Debian Linux\");\n script_tag(name: \"insight\", value: \"Pidgin is a graphical, modular instant\nmessaging client capable of using multiple networks at once. Currently supported\nare: AIM/ICQ, Yahoo!, MSN, IRC, Jabber/XMPP/Google Talk, Napster, Zephyr, Gadu-Gadu,\nBonjour, Groupwise, Sametime, SIMPLE, MySpaceIM, and MXit.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthese problems have been fixed in version 2.11.0-0+deb8u1.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 2.11.0-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.11.0-1.\n\nWe recommend that you upgrade your pidgin packages.\");\n script_tag(name: \"summary\", value: \"Yves Younan of Cisco Talos discovered\nseveral vulnerabilities in the MXit protocol support in pidgin, a multi-protocol\ninstant messaging client. A remote attacker can take advantage of these flaws to\ncause a denial of service (application crash), overwrite files, information\ndisclosure, or potentially to execute arbitrary code.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"finch\", ver:\"2.11.0-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.11.0-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.11.0-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.11.0-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.11.0-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.11.0-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.11.0-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.11.0-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.11.0-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch\", ver:\"2.11.0-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.11.0-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.11.0-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.11.0-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.11.0-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.11.0-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.11.0-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.11.0-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.11.0-0+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:34:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-07-13T00:00:00", "id": "OPENVAS:1361412562310842828", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842828", "type": "openvas", "title": "Ubuntu Update for pidgin USN-3031-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for pidgin USN-3031-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842828\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-13 05:34:08 +0200 (Wed, 13 Jul 2016)\");\n script_cve_id(\"CVE-2016-2365\", \"CVE-2016-2366\", \"CVE-2016-2367\", \"CVE-2016-2368\",\n \t\t\"CVE-2016-2369\", \"CVE-2016-2370\", \"CVE-2016-2371\", \"CVE-2016-2372\",\n\t\t\"CVE-2016-2373\", \"CVE-2016-2374\", \"CVE-2016-2375\", \"CVE-2016-2376\",\n\t\t\"CVE-2016-2377\", \"CVE-2016-2378\", \"CVE-2016-2380\", \"CVE-2016-4323\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for pidgin USN-3031-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'pidgin'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Yves Younan discovered that Pidgin contained\n multiple issues in the MXit protocol support. A remote attacker could use this\n issue to cause Pidgin to crash, resulting in a denial of service, or possibly\n execute arbitrary code.\");\n script_tag(name:\"affected\", value:\"pidgin on Ubuntu 15.10,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3031-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3031-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|15\\.10)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"1:2.10.9-0ubuntu3.3\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"1:2.10.3-0ubuntu1.7\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU15.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"1:2.10.11-0ubuntu4.2\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "description": "Yves Younan of Cisco Talos discovered\nseveral vulnerabilities in the MXit protocol support in pidgin, a multi-protocol\ninstant messaging client. A remote attacker can take advantage of these flaws to\ncause a denial of service (application crash), overwrite files, information\ndisclosure, or potentially to execute arbitrary code.", "modified": "2019-03-18T00:00:00", "published": "2016-07-15T00:00:00", "id": "OPENVAS:1361412562310703620", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703620", "type": "openvas", "title": "Debian Security Advisory DSA 3620-1 (pidgin - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3620.nasl 14279 2019-03-18 14:48:34Z cfischer $\n# Auto-generated from advisory DSA 3620-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703620\");\n script_version(\"$Revision: 14279 $\");\n script_cve_id(\"CVE-2016-2365\", \"CVE-2016-2366\", \"CVE-2016-2367\", \"CVE-2016-2368\",\n \"CVE-2016-2369\", \"CVE-2016-2370\", \"CVE-2016-2371\", \"CVE-2016-2372\",\n \"CVE-2016-2373\", \"CVE-2016-2374\", \"CVE-2016-2375\", \"CVE-2016-2376\",\n \"CVE-2016-2377\", \"CVE-2016-2378\", \"CVE-2016-2380\", \"CVE-2016-4323\");\n script_name(\"Debian Security Advisory DSA 3620-1 (pidgin - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-15 00:00:00 +0200 (Fri, 15 Jul 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3620.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|8)\");\n script_tag(name:\"affected\", value:\"pidgin on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie),\nthese problems have been fixed in version 2.11.0-0+deb8u1.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 2.11.0-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.11.0-1.\n\nWe recommend that you upgrade your pidgin packages.\");\n script_tag(name:\"summary\", value:\"Yves Younan of Cisco Talos discovered\nseveral vulnerabilities in the MXit protocol support in pidgin, a multi-protocol\ninstant messaging client. A remote attacker can take advantage of these flaws to\ncause a denial of service (application crash), overwrite files, information\ndisclosure, or potentially to execute arbitrary code.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"finch\", ver:\"2.11.0-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.11.0-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.11.0-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.11.0-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.11.0-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.11.0-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.11.0-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.11.0-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.11.0-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"finch\", ver:\"2.11.0-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.11.0-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.11.0-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.11.0-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.11.0-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.11.0-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.11.0-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.11.0-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.11.0-0+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:35:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192650", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192650", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for pidgin (EulerOS-SA-2019-2650)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2650\");\n script_version(\"2020-01-23T13:12:08+0000\");\n script_cve_id(\"CVE-2016-2365\", \"CVE-2016-2366\", \"CVE-2016-2367\", \"CVE-2016-2368\", \"CVE-2016-2369\", \"CVE-2016-2370\", \"CVE-2016-2371\", \"CVE-2016-2372\", \"CVE-2016-2373\", \"CVE-2016-2374\", \"CVE-2016-2375\", \"CVE-2016-2376\", \"CVE-2016-2377\", \"CVE-2016-2378\", \"CVE-2016-2380\", \"CVE-2016-4323\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 13:12:08 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 13:12:08 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for pidgin (EulerOS-SA-2019-2650)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2650\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2650\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'pidgin' package(s) announced via the EulerOS-SA-2019-2650 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server could potentially result in an out-of-bounds write of one byte. A malicious server can send a negative content-length in response to a HTTP request triggering the vulnerability.(CVE-2016-2377)\n\nA buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in arbitrary code execution. A malicious server or an attacker who intercepts the network traffic can send an invalid size for a packet which will trigger a buffer overflow.(CVE-2016-2376)\n\nA buffer overflow vulnerability exists in the handling of the MXIT protocol Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negative length values to trigger this vulnerability.(CVE-2016-2378)\n\nA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. A malicious server or man-in-the-middle attacker can send invalid data to trigger this vulnerability.(CVE-2016-2370)\n\nA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.(CVE-2016-2365)\n\nA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.(CVE-2016-2366)\n\nA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or user can send an invalid mood to trigger this vulnerability.(CVE-2016-2373)\n\nA directory traversal exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splash image triggering the vulnerability.( ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'pidgin' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libpurple\", rpm:\"libpurple~2.10.11~5.h2\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:34:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192222", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192222", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for pidgin (EulerOS-SA-2019-2222)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2222\");\n script_version(\"2020-01-23T12:41:00+0000\");\n script_cve_id(\"CVE-2016-2365\", \"CVE-2016-2366\", \"CVE-2016-2367\", \"CVE-2016-2369\", \"CVE-2016-2370\", \"CVE-2016-2371\", \"CVE-2016-2372\", \"CVE-2016-2373\", \"CVE-2016-2374\", \"CVE-2016-2375\", \"CVE-2016-2376\", \"CVE-2016-2377\", \"CVE-2016-2378\", \"CVE-2016-2380\", \"CVE-2016-4323\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:41:00 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:41:00 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for pidgin (EulerOS-SA-2019-2222)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2222\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2222\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'pidgin' package(s) announced via the EulerOS-SA-2019-2222 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A buffer overflow vulnerability exists in the handling of the MXIT protocol Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negative length values to trigger this vulnerability.(CVE-2016-2378)\n\nA buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in arbitrary code execution. A malicious server or an attacker who intercepts the network traffic can send an invalid size for a packet which will trigger a buffer overflow.(CVE-2016-2376)\n\nAn exploitable out-of-bounds read exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT contact information sent from the server can result in memory disclosure.(CVE-2016-2375)\n\nAn exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution.(CVE-2016-2374)\n\nA buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server could potentially result in an out-of-bounds write of one byte. A malicious server can send a negative content-length in response to a HTTP request triggering the vulnerability.(CVE-2016-2377)\n\nA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or user can send an invalid mood to trigger this vulnerability.(CVE-2016-2373)\n\nAn out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.(CVE-2016-2371)\n\nA directory traversal exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splash image triggering the vulnerability.(CVE-2016-4323)\n\nAn information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and could lead to a potential out ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'pidgin' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libpurple\", rpm:\"libpurple~2.10.11~7.h4.