CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS
Percentile: 71.5%
CVE-2016-2380
An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then be converted incorrectly and could lead to an out-of-bounds read.
CVSS 3.0 base score: 3.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
Pidgin 2.10.11
When a message is sent by Pidgin to the server, it has to convert the libpurple (HTML-based) markup to MXIT markup. To do this, the function mxit_convert_markup_tx defined in the file markup.c is called. This function copies the data from the old string, message, to the new string, mx, converting the markup along the way.
However, at lines 1146-1154 it converts the markup that changes the font colour without checking how much of the string remains:
1146    else if ( purple_str_has_prefix( &message[i], "<font color=" ) ) {
1147        /* font colour */
1148        tag = g_new0( struct tag, 1 );
1149        tag->type = MXIT_TAG_COLOR;
1150        tagstack = g_list_append( tagstack, tag );
1151        memset( color, 0x00, sizeof( color ) );
1152        memcpy( color, &message[i + 13], 7 );
1153        g_string_append( mx, color );
1154    }
At line 1146 it checks whether the message, at the current position i, starts with <font color=. If it does, it copies 7 bytes starting one element past the end of the =, presumably to skip over the # tag. However, if <font color= is at the end of the string, this results in an out-of-bounds read of message: because the byte immediately after the = is skipped, the NUL terminator of the string is skipped as well, and the 7 bytes of memory behind the string are copied into mx, which is the string that is then sent to the server.
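To make the missing check concrete, the following is an added example (not Pidgin's code): an unchecked copy that mirrors the pattern at lines 1146-1154, placed beside a hardened version that verifies the tag and all 7 colour bytes lie before the terminating NUL. The function names, the constants and the sample messages are constructed for this illustration; the "leaky" sample keeps known bytes after the NUL inside one array so the unchecked read stays within that array.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not Pidgin's code. Both functions mirror the copy at
 * lines 1146-1154: the colour value is expected 13 bytes after the start of
 * "<font color=" (one past the '=') and is 7 bytes long ("#rrggbb"). */
#define FONT_COLOR_TAG     "<font color="
#define FONT_COLOR_TAG_LEN (sizeof(FONT_COLOR_TAG) - 1)   /* 12 */
#define COLOR_LEN          7

/* Unchecked variant: the original pattern. It reads 7 bytes after the tag
 * without consulting the string length, so a message ending in "<font color="
 * steps over the NUL terminator and copies whatever follows it. */
void extract_font_color_unchecked(const char *message, size_t i, char out[COLOR_LEN + 1]) {
    memset(out, 0x00, COLOR_LEN + 1);
    memcpy(out, &message[i + FONT_COLOR_TAG_LEN + 1], COLOR_LEN);
}

/* Hardened variant: confirm the tag is present at i and that all 7 colour
 * bytes sit before the terminating NUL before copying anything.
 * Returns 1 and fills out on success, 0 (out untouched) otherwise. */
int extract_font_color_checked(const char *message, size_t i, char out[COLOR_LEN + 1]) {
    size_t len = strlen(message);
    if (i > len || len - i < FONT_COLOR_TAG_LEN ||
        memcmp(&message[i], FONT_COLOR_TAG, FONT_COLOR_TAG_LEN) != 0)
        return 0;                                  /* no tag at this position */
    size_t start = i + FONT_COLOR_TAG_LEN + 1;     /* skip the '=' and the quote */
    if (start > len || len - start < COLOR_LEN)
        return 0;                                  /* truncated: would read past the NUL */
    memcpy(out, &message[start], COLOR_LEN);
    out[COLOR_LEN] = '\0';
    return 1;
}

/* Constructed samples. In leaky_message the tag ends the string and the bytes
 * after the NUL stand in for whatever happens to sit behind it in memory. */
static const char leaky_message[] = "<font color=\0SECRET!!";
static const char good_message[]  = "<font color=\"#ff0000\">hi</font>";
```

The unchecked function returns "SECRET!" for leaky_message, i.e. bytes that were never part of the user's message; the checked one refuses it and only succeeds on good_message.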
2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure
Discovered by Yves Younan of Cisco Talos.