CVE-2016-2371

2016-06-2300:00:00

ubuntu.com

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.007 Low

EPSS

Percentile

80.7%

JSON

An out-of-bounds write vulnerability exists in the handling of the MXIT
protocol in Pidgin. Specially crafted MXIT data sent via the server could
cause memory corruption resulting in code execution.

Notes

Author	Note
seth-arnold	This patch doesn’t enforce upper-limits; it seems insufficient to me.
mdeslaur	patch listed in upstream avisory is wrong, it is actually the fix for CVE-2016-2369

OSVersionArchitecturePackageVersionFilename
ubuntu12.04noarchpidgin< 1:2.10.3-0ubuntu1.7UNKNOWN
ubuntu14.04noarchpidgin< 1:2.10.9-0ubuntu3.3UNKNOWN
ubuntu15.10noarchpidgin< 1:2.10.11-0ubuntu4.2UNKNOWN
ubuntu16.04noarchpidgin< 1:2.10.12-0ubuntu5.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	12.04	noarch	pidgin	< 1:2.10.3-0ubuntu1.7	UNKNOWN
ubuntu	14.04	noarch	pidgin	< 1:2.10.9-0ubuntu3.3	UNKNOWN
ubuntu	15.10	noarch	pidgin	< 1:2.10.11-0ubuntu4.2	UNKNOWN
ubuntu	16.04	noarch	pidgin	< 1:2.10.12-0ubuntu5.1	UNKNOWN