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-1000030", "CVE-2016-2366"], "description": "This host is installed with Pidgin and is\n prone to multiple vulnerabilities.", "modified": "2018-11-19T00:00:00", "published": "2017-01-18T00:00:00", "id": "OPENVAS:1361412562310809862", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809862", "type": "openvas", "title": "Pidgin Multiple Vulnerabilities Jan 2017 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_pidgin_mult_vuln_jan17_win.nasl 66254 2017-01-18 07:41:15Z$\n#\n# Pidgin Multiple Vulnerabilities Jan 2017 (Windows)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:pidgin:pidgin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809862\");\n script_version(\"$Revision: 12408 $\");\n script_cve_id(\"CVE-2016-2365\", \"CVE-2016-2366\", \"CVE-2016-2367\", \"CVE-2016-2368\",\n \t\t\"CVE-2016-2369\", \"CVE-2016-2370\", \"CVE-2016-2371\", \"CVE-2016-2372\",\n\t\t\"CVE-2016-2373\", \"CVE-2016-2374\", \"CVE-2016-2375\", \"CVE-2016-2376\",\n\t\t\"CVE-2016-2377\", \"CVE-2016-2378\", \"CVE-2016-2380\", \"CVE-2016-4323\",\n \"CVE-2016-1000030\");\n script_bugtraq_id(91335);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-19 10:34:54 +0100 (Mon, 19 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-18 13:03:03 +0530 (Wed, 18 Jan 2017)\");\n script_name(\"Pidgin Multiple Vulnerabilities Jan 2017 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Pidgin and is\n prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple errors exists due to,\n\n - The X.509 certificates may be improperly imported when using GnuTLS.\n\n - An improper validation in the field and attribute counts.\n\n - An improper validation of the incoming message format.\n\n - An improper validation of the received values.\n\n - An error in chunk decoding.\n\n - Not checking the field count before accessing the fields.\n\n - The multiple issues in the MXit protocol support.\n\n - An error in g_vsnprintf().\n\n - An improper validation of the data length in the MXit protocol support.\n\n - An improper usage of data types in the MXit protocol support.\n\n - Not checking the length of the font tag.\n Refer the reference link for more information.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these\n vulnerabilities will allow attackers to cause denial of service, execute\n arbitrary code and disclose information from memory.\");\n\n script_tag(name:\"affected\", value:\"Pidgin before version 2.11.0 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Pidgin version 2.11.0 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.pidgin.im/news/security\");\n script_xref(name:\"URL\", value:\"http://www.talosintelligence.com/reports/TALOS-2016-0133\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_pidgin_detect_win.nasl\");\n script_mandatory_keys(\"Pidgin/Win/Ver\");\n script_xref(name:\"URL\", value:\"http://www.pidgin.im\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!pidVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:pidVer, test_version:\"2.11.0\"))\n{\n report = report_fixed_ver(installed_version:pidVer, fixed_version:\"2.11.0\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-1000030", "CVE-2016-2366"], "description": "This host is installed with Pidgin and is\n prone to multiple vulnerabilities.", "modified": "2018-11-19T00:00:00", "published": "2017-01-18T00:00:00", "id": "OPENVAS:1361412562310809871", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809871", "type": "openvas", "title": "Pidgin Multiple Vulnerabilities Jan 2017 (MAC OS X)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_pidgin_mult_vuln_jan17_macosx.nasl 66254 2017-01-18 07:41:15Z$\n#\n# Pidgin Multiple Vulnerabilities Jan 2017 (MAC OS X)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:pidgin:pidgin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809871\");\n script_version(\"$Revision: 12408 $\");\n script_cve_id(\"CVE-2016-2365\", \"CVE-2016-2366\", \"CVE-2016-2367\", \"CVE-2016-2368\",\n \t\t\"CVE-2016-2369\", \"CVE-2016-2370\", \"CVE-2016-2371\", \"CVE-2016-2372\",\n\t\t\"CVE-2016-2373\", \"CVE-2016-2374\", \"CVE-2016-2375\", \"CVE-2016-2376\",\n\t\t\"CVE-2016-2377\", \"CVE-2016-2378\", \"CVE-2016-2380\", \"CVE-2016-4323\",\n \"CVE-2016-1000030\");\n script_bugtraq_id(91335);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-19 10:34:54 +0100 (Mon, 19 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-18 13:03:03 +0530 (Wed, 18 Jan 2017)\");\n script_name(\"Pidgin Multiple Vulnerabilities Jan 2017 (MAC OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Pidgin and is\n prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple errors exists due to,\n\n - The X.509 certificates may be improperly imported when using GnuTLS.\n\n - An improper validation in the field and attribute counts.\n\n - An improper validation of the incoming message format.\n\n - An improper validation of the received values.\n\n - An error in chunk decoding.\n\n - Not checking the field count before accessing the fields.\n\n - The multiple issues in the MXit protocol support.\n\n - An error in g_vsnprintf().\n\n - An improper validation of the data length in the MXit protocol support.\n\n - An improper usage of data types in the MXit protocol support.\n\n - Not checking the length of the font tag.\n Refer the reference link for more information.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these\n vulnerabilities will allow attackers to cause denial of service, execute\n arbitrary code and disclose information from memory.\");\n\n script_tag(name:\"affected\", value:\"Pidgin before version 2.11.0 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Pidgin version 2.11.0 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://www.pidgin.im/news/security\");\n script_xref(name:\"URL\", value:\"http://www.talosintelligence.com/reports/TALOS-2016-0133\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_pidgin_detect_macosx.nasl\");\n script_mandatory_keys(\"Pidgin/MacOSX/Version\");\n script_xref(name:\"URL\", value:\"http://www.pidgin.im\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!pidVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:pidVer, test_version:\"2.11.0\"))\n{\n report = report_fixed_ver(installed_version:pidVer, fixed_version:\"2.11.0\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:33:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2368"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191985", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191985", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for pidgin (EulerOS-SA-2019-1985)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1985\");\n script_version(\"2020-01-23T12:30:03+0000\");\n script_cve_id(\"CVE-2016-2368\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:30:03 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:30:03 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for pidgin (EulerOS-SA-2019-1985)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1985\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1985\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'pidgin' package(s) announced via the EulerOS-SA-2019-1985 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple memory corruption vulnerabilities exist in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could result in multiple buffer overflows, potentially resulting in code execution or memory disclosure. (CVE-2016-2368)\");\n\n script_tag(name:\"affected\", value:\"'pidgin' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libpurple\", rpm:\"libpurple~2.10.11~7.h2.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:40:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "description": "Yves Younan discovered that Pidgin contained multiple issues in the MXit \nprotocol support. A remote attacker could use this issue to cause Pidgin to \ncrash, resulting in a denial of service, or possibly execute arbitrary \ncode.", "edition": 5, "modified": "2016-07-12T00:00:00", "published": "2016-07-12T00:00:00", "id": "USN-3031-1", "href": "https://ubuntu.com/security/notices/USN-3031-1", "title": "Pidgin vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "description": "- CVE-2016-2365 (denial of service)\n\nSpecially crafted MXIT data sent via the server could potentially result\nin a null pointer dereference.\n\n- CVE-2016-2366 (denial of service)\n\nSpecially crafted MXIT data sent via the server could potentially result\nin an out-of-bounds read.\n\n- CVE-2016-2367 (information leakage, denial of service)\n\nSpecially crafted MXIT data sent via the server could potentially result\nin an out of bounds read. This issue can also potentially leak sensitive\ninformation from memory into the data after the avatar which can then be\ntransferred when the avatar is copied.\n\n- CVE-2016-2368 (arbitrary code execution)\n\nSpecially crafted MXIT data sent via the server could potentially result\nin a buffer overflow. The MXIT plugin for Pidgin uses the function\ng_snprintf() in about 27 places where it receives the return value of\nthe function. When g_snprintf() returns, it will return the number of\nbytes that would have been written had the buffer been large enough, not\nthe amount of bytes that have actually been written. The MXIT plugin\nuses the return value of g_snprintf() as an index or an offset into the\nstring that is being manipulated in multiple locations without making\nsure that the return value is within bounds.\n\n- CVE-2016-2369 (denial of service)\n\nSpecially crafted MXIT data sent via the server could potentially result\nin a NULL pointer dereference.\n\n- CVE-2016-2370 (denial of service)\n\nSpecially crafted MXIT data sent via the server could potentially result\nin an out-of-bounds read.\n\n- CVE-2016-2371 (arbitrary code execution)\n\nSpecially crafted MXIT data sent via the server could potentially result\nin a buffer overflow. The function mxit_parse_cmd_extprofile() is called\nwhen extended profile packets are received from the server. A malicious\nserver, an attacker who intercepts the network traffic or a potentially\nmalicious user (if the data is not validated by the server) can send an\ninvalid number of records, which could result in an out-of-bounds write\nof data.\n\n- CVE-2016-2372 (information leakage, denial of service)\n\nSpecially crafted MXIT data sent via the server could potentially result\nin an out-of-bounds read. This issue can also potentially leak sensitive\ninformation by appending sensitive information from memory to the end of\na received file.\n\n- CVE-2016-2373 (denial of service)\n\nSpecially crafted MXIT data sent via the server could potentially result\nin an out-of-bounds read. A malicious server or user can send an invalid\nmood to trigger this vulnerability.\n\n- CVE-2016-2374 (arbitrary code execution)\n\nSpecially crafted MXIT MultiMX message sent via the server can result in\nan out-of-bounds write leading to memory disclosure and code execution.\n\n- CVE-2016-2375 (information leakage)\n\nSpecially crafted MXIT data sent from the server could potentially\nresult in an out-of-bounds read. In the function\nmxit_parse_cmd_suggestcontacts() in the file mxit/protocol.c at line\n2020 the number of attributes will be read from the incoming packet into\nthe variable count.\n\n- CVE-2016-2376 (arbitrary code execution)\n\nSpecially crafted MXIT data sent from the server could potentially\nresult in a buffer overflow. The function mxit_cb_rx in the file\nmxit/protocol.c is a callback function will be called by Pidgin whenever\ndata is sent from the MXIT server. When data is received, the size of\nthe incoming packet will also be received at line 2825. There is a check\nat line 2826 to ensure that this data isn't larger than the maximum size\nof that an MXIT packet can be which is defined as CP_MAX_PACKET. This is\nalso the size of the buffer that the data is read into. However if the\nsize is larger than CP_MAX_PACKET, an error will be logged but execution\nwill simply continue. Moreover, if the size is negative (this is\npossible since rx_res is an int) then no error will be logged and\nexecution will also continue.\n\n- CVE-2016-2377 (arbitrary code execution)\n\nSpecially crafted MXIT data sent by the server could potentially result\nin an out of bounds write of one byte.\n\n- CVE-2016-2378 (arbitrary code execution)\n\nSpecially crafted data sent via the server could potentially result in a\nbuffer overflow, potentially resulting in memory corruption.\n\n- CVE-2016-2380 (information leakage)\n\nSpecially crafted MXIT data sent to the server could potentially result\nin an out of bounds read. A user could be convinced to enter a\nparticular string which would then get converted incorrectly and could\nlead to a potential out-of-bounds read.\n\n- CVE-2016-4323 (directory traversal)\n\nSpecially crafted MXIT data sent from the server could potentially\nresult in an overwrite of files. A malicious server or someone with\naccess to the network traffic can provide an invalid filename for a\nsplash image triggering the vulnerability.", "modified": "2016-06-25T00:00:00", "published": "2016-06-25T00:00:00", "id": "ASA-201606-24", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-June/000659.html", "type": "archlinux", "title": "libpurple: multiple issues", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:LOW/I:LOW/A:LOW/"}}], "debian": [{"lastseen": "2020-08-12T01:10:38", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3620-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJuly 15, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : pidgin\nCVE ID : CVE-2016-2365 CVE-2016-2366 CVE-2016-2367 CVE-2016-2368\n CVE-2016-2369 CVE-2016-2370 CVE-2016-2371 CVE-2016-2372\n CVE-2016-2373 CVE-2016-2374 CVE-2016-2375 CVE-2016-2376\n CVE-2016-2377 CVE-2016-2378 CVE-2016-2380 CVE-2016-4323\n\nYves Younan of Cisco Talos discovered several vulnerabilities in the\nMXit protocol support in pidgin, a multi-protocol instant messaging\nclient. A remote attacker can take advantage of these flaws to cause a\ndenial of service (application crash), overwrite files, information\ndisclosure, or potentially to execute arbitrary code.