CVE-2016-2380
Severity: low
CVSS v3: 3.1
CVSS v2: 4.3
VIR risk: 3.1
Description
An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and could lead to a potential out-of-bounds read.
Predictions
Exploit likelihood: 42%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-2380
Vendor advisory: cret@cert.org — http://www.pidgin.im/news/security/?id=96
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2016-2380.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | 8.0 | affected | |
| ubuntu | 12.04 | affected | |
| ubuntu | 14.04 | affected | |
| ubuntu | 15.10 | affected | |
| debian | bookworm | fixed | 2.11.0-1 |
| debian | bullseye | fixed | 2.11.0-1 |
| debian | forky | fixed | 2.11.0-1 |
| debian | sid | fixed | 2.11.0-1 |
| debian | trixie | fixed | 2.11.0-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| pidgin | pidgin | up to and including 2.10.12 | |
References
- https://www.suse.com/security/cve/CVE-2016-2380.html
- http://www.debian.org/security/2016/dsa-3620
- http://www.pidgin.im/news/security/?id=96
- http://www.securityfocus.com/bid/91335
- http://www.talosintelligence.com/reports/TALOS-2016-0123/
- http://www.ubuntu.com/usn/USN-3031-1
- https://security.gentoo.org/glsa/201701-38
- https://security-tracker.debian.org/tracker/CVE-2016-2380
CWEs
CWE-125, CWE-200