Bug 991703 (CVE-2016-2366) - VUL-0: CVE-2016-2366: pidgin: MXIT Table Command Denial of Service Vulnerability
Summary: VUL-0: CVE-2016-2366: pidgin: MXIT Table Command Denial of Service Vulnerability
Status: RESOLVED WONTFIX
Alias: CVE-2016-2366
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Felix Zhang
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170408/
Whiteboard: CVSSv2:RedHat:CVE-2016-2366:2.6:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-02 13:09 UTC by Marcus Meissner
Modified: 2018-07-06 14:37 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-08-02 13:09:02 UTC 
rh#1348862

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.

External references:

http://www.talosintel.com/reports/TALOS-2016-0134/
http://www.pidgin.im/news/security/?id=99

Upstream fix:

https://bitbucket.org/pidgin/main/commits/abdc3025f6b8

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1348862
Comment 1 Marcus Meissner 2016-08-02 13:11:22 UTC 
code is in sle12
code seems not to be in sle11 pidgin
Comment 2 Swamp Workflow Management 2016-08-02 22:01:49 UTC 
bugbot adjusting priority
Comment 3 Felix Zhang 2016-09-12 12:36:49 UTC 
Fixed in 2.11.0. I can confirm the fix is in SLE12SP2 source code.
Comment 4 Felix Zhang 2018-06-11 13:45:50 UTC 
With Mxit officially shut down its services in 2016 and pidgin dropped support to the protocol since 2.12. Efforts to backport the fix won't make much sense.
Discussed with Johannes and decided to close this as WONTFIX.