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 2.11.0-0+deb8u1.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 2.11.0-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.11.0-1.\n\nWe recommend that you upgrade your pidgin packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 10, "modified": "2016-07-15T19:04:17", "published": "2016-07-15T19:04:17", "id": "DEBIAN:DSA-3620-1:E5D1C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00198.html", "title": "[SECURITY] [DSA 3620-1] pidgin security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2020-09-02T11:44:57", "bulletinFamily": "info", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-2377", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-2366"], "description": "### *Detect date*:\n06/21/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Pidgin. Malicious users can exploit these vulnerabilities to cause a denial of sevice, obtain sensitive information, execute arbitrary code.\n\n### *Affected products*:\nPidgin versions earlier than 2.11.0\n\n### *Solution*:\nUpdate to the latest version \n[Download Pidgin](<https://pidgin.im/download/>)\n\n### *Original advisories*:\n[Pidgin Security Advisories](<https://www.pidgin.im/news/security/>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Pidgin](<https://threats.kaspersky.com/en/product/Pidgin/>)\n\n### *CVE-IDS*:\n[CVE-2016-2365](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2365>)4.3Warning \n[CVE-2016-2366](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2366>)4.3Warning \n[CVE-2016-2367](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2367>)3.5Warning \n[CVE-2016-2368](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2368>)7.5Critical \n[CVE-2016-2369](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2369>)4.3Warning \n[CVE-2016-2370](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2370>)4.3Warning \n[CVE-2016-2371](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2371>)6.8High \n[CVE-2016-2372](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2372>)4.9Warning \n[CVE-2016-2373](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2373>)4.3Warning \n[CVE-2016-2374](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2374>)6.8High \n[CVE-2016-2375](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2375>)5.0Critical \n[CVE-2016-2376](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2376>)6.8High \n[CVE-2016-2377](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2377>)6.8High", "edition": 44, "modified": "2020-05-22T00:00:00", "published": "2016-06-21T00:00:00", "id": "KLA10942", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10942", "title": "\r KLA10942Multiple vulnerabilities in Pidgin ", "type": "kaspersky", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-02T11:58:34", "bulletinFamily": "info", "cvelist": ["CVE-2016-4323", "CVE-2016-2380", "CVE-2016-2378"], "description": "### *Detect date*:\n06/21/2016\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Pidgin. Malicious users can exploit these vulnerabilities to overwrite arbitrary files, cause denial of service, obtain sensitive information.\n\n### *Affected products*:\nPidgin versions earlier than 2.11.0\n\n### *Solution*:\nUpdate to the latest version \n[Download Pidgin](<https://pidgin.im/download/>)\n\n### *Original advisories*:\n[Pidgin Security Advisory](<https://pidgin.im/news/security/?id=97>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Pidgin](<https://threats.kaspersky.com/en/product/Pidgin/>)\n\n### *CVE-IDS*:\n[CVE-2016-2380](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2380>)4.3Warning \n[CVE-2016-2378](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2378>)6.8High \n[CVE-2016-4323](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4323>)5.8High", "edition": 44, "modified": "2020-05-22T00:00:00", "published": "2016-06-21T00:00:00", "id": "KLA10932", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10932", "title": "\r KLA10932Multiple vulnerabilities in Pidgin ", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2017-01-17T04:59:28", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2375", "CVE-2016-2368", "CVE-2016-2371", "CVE-2016-2374", "CVE-2016-2373", "CVE-2016-4323", "CVE-2016-2377", "CVE-2016-2379", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2380", "CVE-2016-2378", "CVE-2016-2372", "CVE-2016-2369", "CVE-2016-2376", "CVE-2016-2365", "CVE-2016-1000030", "CVE-2016-2366"], "edition": 1, "description": "### Background\n\nPidgin is a client for a variety of instant messaging protocols.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Pidgin. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker might send specially crafted data using the MXit protocol, possibly resulting in the remote execution of arbitrary code with the privileges of the process, a Denial of Service condition, or in leaking confidential information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Pidgin users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-im/pidgin-2.11.0\"", "modified": "2017-01-17T00:00:00", "published": "2017-01-17T00:00:00", "href": "https://security.gentoo.org/glsa/201701-38", "id": "GLSA-201701-38", "title": "Pidgin: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:LOW/I:LOW/A:LOW/"}}], "suse": [{"lastseen": "2016-09-29T17:27:39", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2371", "CVE-2016-2373", "CVE-2016-2370", "CVE-2016-2367", "CVE-2016-2372"], "edition": 1, "description": "This update for pidgin fixes the following issues:\n\n Security issues fixed:\n - CVE-2016-2367: Fixed a MXIT Avatar Length Memory Disclosure\n Vulnerability (bsc#991715).\n - CVE-2016-2370: Fixed a MXIT Custom Resource Denial of Service\n Vulnerability (bsc#991712).\n - CVE-2016-2371: Fixed a MXIT Extended Profiles Code Execution\n Vulnerability (bsc#991691).\n - CVE-2016-2372: Fixed a MXIT File Transfer Length Memory Disclosure\n Vulnerability (bsc#991711).\n - CVE-2016-2373: Fixed a MXIT Contact Mood Denial of Service Vulnerability\n (bsc#991709)\n\n", "modified": "2016-09-29T19:10:02", "published": "2016-09-29T19:10:02", "id": "SUSE-SU-2016:2416-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00035.html", "type": "suse", "title": "Security update for pidgin (important)", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:LOW/I:LOW/A:LOW/"}}], "cve": [{"lastseen": "2021-02-02T06:28:07", "description": "A directory traversal exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splash image triggering the vulnerability.", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 3.7, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2017-01-06T21:59:00", "title": "CVE-2016-4323", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4323"], "modified": "2017-03-30T01:59:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:pidgin:pidgin:2.10.12", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-4323", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4323", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:a:pidgin:pidgin:2.10.12:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:04", "description": "Multiple memory corruption vulnerabilities exist in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could result in multiple buffer overflows, potentially resulting in code execution or memory disclosure.", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-06T21:59:00", "title": "CVE-2016-2368", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2368"], "modified": "2017-03-30T01:59:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:pidgin:pidgin:2.10.12", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-2368", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2368", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:a:pidgin:pidgin:2.10.12:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:04", "description": "An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and could lead to a potential out-of-bounds read.", "edition": 6, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 1.4}, "published": "2017-01-06T21:59:00", "title": "CVE-2016-2380", "type": "cve", "cwe": ["CWE-125", "CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2380"], "modified": "2017-03-30T01:59:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:pidgin:pidgin:2.10.12", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-2380", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2380", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:a:pidgin:pidgin:2.10.12:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:04", "description": "An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the avatar is sent to another user.", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-01-06T21:59:00", "title": "CVE-2016-2367", "type": "cve", "cwe": ["CWE-125", "CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2367"], "modified": "2017-03-30T01:59:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:pidgin:pidgin:2.10.12", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-2367", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2367", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:a:pidgin:pidgin:2.10.12:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:04", "description": "A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-01-06T21:59:00", "title": "CVE-2016-2366", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2366"], "modified": "2017-03-30T01:59:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:pidgin:pidgin:2.10.12", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-2366", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2366", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:a:pidgin:pidgin:2.10.12:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:04", "description": "A NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerability. A malicious server can send a packet starting with a NULL byte triggering the vulnerability.", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-01-06T21:59:00", "title": "CVE-2016-2369", "type": "cve", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2369"], "modified": "2017-03-30T01:59:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:pidgin:pidgin:2.10.12", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-2369", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2369", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:a:pidgin:pidgin:2.10.12:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:04", "description": "A buffer overflow vulnerability exists in the handling of the MXIT protocol Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negative length values to trigger this vulnerability.", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-06T21:59:00", "title": "CVE-2016-2378", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2378"], "modified": "2017-03-30T01:59:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:pidgin:pidgin:2.10.12", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-2378", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2378", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:a:pidgin:pidgin:2.10.12:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:04", "description": "A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server could potentially result in an out-of-bounds write of one byte. A malicious server can send a negative content-length in response to a HTTP request triggering the vulnerability.", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-06T21:59:00", "title": "CVE-2016-2377", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2377"], "modified": "2017-03-30T01:59:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:pidgin:pidgin:2.10.12", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-2377", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2377", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:a:pidgin:pidgin:2.10.12:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:04", "description": "An exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution.", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-06T21:59:00", "title": "CVE-2016-2374", "type": "cve", "cwe": ["CWE-125", "CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2374"], "modified": "2017-03-30T01:59:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:pidgin:pidgin:2.10.12", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-2374", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2374", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:a:pidgin:pidgin:2.10.12:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:04", "description": "A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. A malicious server or man-in-the-middle attacker can send invalid data to trigger this vulnerability.", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-01-06T21:59:00", "title": "CVE-2016-2370", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2370"], "modified": "2017-03-30T01:59:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:pidgin:pidgin:2.10.12", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-2370", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2370", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:a:pidgin:pidgin:2.10.12:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T12:14:16", "description": "### DESCRIPTION\r\nAn information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out of bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and could lead to a potential out-of-bounds read.