Bugzilla – Bug 991709
VUL-0: CVE-2016-2373: pidgin: MXIT Contact Mood Denial of Service Vulnerability
Last modified: 2018-07-06 14:37:17 UTC
rh#1348877 A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or user can send an invalid mood to trigger this vulnerability.

External references:
http://www.talosintel.com/reports/TALOS-2016-0141/
http://www.pidgin.im/news/security/?id=106

Upstream fixes:
https://bitbucket.org/pidgin/main/commits/e6159ad42c4c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1348877
sle11 and sle12 are affected
bugbot adjusting priority
SLE11 backport here: https://build.suse.de/request/show/121073
SLE12SP2 updated to 2.11.0, hence not affected.
SUSE-SU-2016:2416-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 991691,991709,991711,991712,991715
CVE References: CVE-2016-2367,CVE-2016-2370,CVE-2016-2371,CVE-2016-2372,CVE-2016-2373

Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): pidgin-2.6.6-0.29.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): pidgin-2.6.6-0.29.1
With Mxit having officially shut down its services in 2016 and Pidgin having dropped support for the protocol since 2.12, efforts to backport the fix won't make much sense. Discussed with Johannes and decided to close this as WONTFIX.