\r\n### CVSSv3 SCORE\r\n3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\r\n\r\n### TESTED VERSIONS\r\nPidgin 2.10.11\r\n\r\n### PRODUCT URLs\r\nhttps://www.pidgin.im/\r\n\r\n### DETAILS\r\nWhen a message is sent by Pidgin to the server, it has to convert the markup from libpurple (HTML-based) markup to MXIT markup. To do this, the function mxitconvertmarkup_tx defined in the file markup.c will be called. This function will copy the data from the old string message to the new string mx, converting it along the way.\r\n\r\nHowever, at lines 1146-1154 it will convert the markup to change the font color without checking the length of the string that is remaining:\r\n```\r\n1146 else if ( purple_str_has_prefix( &message[i], \"<font color=\" ) ) {\r\n /* font colour */\r\n tag = g_new0( struct tag, 1 );\r\n tag->type = MXIT_TAG_COLOR;\r\n tagstack = g_list_append( tagstack, tag );\r\n memset( color, 0x00, sizeof( color ) );\r\n memcpy( color, &message[i + 13], 7 );\r\n g_string_append( mx, color );\r\n1154 }\r\n```\r\n\r\nIt will compare if the string starts with <font color= at the current position in the message at line 1146. If it does it will copy 7 bytes from 1 element past the end of `=`, presumably to skip over the `#` tag. However, if `<font color=` is at the end of the string then this will result in an out-of-bounds read of message. Since one byte after the end of the `=` will be skipped over, the NULL termination string will be skipped over, allowing the 7 bytes of data behind the string to be copied to the mx, which is the string that will be sent to the server.\r\n\r\n### TIMELINE\r\n* 2016-04-13 - Vendor Notification \r\n* 2016-06-21 - Public Disclosure", "published": "2017-10-19T00:00:00", "type": "seebug", "title": "Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability(CVE-2016-2380)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2380"], "modified": "2017-10-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96742", "id": "SSV:96742", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T12:14:17", "description": "### DESCRIPTION\r\nMultiple memory corruption vulnerabilities exist in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could result in multiple buffer overflows, potentially resulting in code execution or memory disclosure.\r\n\r\n### CVSSv3 SCORE\r\n7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\r\n\r\n### TESTED VERSIONS\r\nPidgin 2.10.11\r\n\r\n### PRODUCT URLs\r\nhttps://www.pidgin.im/\r\n\r\n### DETAILS\r\nThe MXIT plugin for Pidgin uses the function gsnprintf in about 27 places where it receives the return value of the function. When gsnprintf returns, it will return the number of bytes that would have been written had the buffer been large enough, not the amount of bytes that have actually been written. This is described at https://developer.gnome.org/glib/stable/glib-String-Utility-Functions.html#g-snprintf.\r\n\r\nThe MXIT plugin uses the return value of gsnprintf as an index or an offset into the string that is being manipulated in multiple locations without making sure that the return value is within bounds. This could potentially lead to a buffer overflow. While it is recommended that all return values of gsnprintf are checked, the following 12 calls spread over 7 functions appear to be the most problematic as they will copy data that might come from an untrusted location into a string. The following functions are all defined in the file mxit/protocol.c\r\n\r\nFunction: mxit_send_invite() Lines: 1015-1024\r\n```\r\n1015 datalen = g_snprintf( data, sizeof( data ),\r\n \"ms=%s%c%s%c%s%c%i%c%s%c%i\", groupname, CP_FLD_TERM, username, CP_FLD_TERM, alias, CP_FLD_TERM, MXIT_TYPE_MXIT, CP_FLD_TERM,\r\n ( message ? message : \"\" ), CP_FLD_TERM, ( mxitid ? 0 : 1 ));\r\n\r\n /* queue packet for transmission */\r\n1024 mxit_queue_packet( session, data, datalen, CP_CMD_INVITE );\r\n```\r\nThe data passed into g_snprintf comes from both the server and the user and the return value will be used to specify the bounds of the data to be sent in the function mxit_queue_packet, potentially resulting in an out-of-bounds read of data which will be sent to the server, which might cause an information leak.\r\n\r\nFunction: mxit_queue_packet() Lines: 467-479\r\n```\r\n467 hlen = g_snprintf( header, sizeof( header ), \"id=%s%c\", purple_account_get_username( session->acc ), CP_REC_TERM ); /* client mxitid */\r\n\r\n if ( session->http ) {\r\n /* http connection only */\r\n471 hlen += g_snprintf( header + hlen, sizeof( header ) - hlen, \"s=\");\r\n if ( session->http_sesid > 0 ) {\r\n473 hlen += g_snprintf( header + hlen, sizeof( header ) - hlen, \"%u%c\", session->http_sesid, CP_FLD_TERM ); /* http session id */\r\n }\r\n session->http_seqno++;\r\n476 hlen += g_snprintf( header + hlen, sizeof( header ) - hlen, \"%u%c\", session->http_seqno, CP_REC_TERM ); /* http request sequence id */\r\n }\r\n\r\n479 hlen += g_snprintf( header + hlen, sizeof( header ) - hlen, \"cm=%i%c\", cmd, CP_REC_TERM ); /* packet command */\r\n```\r\n\r\nA long user account returned at line 467 will potentially cause buffer overflows at lines 471, 473, 476 or 479.\r\n\r\nFunction: mxitsendmessage() Lines: 808-817\r\n```\r\n808 datalen = g_snprintf( data, sizeof( data ),\r\n \"ms=%s%c%s%c%i%c%i\", /* \"ms\"=jid\\1msg\\1type\\1flags */\r\nto, CP_FLD_TERM, markuped_msg, CP_FLD_TERM, msgtype, CP_FLD_TERM, CP_MSG_MARKUP | CP_MSG_EMOTICON);\r\n\r\n /* free the resources */\r\n g_free( markuped_msg );\r\n\r\n /* queue packet for transmission */\r\n817 mxit_queue_packet( session, data, datalen, CP_CMD_TX_MSG );\r\n```\r\n\r\nData passed to mxitsendmessage comes from the server and the user in the variables to and msg respectively. The variable msg might also contain data coming from the server if it\u00d5s the result of a clicked link. This will subsequently result in an out-of-bounds read of data sent back to the server in mxit_queue_packet, which might cause an information leak.\r\n\r\nFunction: mxit_write_http_post() Lines: 355-369\r\n```\r\n355 reqlen = g_snprintf( request, 256,\r\n \"POST %s?%s HTTP/1.1\\r\\n\"\r\n \"User-Agent: \" MXIT_HTTP_USERAGENT \"\\r\\n\"\r\n \"Content-Type: application/octet-stream\\r\\n\"\r\n \"Host: %s\\r\\n\"\r\n \"Content-Length: %d\\r\\n\"\r\n \"\\r\\n\",\r\n session->http_server,\r\n purple_url_encode( packet->header ),\r\n host_name,\r\n packet->datalen - MXIT_MS_OFFSET\r\n );\r\n\r\n /* copy over the packet body data (could be binary) */\r\n369 memcpy( request + reqlen, packet->data + MXIT_MS_OFFSET, \r\npacket->datalen - MXIT_MS_OFFSET );\r\n```\r\n\r\nThe size of the packet->header combined with the URL and the other data being printed could result in a value larger than 256, resulting in a buffer overflow at line 369. The packet->header will be set in mxitqueuepacket, which is discussed earlier in this advisory.\r\n\r\nFunction: mxitsendsplashclick() Lines 1136-1142\r\n```\r\n1136 datalen = g_snprintf( data, sizeof( data ),\r\n \"ms=%s\", /* \"ms\"=splashId */\r\n splashid\r\n );\r\n\r\n /* queue packet for transmission */\r\n1142 mxit_queue_packet( session, data, datalen, CP_CMD_SPLASHCLICK );\r\n```\r\n\r\nSplash id is data that comes from the server, which is used in the gsnprintf() call, potentially resulting in an out-of-bounds read in mxitqueue_packet. Since this data is sent back to the server, this could result in an information leak.\r\n\r\nFunction: mxitsendsuggest_search() Lines: 937-946\r\n```\r\n937 datalen = g_snprintf( data, sizeof( data ),\r\n\"ms=%i%c%s%c%i%c%i%c%i\",CP_SUGGEST_SEARCH, CP_FLD_TERM, text, CP_FLD_TERM, max, CP_FLD_TERM, 0, CP_FLD_TERM, nr_attrib );\r\n\r\n /* add attributes */\r\n for ( i = 0; i < nr_attrib; i++ )\r\n942 datalen += g_snprintf( data + datalen, sizeof( data ) - datalen, \"%c%s\", CP_FLD_TERM, attribute[i] );\r\n\r\n /* queue packet for transmission */\r\n946 mxit_queue_packet( session, data, datalen, CP_CMD_SUGGESTCONTACTS );\r\n```\r\n\r\nThe value text will come from the user, who could be tricked into entering a potential long string. This could then result in a buffer overflow at line 942 and an out-of-bounds read leading to an information leak at line 946.\r\n\r\nFunction: mxit_send_msgevent Lines 1162-1168\r\n```\r\n1162 datalen = g_snprintf( data, sizeof( data ),\r\n \"ms=%s%c%s%c%i\", /* \"ms\"=contactAddress \\1 id \\1 event */\r\n to, CP_FLD_TERM, id, CP_FLD_TERM, event);\r\n\r\n /* queue packet for transmission */\r\n1168 mxit_queue_packet( session, data, datalen, CP_CMD_MSGEVENT );\r\n```\r\n\r\nThe issue is the same as before, to and id come from the server and are used in line 1162, which could result in an information leak at line 1168.\r\n\r\n### TIMELINE\r\n* 2016-04-13 - Vendor Notification \r\n* 2016-06-21 - Public Disclosure", "published": "2017-10-19T00:00:00", "type": "seebug", "title": "Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerabilities(CVE-2016-2368)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2368"], "modified": "2017-10-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96740", "id": "SSV:96740", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:14:17", "description": "### DESCRIPTION\r\nA directory traversal exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splash image triggering the vulnerability.\r\n\r\n### CVSSv3 SCORE\r\n4.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\r\n\r\n### TESTED VERSIONS\r\nPidgin 2.10.11\r\n\r\n### PRODUCT URLs\r\nhttps://www.pidgin.im/\r\n\r\n### DETAILS\r\nPidgin allows the MXIT server to provide a splash image to show when connecting to the server. The server can also update this image by providing a new one via a command sent back from the server.\r\n\r\nWhen the server provides a new image via a multimedia command then the function splash_update will be called at line 2170 of mxit/protocol.c:\r\n```\r\n2170 splash_update( session, chunk.id, splash->data, splash->datalen, clickable );\r\n```\r\n\r\nThe variable chunk.id is read from data coming from the server in the function mxitchunkparse_cr at line 564:\r\n\r\npos += get_utf8_string( &chunkdata[pos], cr->id, sizeof( cr->id ) );\r\n\r\nThe function splash_update is defined in mxit/splashscreen.c at lines 115-136:\r\n```\r\nvoid splash_update(struct MXitSession* session, const char* splashId, const char* data, int datalen, gboolean clickable)\r\n{\r\n char* dir;\r\n char* filename;\r\n\r\n /* Remove the current splash-screen */\r\n splash_remove(session);\r\n\r\n /* Save the new splash image */\r\ndir = g_strdup_printf(\"%s\" G_DIR_SEPARATOR_S \"mxit\", purple_user_dir());\r\n\r\n purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR); \r\n /* ensure directory exists */\r\n\r\n127 filename = g_strdup_printf(\"%s\" G_DIR_SEPARATOR_S \"%s.png\", dir, purple_escape_filename(splashId));\r\n\r\n if (purple_util_write_data_to_file_absolute(filename, data, datalen)) {\r\n /* Store new splash-screen ID to settings */\r\npurple_account_set_string(session->acc, MXIT_CONFIG_SPLASHID, splashId);\r\n\r\npurple_account_set_bool(session->acc, MXIT_CONFIG_SPLASHCLICK, clickable );\r\n }\r\n\r\n g_free(dir);\r\n g_free(filename);\r\n}\r\n```\r\n\r\nAt line 127 splashId will be correctly escaped to prevent a directory traversal from occurring. However the unescaped string is stored in the MXITCONFIGSPLASHID variable at line 130. The function splashremove, which is called at line 121 in this function, will use MXITCONFIG_SPLASHID to find the file to delete (lines 84-104):\r\n```\r\nvoid splash_remove(struct MXitSession* session)\r\n{\r\n const char* splashId = NULL;\r\n char* filename;\r\n\r\n /* Get current splash ID */\r\n splashId = splash_current(session);\r\n\r\n if (splashId != NULL) {\r\npurple_debug_info(MXIT_PLUGIN_ID, \"Removing splashId: '%s'\\n\", splashId);\r\n\r\n /* Delete stored splash image */\r\nfilename = g_strdup_printf(\"%s\" G_DIR_SEPARATOR_S \"mxit\" G_DIR_SEPARATOR_S \"%s.png\", purple_user_dir(), splashId);\r\n g_unlink(filename);\r\n g_free(filename);\r\n\r\n /* Clear current splash ID from settings */\r\npurple_account_set_string(session->acc, MXIT_CONFIG_SPLASHID, \"\");\r\npurple_account_set_bool(session->acc, MXIT_CONFIG_SPLASHCLICK, FALSE);\r\n }\r\n}\r\n```\r\n\r\nHowever unlike in splash_update, in this case there is no escaping of the filename, allowing an attacker to delete arbitrary png files on the system.\r\n\r\n### TIMELINE\r\n* 2016-04-12 - Initial Vendor Contact \r\n* 2016-06-21 - Public Disclosure", "published": "2017-10-19T00:00:00", "type": "seebug", "title": "Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability(CVE-2016-4323)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4323"], "modified": "2017-10-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96741", "id": "SSV:96741", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:14:24", "description": "### DESCRIPTION\r\nAn information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out of bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the avatar is sent to another user.\r\n\r\n### CVSSv3 SCORE\r\n5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\r\n\r\n### TESTED VERSIONS\r\nPidgin 2.10.11\r\n\r\n### PRODUCT URLs\r\nhttps://www.pidgin.im/\r\n\r\n### DETAILS\r\nWhen an avatar is received via the MXIT server, the server will send a CPCHUNKGETAVATAR command. This will be handled by the function mxitparsecmdmedia at lines 2208-2234 of mxit/protocol.c:\r\n```\r\ncase CP_CHUNK_GET_AVATAR : /* get avatars */\r\n{\r\n struct getavatar_chunk chunk;\r\n struct contact* contact = NULL;\r\n /* decode the chunked data */\r\n memset( &chunk, 0, sizeof( struct getavatar_chunk ) );\r\n mxit_chunk_parse_get_avatar( &records[0]->fields[0]->data[sizeof( char ) + sizeof( int )], records[0]->fields[0]->len, &chunk );\r\n\r\n /* update avatar image */\r\n if ( chunk.data ) {\r\n purple_debug_info( MXIT_PLUGIN_ID, \"updating avatar for contact '%s'\\n\", chunk.mxitid );\r\n\r\n contact = get_mxit_invite_contact( session, chunk.mxitid );\r\n\r\n if ( contact ) {\r\n /* this is an invite (add image to the internal image store) */\r\n contact->imgid = purple_imgstore_add_with_id( g_memdup( chunk.data, chunk.length ), chunk.length, NULL );\r\n\r\n /* show the profile */\r\n mxit_show_profile( session, chunk.mxitid, contact->profile );\r\n }\r\n else {\r\n /* this is a contact's avatar, so update it */\r\n purple_buddy_icons_set_for_user( session->acc, chunk.mxitid, g_memdup( chunk.data, chunk.length ), chunk.length, chunk.avatarid );\r\n }\r\n }\r\n}\r\n```\r\n\r\nAt line 2215 it will call the function mxitchunkparsegetavatar() which will read the size of the chunk from the data at line 683 of mxit/chunk.c:\r\n```\r\npos += get_int32( &chunkdata[pos], &(avatar->length) );\r\n```\r\n\r\nIf the length of the chunk that was specified is longer than the buffer, it will result in an out-of-bounds read and the resulting data in memory will be written after the received avatar. Depending on the memory layout of the program at the time the vulnerability is triggered this could result in a scenario where either program crashes because pages are not accessible or where sensitive data is leaked from memory into the file. The user may decide to copy this avatar to other places or might send it to another user which would result in the leaking of this data.\r\n\r\n### TIMELINE\r\n* 2016-04-13 - Vendor Notification \r\n* 2016-06-21 - Public Disclosure", "published": "2017-10-19T00:00:00", "type": "seebug", "title": "Pidgin MXIT Avatar Length Memory Disclosure Vulnerability(CVE-2016-2367)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2367"], "modified": "2017-10-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96737", "id": "SSV:96737", "sourceData": "", "sourceHref": "", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:14:22", "description": "### DESCRIPTION\r\nA buffer overflow vulnerability exists in the handling of the MXIT protocol Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negative length values to trigger this vulnerability.\r\n\r\n### CVSSv3 SCORE\r\n8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\r\n\r\n### TESTED VERSIONS\r\nPidgin 2.10.11\r\n\r\n### PRODUCT URLs\r\nhttps://www.pidgin.im/\r\n\r\n### DETAILS\r\nThe function getutf8string, defined at line 231 in libpurple/protocols/mxit/chunk.c will take a maximum string length as argument. Usually this is passed in as the size of the string str that is being written to.\r\n\r\nIt will read the length of the string at line 238 and check to ensure that it is not larger than the maximum string length at line 240. If it is, it will set the length to be equal to maxstrlen.\r\n```\r\n238 pos += get_int16( &chunkdata[pos], &len );\r\n239 \r\n240 if ( len > maxstrlen ) {\r\n \u2026\r\n243 skip = len - maxstrlen;\r\n244 len = maxstrlen;\r\n245 }\r\n```\r\n\r\nHowever, len is a signed short that will be read from nthos, which will read an unsigned integer, but because len is signed it will be cast to a signed integer. If the value of len is a large positive value it will be cast to a negative value, bypassing the size check at line 240.\r\n\r\nThe call to getdata at line 248 will then result in a buffer overflow: 248 pos += getdata( &chunkdata[pos], str, len );\r\n\r\nThe function get_data will end up calling memcpy which expects an unsigned size parameter and will interpret a negative value as a large positive value.\r\n\r\n### TIMELINE\r\n* 2016-04-13 - Vendor Notification \r\n* 2016-06-21 - Public Disclosure", "published": "2017-10-19T00:00:00", "type": "seebug", "title": "Pidgin MXIT get_utf8_string Code Execution Vulnerability(CVE-2016-2378)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2378"], "modified": "2017-10-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96744", "id": "SSV:96744", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:14:20", "description": "### DESCRIPTION\r\nAn NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerability. A malicious server can send a packet starting with a NULL byte triggering the vulnerability.\r\n\r\n### CVSS v3 SCORE\r\n5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\r\n\r\n### TESTED VERSIONS\r\nPidgin 2.10.11\r\n\r\n### PRODUCT URLs\r\nhttps://www.pidgin.im/\r\n\r\n### DETAILS\r\nThe function mxitparsepacket() in mxit/protocol.c is called when data is received from an MXIT server to parse the relevant stream of bytes into an MXIT packet.\r\n\r\nWhen the packet is received, a new record is created in the packet to reflect the data (near line 2672):\r\n```\r\nrec = NULL;\r\nfield = NULL;\r\nmemset( &packet, 0x00, sizeof( struct rx_packet ) );\r\n rec = add_record( &packet );\r\n```\r\n\r\nThe function add_record does the following:\r\n```\r\nstatic struct record* add_record( struct rx_packet* p )\r\n{\r\n struct record* rec;\r\n rec = g_new0( struct record, 1 );\r\n p->records = g_realloc( p->records, \r\n sizeof( struct record* ) * ( p->rcount + 1 ) );\r\n p->records[p->rcount] = rec;\r\n p->rcount++;\r\n\r\n return rec;\r\n}\r\n```\r\n\r\nThis will create a record in the packet and increase the rcount variable by 1.\r\n\r\nAt lines 2679-2744 the packet is further analyzed and broken up into records and fields depending on if the separator being used is 0x0, 0x1 or 0x2.\r\n\r\nThe following code if of particular interest:\r\n```\r\nwhile ( ( i < session->rx_i ) && ( !pbreak ) ) {\r\n switch ( session->rx_dbuf[i] ) {\r\n case CP_SOCK_REC_TERM :\r\n /* new record */\r\n if ( packet.rcount == 1 ) {\r\n /* packet command */\r\n packet.cmd = atoi( packet.records[0]->fields[0]->data );\r\n }\r\n```\r\n\r\nThe value CPSOCKREC_TERM indicates that the end of a record is reached and it will retrieve the command that the packet is sending. However, if the packet starts with a NULL byte then the fields value for the record will not have been initialized resulting in a crash when trying to dereference it at line 2686.\r\n### TIMELINE\r\n* 2016-04-13 - Vendor Notification \r\n* 2016-06-21 - Public Disclosure", "published": "2017-10-19T00:00:00", "type": "seebug", "title": "Pidgin MXIT CP_SOCK_REC_TERM Denial of Service Vulnerability(CVE-2016-2369)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2369"], "modified": "2017-10-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96736", "id": "SSV:96736", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:14:17", "description": "### DESCRIPTION\r\nA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.\r\n\r\n### CVSSv3 SCORE\r\n5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\r\n\r\n### TESTED VERSIONS\r\nPidgin 2.10.11\r\n\r\n### PRODUCT URLs\r\nhttps://www.pidgin.im/\r\n\r\n### DETAILS\r\nIn the function command_table in mxit/formcmds.c at lines 531 and 535, the number of rows and columns for the table are received from the server.\r\n```\r\n531 nr_columns = atoi(tmp);\r\n..\r\n535 nr_rows = atoi(tmp);\r\n```\r\n\r\nThese two values are then used in loops at line 547 and 548 and to access an array at line 549.\r\n```\r\n547 for (i = 0; i < nr_rows; i++) {\r\n for (j = 0; j < nr_columns; j++) {\r\n549 purple_debug_info(MXIT_PLUGIN_ID, \" Row %i Column %i = %s\\n\", i, j, coldata[i*nr_columns + j]);\r\n }\r\n }\r\n```\r\n\r\nAn attacker can cause access to unmapped memory addresses, resulting in a denial of service.\r\n\r\n### TIMELINE\r\n* 2016-04-13 - Vendor Notification \r\n* 2016-06-21 - Public Disclosure", "published": "2017-10-19T00:00:00", "type": "seebug", "title": "Pidgin MXIT Table Command Denial of Service Vulnerability(CVE-2016-2366)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2366"], "modified": "2017-10-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96738", "id": "SSV:96738", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:14:11", "description": "### DESCRIPTION\r\nAn exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution.\r\n\r\n### CVSSv3 SCORE\r\n8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\r\n\r\n### TESTED VERSIONS\r\nPidgin 2.10.11\r\n\r\n### PRODUCT URLs\r\nhttps://www.pidgin.im/\r\n\r\n### DETAILS\r\nThe function multimxmessagereceived defined in mxit/multimx.c will be called when a message is received from a MultiMX room. This message will be parsed and it will check if the message is coming from a particular user (if it contains a nickname) or from the system.\r\nIf the received message starts with a `<` then a nickname is embedded and the server will search for a corresponding `>`. The code to handle is at lines 358-374:\r\n```\r\n354 if (msg[0] == '<') {\r\n /* Message contains embedded nickname - must be from contact */\r\n unsigned int i;\r\n\r\n for (i = 1; i < strlen(msg); i++) { \r\n /* search for end of nickname */\r\n if (msg[i] == '>') {\r\n msg[i] = '\\0';\r\n g_free(mx->from);\r\n mx->from = g_strdup(&msg[1]);\r\n367 msg = &msg[i+2]; /* skip '>' and newline */\r\n break;\r\n }\r\n }\r\n\r\n /* now do markup processing on the message */\r\n mx->chatid = multimx->chatid;\r\n374 mxit_parse_markup(mx, msg, strlen(msg), msgtype, msgflags);\r\n```\r\n\r\nIf a message only contains a nickname followed by a NULL, then msg at line 367 will point out of bounds of the string.\r\n\r\nThis string is subsequently processed for markup at line 374. The mxitparsemarkup function allows for a number of scenarios to exploit this out-of-bounds access vulnerability. If the out-of-bounds data contains some user-controlled values, then the attacker can direct the markup down a number of paths. This can include an information leak where the markup contains a directive to download an emoticon string or a command to download an image (MXITCMDIMAGE), both will send data from the string back via a URL request.\r\n\r\nAnother avenue of attack is to perform an out-of-bounds write which could potentially lead to code execution. The string being parsed is written to at multiple locations, including at line 578 in mxit/formcmds.c:\r\n```\r\n start = message + 2;\r\n end = strstr(start, \":\");\r\n if (end) {\r\n /* end of a command found */\r\n578 *end = '\\0'; /* terminate command string */\r\nAnd line 864 of of markup.c:\r\n ch = strstr( &message[i + 1], \"$\" );\r\n if ( ch ) {\r\n /* end found */\r\n864 *ch = '\\0';\r\n```\r\n\r\n### TIMELINE\r\n* 2016-04-13 - Vendor Notification \r\n* 2016-06-21 - Public Disclosure", "published": "2017-10-19T00:00:00", "type": "seebug", "title": "Pidgin MXIT MultiMX Message Code Execution Vulnerability(CVE-2016-2374)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2374"], "modified": "2017-10-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96750", "id": "SSV:96750", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:14:09", "description": "### DESCRIPTION\r\nAn exploitable out-of-bounds ready exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT contact information sent from the server can result in memory disclosure.\r\n\r\n### CVSSv3 SCORE\r\n5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\r\n\r\n### TESTED VERSIONS\r\nPidgin 2.10.11\r\n\r\n### PRODUCT URLs\r\nhttps://www.pidgin.im/\r\n\r\n### DETAILS\r\nIn the function mxitparsecmd_suggestcontacts in the file mxit/protocol.c at line 2020 the number of attributes will be read from the incoming packet into the variable count.\r\n```\r\n2020 count = atoi( records[0]->fields[3]->data );\r\n```\r\n\r\nThis value is subsequently used as the bounds for a loop at line 2030 and the loop index is used as an array index at lines 2034-2036.\r\n```\r\n2030 for ( j = 0; j < count; j++ ) {\r\n\r\n2034 fname = records[0]->fields[4 + j]->data; /* field name */\r\n if ( records[i]->fcount > ( 2 + j ) )\r\n fvalue = records[i]->fields[2 + j]->data; /* field value */\r\n```\r\n\r\nThe pointers set at these locations will subsequently be used to read data, potentially resulting in an out-of-bounds read, copying data into results fields, for example at lines 2056-2059:\r\n```\r\n2056 else if ( strcmp( CP_PROFILE_FULLNAME, fname ) == 0 ) {\r\n /* nickname */\r\n g_strlcpy( profile->nickname, fvalue, sizeof( profile->nickname ) );\r\n2059 }\r\n```\r\n\r\nMost of the out-of-bounds reads would simply result in a crash if a memory page is inaccessible since most information is not sent back to the server. However, when the add button is pushed, the following callback is called (defined in mxit/profile.c at lines 288-291):\r\n```\r\nstatic void mxit_search_results_add_cb( PurpleConnection *gc, GList *row, gpointer user_data )\r\n{\r\n /* display add buddy dialog */\r\n purple_blist_request_add_buddy( purple_connection_get_account( gc ), g_list_nth_data( row, 0 ), NULL, g_list_nth_data( row, 1 ) );\r\n}\r\n```\r\n\r\nThe data in this row is set in mxitshowsearch_results() in mxit/profile.c at lines 340-346:\r\n```\r\n340 row = g_list_append( NULL, g_strdup_printf( \"#%s\", tmp ) );\r\n341 row = g_list_append( row, g_strdup( profile->nickname ) );\r\n row = g_list_append( row, g_strdup( profile->firstname ) );\r\n row = g_list_append( row, g_strdup( profile->lastname ) );\r\n row = g_list_append( row, g_strdup( profile->male ? \"Male\" : \"Female\" ) );\r\n row = g_list_append( row, g_strdup_printf( \"%i\", calculateAge( profile->birthday ) ) );\r\n346 row = g_list_append( row, g_strdup( profile->whereami ) );\r\n```\r\n\r\nThis means that the nickname will be sent to the function purpleblistrequestaddbuddy() as last argument, which ends up calling:\r\n```\r\nui_ops->request_add_buddy(account, username, group, alias);\r\n```\r\n\r\nWhich should call the callback mxitaddbuddy() defined in roster.c at line 729:\r\n```\r\nvoid mxit_add_buddy( PurpleConnection* gc, PurpleBuddy* buddy, PurpleGroup* group, const char* message )\r\n```\r\n\r\nThis function then sends the alias back as a message to the server at lines 754 and 759:\r\n```\r\n741 list = purple_find_buddies( session->acc, buddy_name );\r\n if ( g_slist_length( list ) == 1 ) {\r\n purple_debug_info( MXIT_PLUGIN_ID, \"mxit_add_buddy (scenario 1) (list:%i)\\n\", g_slist_length( list ) );\r\n /*\r\n * we only send an invite to MXit when the user is not already inside our\r\n * blist. this is done because purple does an add_buddy() call when\r\n * you accept an invite. so in that case the user is already\r\n * in our blist and ready to be chatted to.\r\n */\r\n\r\n if ( buddy_name[0] == '#' ) {\r\n gchar *tmp = (gchar*) purple_base64_decode( buddy_name + 1, NULL );\r\n if ( tmp ) {\r\n 754 mxit_send_invite( session, tmp, FALSE, buddy_alias, group_name, message );\r\n g_free( tmp );\r\n }\r\n }\r\n else\r\n759 mxit\\_send\\_invite( session, buddy_name, TRUE, buddy_alias, group_name, message );\r\n760 }\r\n```\r\n\r\n### TIMELINE\r\n* 2016-04-13 - Vendor Notification \r\n* 2016-06-21 - Public Disclosure", "published": "2017-10-19T00:00:00", "type": "seebug", "title": "Pidgin MXIT Suggested Contacts Memory Disclosure Vulnerability(CVE-2016-2375)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2375"], "modified": "2017-10-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96751", "id": "SSV:96751", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T12:14:25", "description": "### DESCRIPTION\r\nAn out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.\r\n\r\n### CVSSv3 SCORE\r\n8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\r\n\r\n### TESTED VERSIONS\r\nPidgin 2.10.11\r\n\r\n### PRODUCT URLs\r\nhttps://www.pidgin.im/\r\n\r\n### DETAILS\r\nThe function mxitparsecmd_extprofile() is called when extended profile packets are received from the server. At line 1837 it will read the number of attributes that were sent by the server into the variable count.\r\n1837 count = atoi( records[0]->fields[1]->data );\r\n\r\nThis value is subsequently used as the bounds for a loop at line 1839 and used to calculate the index into an array at line 1843 and that value is subsequently used to access values in the array at lines 1845-1847.\r\n```\r\n1839 for ( i = 0; i < count; i++ ) {\r\n char* fname;\r\n char* fvalue;\r\n char* fstatus;\r\n1843 int f = ( i * 3 ) + 2;\r\n\r\n fname = records[0]->fields[f]->data; /* field name */\r\n fvalue = records[0]->fields[f + 1]->data; /* field value */\r\n1847 fstatus = records[0]->fields[f + 2]->data; /* field status */\r\n```\r\n\r\nThe index is also used to write to an array at lines 1859-1860 potentially causing an out-of-bounds write.\r\n```\r\n1859 fvalue[10] = '\\0';\r\n records[0]->fields[f + 1]->len = 10;\r\n```\r\n\r\n### TIMELINE\r\n* 2016-04-13 - Vendor Notification \r\n* 2016-06-21 - Public Disclosure", "published": "2017-10-19T00:00:00", "type": "seebug", "title": "Pidgin MXIT Extended Profiles Code Execution Vulnerability(CVE-2016-2371)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2371"], "modified": "2017-10-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96746", "id": "SSV:96746", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "talos": [{"lastseen": "2020-07-01T21:25:03", "bulletinFamily": "info", "cvelist": ["CVE-2016-4323"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0128\n\n## Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability\n\n##### June 21, 2016\n\n##### CVE Number\n\nCVE-2016-4323\n\n### DESCRIPTION\n\nA directory traversal exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splash image triggering the vulnerability.\n\n### CVSSv3 SCORE\n\n4.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\n\n### TESTED VERSIONS\n\nPidgin 2.10.11\n\n### PRODUCT URLs\n\nhttps://www.pidgin.im/\n\n### DETAILS\n\nPidgin allows the MXIT server to provide a splash image to show when connecting to the server. The server can also update this image by providing a new one via a command sent back from the server.\n\nWhen the server provides a new image via a multimedia command then the function splash_update will be called at line 2170 of mxit/protocol.c:\n \n \n 2170 \tsplash_update( session, chunk.id, splash->data, splash->datalen, clickable );\n \n\nThe variable chunk.id is read from data coming from the server in the function mxit_chunk_parse_cr at line 564:\n \n \n pos += get_utf8_string( &chunkdata[pos], cr->id, sizeof( cr->id ) );\n \n\nThe function splash_update is defined in mxit/splashscreen.c at lines 115-136:\n \n \n void splash_update(struct MXitSession* session, const char* splashId, const char* data, int datalen, gboolean clickable)\n {\n \tchar* dir;\n \tchar* filename;\n \n \t/* Remove the current splash-screen */\n \tsplash_remove(session);\n \n \t/* Save the new splash image */\n dir = g_strdup_printf(\"%s\" G_DIR_SEPARATOR_S \"mxit\", purple_user_dir());\n \t\n purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR);\t\t\n /* ensure directory exists */\n \n 127\tfilename = g_strdup_printf(\"%s\" G_DIR_SEPARATOR_S \"%s.png\", dir, purple_escape_filename(splashId));\n \t\n if (purple_util_write_data_to_file_absolute(filename, data, datalen)) {\n \t\t/* Store new splash-screen ID to settings */\n purple_account_set_string(session->acc, MXIT_CONFIG_SPLASHID, splashId);\n \n purple_account_set_bool(session->acc, MXIT_CONFIG_SPLASHCLICK, clickable );\n \t}\n \n \tg_free(dir);\n \tg_free(filename);\n }\n \n\nAt line 127 splashId will be correctly escaped to prevent a directory traversal from occurring. However the unescaped string is stored in the MXIT_CONFIG_SPLASHID variable at line 130. The function splash_remove, which is called at line 121 in this function, will use MXIT_CONFIG_SPLASHID to find the file to delete (lines 84-104):\n \n \n void splash_remove(struct MXitSession* session)\n {\n \tconst char* splashId = NULL;\n \tchar* filename;\n \n \t/* Get current splash ID */\n \tsplashId = splash_current(session);\n \n \tif (splashId != NULL) {\n purple_debug_info(MXIT_PLUGIN_ID, \"Removing splashId: '%s'\\n\", splashId);\n \n \t\t/* Delete stored splash image */\n filename = g_strdup_printf(\"%s\" G_DIR_SEPARATOR_S \"mxit\" G_DIR_SEPARATOR_S \"%s.png\", purple_user_dir(), splashId);\n \t\tg_unlink(filename);\n \t\tg_free(filename);\n \n \t\t/* Clear current splash ID from settings */\n purple_account_set_string(session->acc, MXIT_CONFIG_SPLASHID, \"\");\n purple_account_set_bool(session->acc, MXIT_CONFIG_SPLASHCLICK, FALSE);\n \t}\n }\n \n\nHowever unlike in splash_update, in this case there is no escaping of the filename, allowing an attacker to delete arbitrary png files on the system.\n\n### TIMELINE\n\n2016-04-12 - Initial Vendor Contact \n2016-06-21 - Public Disclosure \n\n\n##### Credit\n\nDiscovered by Yves Younan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0133\n\nPrevious Report\n\nTALOS-2016-0123\n", "edition": 11, "modified": "2016-06-21T00:00:00", "published": "2016-06-21T00:00:00", "id": "TALOS-2016-0128", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0128", "title": "Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability", "type": "talos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:13", "bulletinFamily": "info", "cvelist": ["CVE-2016-2368"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0136\n\n## Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerabilities\n\n##### June 21, 2016\n\n##### CVE Number\n\nCVE-2016-2368\n\n### DESCRIPTION\n\nMultiple memory corruption vulnerabilities exist in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could result in multiple buffer overflows, potentially resulting in code execution or memory disclosure.\n\n### CVSSv3 SCORE\n\n7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### TESTED VERSIONS\n\nPidgin 2.10.11\n\n### PRODUCT URLs\n\nhttps://www.pidgin.im/\n\n### DETAILS\n\nThe MXIT plugin for Pidgin uses the function g_snprintf in about 27 places where it receives the return value of the function. When g_snprintf returns, it will return the number of bytes that would have been written had the buffer been large enough, not the amount of bytes that have actually been written. This is described at https://developer.gnome.org/glib/stable/glib-String-Utility-Functions.html#g-snprintf.\n\nThe MXIT plugin uses the return value of g_snprintf as an index or an offset into the string that is being manipulated in multiple locations without making sure that the return value is within bounds. This could potentially lead to a buffer overflow. While it is recommended that all return values of g_snprintf are checked, the following 12 calls spread over 7 functions appear to be the most problematic as they will copy data that might come from an untrusted location into a string. The following functions are all defined in the file mxit/protocol.c\n\nFunction: mxit_send_invite() Lines: 1015-1024\n \n \n 1015\tdatalen = g_snprintf( data, sizeof( data ),\n \t\"ms=%s%c%s%c%s%c%i%c%s%c%i\",\t\t\t\t\t\t\t\t\tgroupname, CP_FLD_TERM, username, CP_FLD_TERM, alias,\t\tCP_FLD_TERM, MXIT_TYPE_MXIT, CP_FLD_TERM,\n \t( message ? message : \"\" ), CP_FLD_TERM, ( mxitid ? 0 : 1 ));\n \n \t/* queue packet for transmission */\n 1024\tmxit_queue_packet( session, data, datalen, CP_CMD_INVITE );\n \n\nThe data passed into g_snprintf comes from both the server and the user and the return value will be used to specify the bounds of the data to be sent in the function mxit_queue_packet, potentially resulting in an out-of-bounds read of data which will be sent to the server, which might cause an information leak.\n\nFunction: mxit_queue_packet() Lines: 467-479\n \n \n 467\thlen = g_snprintf( header, sizeof( header ), \"id=%s%c\", purple_account_get_username( session->acc ), CP_REC_TERM );\t/* client mxitid */\n \n \tif ( session->http ) {\n \t\t/* http connection only */\n 471\thlen += g_snprintf( header + hlen, sizeof( header ) - hlen, \"s=\");\n \t\tif ( session->http_sesid > 0 ) {\n 473\thlen += g_snprintf( header + hlen, sizeof( header ) - hlen, \"%u%c\", session->http_sesid, CP_FLD_TERM );\t/* http session id */\n \t\t}\n \t\tsession->http_seqno++;\n 476\thlen += g_snprintf( header + hlen, sizeof( header ) - hlen, \"%u%c\", session->http_seqno, CP_REC_TERM );\t\t/* http request sequence id */\n \t}\n \n 479\thlen += g_snprintf( header + hlen, sizeof( header ) - hlen, \"cm=%i%c\", cmd, CP_REC_TERM ); \t\t\t\t\t\t/* packet command */\n \n\nA long user account returned at line 467 will potentially cause buffer overflows at lines 471, 473, 476 or 479.\n\nFunction: mxit_send_message() Lines: 808-817\n \n \n 808\tdatalen = g_snprintf( data, sizeof( data ),\n \t\"ms=%s%c%s%c%i%c%i\",\t\t/* \"ms\"=jid\\1msg\\1type\\1flags */\n to, CP_FLD_TERM, markuped_msg, CP_FLD_TERM, msgtype, CP_FLD_TERM, CP_MSG_MARKUP | CP_MSG_EMOTICON);\n \n \t/* free the resources */\n \tg_free( markuped_msg );\n \n \t/* queue packet for transmission */\n 817\tmxit_queue_packet( session, data, datalen, CP_CMD_TX_MSG );\n \n\nData passed to mxit_send_message comes from the server and the user in the variables to and msg respectively. The variable msg might also contain data coming from the server if it\u00d5s the result of a clicked link. This will subsequently result in an out-of-bounds read of data sent back to the server in mxit_queue_packet, which might cause an information leak.\n\nFunction: mxit_write_http_post() Lines: 355-369\n \n \n 355\treqlen = g_snprintf( request, 256,\n \t\t\t\t\t\"POST %s?%s HTTP/1.1\\r\\n\"\n \t\t\t\t\t\"User-Agent: \" MXIT_HTTP_USERAGENT \"\\r\\n\"\n \t\t\t\t\t\"Content-Type: application/octet-stream\\r\\n\"\n \t\t\t\t\t\"Host: %s\\r\\n\"\n \t\t\t\t\t\"Content-Length: %d\\r\\n\"\n \t\t\t\t\t\"\\r\\n\",\n \t\t\t\t\tsession->http_server,\n \t\t\t\t\tpurple_url_encode( packet->header ),\n \t\t\t\t\thost_name,\n \t\t\t\t\tpacket->datalen - MXIT_MS_OFFSET\n \t);\n \n \t/* copy over the packet body data (could be binary) */\n 369\tmemcpy( request + reqlen, packet->data + MXIT_MS_OFFSET, \n packet->datalen - MXIT_MS_OFFSET );\n \n\nThe size of the packet->header combined with the URL and the other data being printed could result in a value larger than 256, resulting in a buffer overflow at line 369. The packet->header will be set in mxit_queue_packet, which is discussed earlier in this advisory.\n\nFunction: mxit_send_splashclick() Lines 1136-1142\n \n \n 1136\tdatalen = g_snprintf( data, sizeof( data ),\n \t\"ms=%s\",\t/* \"ms\"=splashId */\n \t\t\t\t\t\t\t\tsplashid\n \t);\n \n \t/* queue packet for transmission */\n 1142\tmxit_queue_packet( session, data, datalen, CP_CMD_SPLASHCLICK );\n \n\nSplash id is data that comes from the server, which is used in the g_snprintf() call, potentially resulting in an out-of-bounds read in mxit_queue_packet. Since this data is sent back to the server, this could result in an information leak.\n\nFunction: mxit_send_suggest_search() Lines: 937-946\n \n \n 937\tdatalen = g_snprintf( data, sizeof( data ),\n \"ms=%i%c%s%c%i%c%i%c%i\",CP_SUGGEST_SEARCH, CP_FLD_TERM, text, CP_FLD_TERM, max, CP_FLD_TERM, 0, CP_FLD_TERM, nr_attrib );\n \n \t/* add attributes */\n \tfor ( i = 0; i < nr_attrib; i++ )\n 942\tdatalen += g_snprintf( data + datalen, sizeof( data ) - datalen, \"%c%s\", CP_FLD_TERM, attribute[i] );\n \n \t/* queue packet for transmission */\n 946\tmxit_queue_packet( session, data, datalen, CP_CMD_SUGGESTCONTACTS );\n \n\nThe value text will come from the user, who could be tricked into entering a potential long string. This could then result in a buffer overflow at line 942 and an out-of-bounds read leading to an information leak at line 946.\n\nFunction: mxit_send_msgevent Lines 1162-1168\n \n \n 1162\tdatalen = g_snprintf( data, sizeof( data ),\n \t\"ms=%s%c%s%c%i\",\t\t/* \"ms\"=contactAddress \\1 id \\1 event */\n \tto, CP_FLD_TERM, id, CP_FLD_TERM, event);\n \n \t/* queue packet for transmission */\n 1168\tmxit_queue_packet( session, data, datalen, CP_CMD_MSGEVENT );\n \n\nThe issue is the same as before, to and id come from the server and are used in line 1162, which could result in an information leak at line 1168.\n\n### TIMELINE\n\n2016-04-13 - Vendor Notification \n2016-06-21 - Public Disclosure \n\n\n##### Credit\n\nDiscovered by Yves Younan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0137\n\nPrevious Report\n\nTALOS-2016-0135\n", "edition": 11, "modified": "2016-06-21T00:00:00", "published": "2016-06-21T00:00:00", "id": "TALOS-2016-0136", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0136", "title": "Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerabilities", "type": "talos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:24:56", "bulletinFamily": "info", "cvelist": ["CVE-2016-2380"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0123\n\n## Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability\n\n##### June 21, 2016\n\n##### CVE Number\n\nCVE-2016-2380\n\n### DESCRIPTION\n\nAn information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out of bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and could lead to a potential out-of-bounds read.\n\n### CVSSv3 SCORE\n\n3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\n\n### TESTED VERSIONS\n\nPidgin 2.10.11\n\n### PRODUCT URLs\n\nhttps://www.pidgin.im/\n\n### DETAILS\n\nWhen a message is sent by Pidgin to the server, it has to convert the markup from libpurple (HTML-based) markup to MXIT markup. To do this, the function mxit_convert_markup_tx defined in the file markup.c will be called. This function will copy the data from the old string message to the new string mx, converting it along the way.\n\nHowever, at lines 1146-1154 it will convert the markup to change the font color without checking the length of the string that is remaining:\n \n \n 1146\telse if ( purple_str_has_prefix( &message[i], \"<font color=\" ) ) {\n \t\t\t/* font colour */\n \t\t\ttag = g_new0( struct tag, 1 );\n \t\t\ttag->type = MXIT_TAG_COLOR;\n \t\t\ttagstack = g_list_append( tagstack, tag );\n \t\t\tmemset( color, 0x00, sizeof( color ) );\n \t\t\tmemcpy( color, &message[i + 13], 7 );\n \t\t\tg_string_append( mx, color );\n 1154\t}\n \n\nIt will compare if the string starts with <font color= at the current position in the message at line 1146. If it does it will copy 7 bytes from 1 element past the end of `=`, presumably to skip over the `#` tag. However, if `<font color=` is at the end of the string then this will result in an out-of-bounds read of message. Since one byte after the end of the `=` will be skipped over, the NULL termination string will be skipped over, allowing the 7 bytes of data behind the string to be copied to the mx, which is the string that will be sent to the server.\n\n### TIMELINE\n\n2016-04-13 - Vendor Notification \n2016-06-21 - Public Disclosure \n\n\n##### Credit\n\nDiscovered by Yves Younan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0128\n\nPrevious Report\n\nTALOS-2016-0120\n", "edition": 11, "modified": "2016-06-21T00:00:00", "published": "2016-06-21T00:00:00", "id": "TALOS-2016-0123", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0123", "title": "Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability", "type": "talos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-07-01T21:24:56", "bulletinFamily": "info", "cvelist": ["CVE-2016-2367"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0135\n\n## Pidgin MXIT Avatar Length Memory Disclosure Vulnerability\n\n##### June 21, 2016\n\n##### CVE Number\n\nCVE-2016-2367\n\n### DESCRIPTION\n\nAn information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out of bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the avatar is sent to another user.\n\n### CVSSv3 SCORE\n\n5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### TESTED VERSIONS\n\nPidgin 2.10.11\n\n### PRODUCT URLs\n\nhttps://www.pidgin.im/\n\n### DETAILS\n\nWhen an avatar is received via the MXIT server, the server will send a CP_CHUNK_GET_AVATAR command. This will be handled by the function mxit_parse_cmd_media at lines 2208-2234 of mxit/protocol.c:\n \n \n case CP_CHUNK_GET_AVATAR :\t\t\t/* get avatars */\n {\n \tstruct getavatar_chunk chunk;\n \tstruct contact* contact = NULL;\n \t/* decode the chunked data */\n \tmemset( &chunk, 0, sizeof( struct getavatar_chunk ) );\n \tmxit_chunk_parse_get_avatar( &records[0]->fields[0]->data[sizeof( char ) + sizeof( int )], records[0]->fields[0]->len, &chunk );\n \n \t/* update avatar image */\n \tif ( chunk.data ) {\n \t\tpurple_debug_info( MXIT_PLUGIN_ID, \"updating avatar for contact '%s'\\n\", chunk.mxitid );\n \n \t\tcontact = get_mxit_invite_contact( session, chunk.mxitid );\n \n \t\tif ( contact ) {\n \t\t\t/* this is an invite (add image to the internal image store) */\n \t\t\tcontact->imgid = purple_imgstore_add_with_id( g_memdup( chunk.data, chunk.length ), chunk.length, NULL );\n \n \t\t\t/* show the profile */\n \t\t\tmxit_show_profile( session, chunk.mxitid, contact->profile );\n \t\t}\n \t\telse {\n \t\t\t/* this is a contact's avatar, so update it */\n \t\t\tpurple_buddy_icons_set_for_user( session->acc, chunk.mxitid, g_memdup( chunk.data, chunk.length ), chunk.length, chunk.avatarid );\n \t\t}\n \t}\n }\n \n\nAt line 2215 it will call the function mxit_chunk_parse_get_avatar() which will read the size of the chunk from the data at line 683 of mxit/chunk.c:\n \n \n pos += get_int32( &chunkdata[pos], &(avatar->length) );\n \n\nIf the length of the chunk that was specified is longer than the buffer, it will result in an out-of-bounds read and the resulting data in memory will be written after the received avatar. Depending on the memory layout of the program at the time the vulnerability is triggered this could result in a scenario where either program crashes because pages are not accessible or where sensitive data is leaked from memory into the file. The user may decide to copy this avatar to other places or might send it to another user which would result in the leaking of this data.\n\n### TIMELINE\n\n2016-04-13 - Vendor Notification \n2016-06-21 - Public Disclosure \n\n\n##### Credit\n\nDiscovered by Yves Younan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0136\n\nPrevious Report\n\nTALOS-2016-0134\n", "edition": 11, "modified": "2016-06-21T00:00:00", "published": "2016-06-21T00:00:00", "id": "TALOS-2016-0135", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0135", "title": "Pidgin MXIT Avatar Length Memory Disclosure Vulnerability", "type": "talos", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:P"}}, {"lastseen": "2020-07-01T21:25:17", "bulletinFamily": "info", "cvelist": ["CVE-2016-2366"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0134\n\n## Pidgin MXIT Table Command Denial of Service Vulnerability\n\n##### June 21, 2016\n\n##### CVE Number\n\nCVE-2016-2366\n\n### DESCRIPTION\n\nA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.\n\n### CVSSv3 SCORE\n\n5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### TESTED VERSIONS\n\nPidgin 2.10.11\n\n### PRODUCT URLs\n\nhttps://www.pidgin.im/\n\n### DETAILS\n\nIn the function command_table in mxit/formcmds.c at lines 531 and 535, the number of rows and columns for the table are received from the server.\n \n \n 531 nr_columns = atoi(tmp);\n ..\n 535 nr_rows = atoi(tmp);\n \n\nThese two values are then used in loops at line 547 and 548 and to access an array at line 549.\n \n \n 547 for (i = 0; i < nr_rows; i++) {\n \tfor (j = 0; j < nr_columns; j++) {\n 549\t\tpurple_debug_info(MXIT_PLUGIN_ID, \" Row %i Column %i = %s\\n\", i, j, coldata[i*nr_columns + j]);\n \t}\n }\n \n\nAn attacker can cause access to unmapped memory addresses, resulting in a denial of service.\n\n### TIMELINE\n\n2016-04-13 - Vendor Notification \n2016-06-21 - Public Disclosure \n\n\n##### Credit\n\nDiscovered by Yves Younan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0135\n\nPrevious Report\n\nTALOS-2016-0133\n", "edition": 11, "modified": "2016-06-21T00:00:00", "published": "2016-06-21T00:00:00", "id": "TALOS-2016-0134", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0134", "title": "Pidgin MXIT Table Command Denial of Service Vulnerability", "type": "talos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-01T21:25:20", "bulletinFamily": "info", "cvelist": ["CVE-2016-2378"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0120\n\n## Pidgin MXIT get_utf8_string Code Execution Vulnerability\n\n##### June 21, 2016\n\n##### CVE Number\n\nCVE-2016-2378\n\n### DESCRIPTION\n\nA buffer overflow vulnerability exists in the handling of the MXIT protocol Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negative length values to trigger this vulnerability.\n\n### CVSSv3 SCORE\n\n8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### TESTED VERSIONS\n\nPidgin 2.10.11\n\n### PRODUCT URLs\n\nhttps://www.pidgin.im/\n\n### DETAILS\n\nThe function get_utf8_string, defined at line 231 in libpurple/protocols/mxit/chunk.c will take a maximum string length as argument. Usually this is passed in as the size of the string str that is being written to.\n\nIt will read the length of the string at line 238 and check to ensure that it is not larger than the maximum string length at line 240. If it is, it will set the length to be equal to maxstrlen.\n \n \n 238\tpos += get_int16( &chunkdata[pos], &len );\n 239\t\n 240\tif ( len > maxstrlen ) {\n \t\u2026\n 243 skip = len - maxstrlen;\n 244\tlen = maxstrlen;\n 245\t}\n \n\nHowever, len is a signed short that will be read from nthos, which will read an unsigned integer, but because len is signed it will be cast to a signed integer. If the value of len is a large positive value it will be cast to a negative value, bypassing the size check at line 240.\n\nThe call to get_data at line 248 will then result in a buffer overflow: 248 pos += get_data( &chunkdata[pos], str, len );\n\nThe function get_data will end up calling memcpy which expects an unsigned size parameter and will interpret a negative value as a large positive value.\n\n### TIMELINE\n\n2016-04-13 - Vendor Notification \n2016-06-21 - Public Disclosure \n\n\n##### Credit\n\nDiscovered by Yves Younan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0123\n\nPrevious Report\n\nTALOS-2016-0119\n", "edition": 11, "modified": "2016-06-21T00:00:00", "published": "2016-06-21T00:00:00", "id": "TALOS-2016-0120", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0120", "title": "Pidgin MXIT get_utf8_string Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:30", "bulletinFamily": "info", "cvelist": ["CVE-2016-2369"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0137\n\n## Pidgin MXIT CP_SOCK_REC_TERM Denial of Service Vulnerability\n\n##### June 21, 2016\n\n##### CVE Number\n\nCVE-2016-2369\n\n### DESCRIPTION\n\nAn NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerability. A malicious server can send a packet starting with a NULL byte triggering the vulnerability.\n\n### CVSS v3 SCORE\n\n5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### TESTED VERSIONS\n\nPidgin 2.10.11\n\n### PRODUCT URLs\n\nhttps://www.pidgin.im/\n\n### DETAILS\n\nThe function mxit_parse_packet() in mxit/protocol.c is called when data is received from an MXIT server to parse the relevant stream of bytes into an MXIT packet.\n\nWhen the packet is received, a new record is created in the packet to reflect the data (near line 2672):\n \n \n rec = NULL;\n field = NULL;\n memset( &packet, 0x00, sizeof( struct rx_packet ) );\n \trec = add_record( &packet );\n \n\nThe function add_record does the following:\n \n \n static struct record* add_record( struct rx_packet* p )\n {\n \tstruct record*\trec;\n \trec = g_new0( struct record, 1 );\n \tp->records = g_realloc( p->records, \n \tsizeof( struct record* ) * ( p->rcount + 1 ) );\n \tp->records[p->rcount] = rec;\n \tp->rcount++;\n \n \treturn rec;\n }\n \n\nThis will create a record in the packet and increase the rcount variable by 1.\n\nAt lines 2679-2744 the packet is further analyzed and broken up into records and fields depending on if the separator being used is 0x0, 0x1 or 0x2.\n\nThe following code if of particular interest:\n \n \n while ( ( i < session->rx_i ) && ( !pbreak ) ) {\n \tswitch ( session->rx_dbuf[i] ) {\n \t\tcase CP_SOCK_REC_TERM :\n \t\t\t/* new record */\n \t\t\tif ( packet.rcount == 1 ) {\n \t\t\t\t/* packet command */\n \t\t\t\tpacket.cmd = atoi( packet.records[0]->fields[0]->data );\n \t\t\t}\n \n\nThe value CP_SOCK_REC_TERM indicates that the end of a record is reached and it will retrieve the command that the packet is sending. However, if the packet starts with a NULL byte then the fields value for the record will not have been initialized resulting in a crash when trying to dereference it at line 2686.\n\n### TIMELINE\n\n2016-04-13 - Vendor Notification \n2016-06-21 - Public Disclosure \n\n\n##### Credit\n\nDiscovered by Yves Younan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0138\n\nPrevious Report\n\nTALOS-2016-0136\n", "edition": 12, "modified": "2016-06-21T00:00:00", "published": "2016-06-21T00:00:00", "id": "TALOS-2016-0137", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0137", "title": "Pidgin MXIT CP_SOCK_REC_TERM Denial of Service Vulnerability", "type": "talos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-01T21:25:16", "bulletinFamily": "info", "cvelist": ["CVE-2016-2377"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0119\n\n## Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability\n\n##### June 21, 2016\n\n##### CVE Number\n\nCVE-2016-2377\n\n### DESCRIPTION\n\nA buffer vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server could potentially result in an out of bounds write of one byte. A malicious server can send a negative content-length in response to a HTTP request triggering the vulnerability.\n\n### CVSSv3 SCORE\n\n8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### TESTED VERSIONS\n\nPidgin 2.10.11\n\n### PRODUCT URLs\n\nhttps://www.pidgin.im/\n\n### DETAILS\n\nWhen receiving a reply to a HTTP request from the HTTP server the callback function mxit_cb_http_read(), defined in mxit/http.c, will be called.\n\nThis function will parse the HTTP headers and then send the body off for processing as a regular MXIT packet. As part of HTTP header parsing that occurs, the CONTENT_LENGTH is read from the headers at lines 178-185:\n \n \n 178\t\tch += strlen( HTTP_CONTENT_LEN );\n \t\ttmp = strchr( ch, '\\r' );\n \t\tif ( !tmp ) {\n purple_debug_error( MXIT_PLUGIN_ID, \"Received bad HTTP reply packet (ignoring packet)\\n\" );\n \t\t\tgoto done;\n \t\t}\n \t\ttmp = g_strndup( ch, tmp - ch );\n 185\t\tbodylen = atoi( tmp );\n \n\nBodylen is defined as a signed integer and thus the input read from the HTTP header could be negative. There is a size check at lines 189-192:\n \n \n 189\t\tif ( buflen + bodylen >= CP_MAX_PACKET ) {\n \t\t\t/* this packet is way to big */\n \t\t\tgoto done;\n 192\t\t}\n \n\nHowever this check will pass if bodylen is set to a negative value.\n\nAt line 206 bodylen is copied to the variable session->rx_i which is an unsigned integer, thus casting a potential negative bodylen to a large positive value.\n \n \n 206\t\tsession->rx_i = bodylen;\n \n\nThis value is then later used to control a loop when the packet is processed in the function mxit_parse_packet in mxit/procotol.c at line 2669:\n \n \n 2669\t\twhile ( i < session->rx_i ) {\n \n\nThe index i is subsequently used a multiple locations to write to the buffer rx_dbuf, including at lines 2713, 2720 and 2729. This could allow an attacker to execute a buffer overflow on the buffer rx_dbuf.\n\n### TIMELINE\n\n2016-04-13 - Vendor Notification \n2016-06-21 - Public Disclosure \n\n\n##### Credit\n\nDiscovered by Yves Younan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0120\n\nPrevious Report\n\nTALOS-2016-0118\n", "edition": 11, "modified": "2016-06-21T00:00:00", "published": "2016-06-21T00:00:00", "id": "TALOS-2016-0119", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0119", "title": "Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:06", "bulletinFamily": "info", "cvelist": ["CVE-2016-2370"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0138\n\n## Pidgin MXIT Custom Resource Denial of Service Vulnerability\n\n##### June 21, 2016\n\n##### CVE Number\n\nCVE-2016-2370\n\n### DESCRIPTION\n\nA denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. A malicious server or man-in-the-middle can send invalid data to trigger this vulnerability.\n\n### CVSSv3 SCORE\n\n5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### TESTED VERSIONS\n\nPidgin 2.10.11\n\n### PRODUCT URLs\n\nhttps://www.pidgin.im/\n\n### DETAILS\n\nThe function mxit_chunk_parse_cr() in the file mxit/chunk.c is used to parse custom resources like a new splash image. These type of resources are sent as part of a multimedia packet.\n\nAt lines 573 the length of the chunk is read from the chunk being parsed without bounds checks. This chunk can contain one or more resource chuncks that are set at line 577. The size of the resource chunk is contained at the top of the chunk and again the size is read without bounds checks at lines 587 and 604:\n \n \n 573\tpos += get_int32( &chunkdata[pos], &chunklen );\n \n \t/* parse the resource chunks */\n \twhile ( chunklen > 0 ) {\n 577\t\tgchar* chunk = &chunkdata[pos];\n \n \t\t/* start of chunk data */\n \t\tpos += MXIT_CHUNK_HEADER_SIZE;\n \n 582\t\tswitch ( chunk_type( chunk ) ) {\n \t\t\tcase CP_CHUNK_SPLASH :\t\t\t/* splash image */\n \t\t\t\t{\n \t\t\t\t\tstruct splash_chunk* splash = g_new0( struct splash_chunk, 1 );\n \n 587\t\t\t\t\tmxit_chunk_parse_splash( &chunkdata[pos], chunk_length( chunk ), splash );\n \n \t\t\t\t\tcr->resources = g_list_append( cr->resources, splash );\n \t\t\t\t\tbreak;\n \t\t\t\t}\n \t\t\tcase CP_CHUNK_CLICK :\t\t\t/* splash click */\n \t\t\t\t{\n \t\t\t\t\tstruct splash_click_chunk* click = g_new0( struct splash_click_chunk, 1 );\n \n \t\t\t\t\tcr->resources = g_list_append( cr->resources, click );\n \t\t\t\t\tbreak;\n \t\t\t\t}\n \t\t\tdefault:\n \t\t\t\tpurple_debug_info( MXIT_PLUGIN_ID, \"Unsupported custom resource chunk received (%i)\\n\", chunk_type( chunk) );\n \t\t}\n \n \t\t/* skip over data to next resource chunk */\n 604\t\tpos += chunk_length( chunk );\n \t\tchunklen -= ( MXIT_CHUNK_HEADER_SIZE + chunk_length( chunk ) );\n \n\nThis length is then used to access data in the chunk at lines 582 and 587, resulting in an out-of-bounds read. This data is not sent back to the server, so it is unlikely to result in an information leak vulnerability, but could result in a denial of service when accessing the out-of-bounds memory if the accessed location is not an allocated memory region.\n\n### TIMELINE\n\n2016-04-13 - Vendor Notification \n2016-06-21 - Public Disclosure \n\n\n##### Credit\n\nDiscovered by Yves Younan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0139\n\nPrevious Report\n\nTALOS-2016-0137\n", "edition": 11, "modified": "2016-06-21T00:00:00", "published": "2016-06-21T00:00:00", "id": "TALOS-2016-0138", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0138", "title": "Pidgin MXIT Custom Resource Denial of Service Vulnerability", "type": "talos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-01T21:24:58", "bulletinFamily": "info", "cvelist": ["CVE-2016-2374"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0142\n\n## Pidgin MXIT MultiMX Message Code Execution Vulnerability\n\n##### June 21, 2016\n\n##### CVE Number\n\nCVE-2016-2374\n\n### DESCRIPTION\n\nAn exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution.\n\n### CVSSv3 SCORE\n\n8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### TESTED VERSIONS\n\nPidgin 2.10.11\n\n### PRODUCT URLs\n\nhttps://www.pidgin.im/\n\n### DETAILS\n\nThe function multimx_message_received defined in mxit/multimx.c will be called when a message is received from a MultiMX room. This message will be parsed and it will check if the message is coming from a particular user (if it contains a nickname) or from the system.\n\nIf the received message starts with a `<` then a nickname is embedded and the server will search for a corresponding `>`. The code to handle is at lines 358-374:\n \n \n 354\tif (msg[0] == '<') {\n \t\t/* Message contains embedded nickname - must be from contact */\n \t\tunsigned int i;\n \n \t\tfor (i = 1; i < strlen(msg); i++) {\t\t\n \t\t\t/* search for end of nickname */\n \t\t\tif (msg[i] == '>') {\n \t\t\t\tmsg[i] = '\\0';\n \t\t\t\tg_free(mx->from);\n \t\t\t\tmx->from = g_strdup(&msg[1]);\n 367\t\t\t\tmsg = &msg[i+2];\t\t/* skip '>' and newline */\n \t\t\t\tbreak;\n \t\t\t}\n \t\t}\n \n \t\t/* now do markup processing on the message */\n \t\tmx->chatid = multimx->chatid;\n 374\t\tmxit_parse_markup(mx, msg, strlen(msg), msgtype, msgflags);\n \n\nIf a message only contains a nickname followed by a NULL, then msg at line 367 will point out of bounds of the string.\n\nThis string is subsequently processed for markup at line 374. The mxit_parse_markup function allows for a number of scenarios to exploit this out-of-bounds access vulnerability. If the out-of-bounds data contains some user-controlled values, then the attacker can direct the markup down a number of paths. This can include an information leak where the markup contains a directive to download an emoticon string or a command to download an image (MXIT_CMD_IMAGE), both will send data from the string back via a URL request.\n\nAnother avenue of attack is to perform an out-of-bounds write which could potentially lead to code execution. The string being parsed is written to at multiple locations, including at line 578 in mxit/formcmds.c:\n \n \n \tstart = message + 2;\n \tend = strstr(start, \":\");\n \tif (end) {\n \t\t/* end of a command found */\n 578\t\t*end = '\\0';\t\t/* terminate command string */\n \n\nAnd line 864 of of markup.c:\n \n \n \tch = strstr( &message[i + 1], \"$\" );\n \tif ( ch ) {\n \t\t/* end found */\n 864\t\t*ch = '\\0';\n \n\n### TIMELINE\n\n2016-04-13 - Vendor Notification \n2016-06-21 - Public Disclosure \n\n\n##### Credit\n\nDiscovered by Yves Younan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0143\n\nPrevious Report\n\nTALOS-2016-0141\n", "edition": 11, "modified": "2016-06-21T00:00:00", "published": "2016-06-21T00:00:00", "id": "TALOS-2016-0142", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0142", "title": "Pidgin MXIT MultiMX Message Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}
