Bugzilla – Bug 991691
VUL-0: CVE-2016-2371: pidgin: MXIT Extended Profiles Code Execution Vulnerability
Last modified: 2018-07-06 14:37:00 UTC
rh#1348873

An out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.

External references:
http://www.talosintel.com/reports/TALOS-2016-0139/
http://www.pidgin.im/news/security/?id=104

Upstream fix:
https://bitbucket.org/pidgin/main/commits/7b52ca213832

https://bugzilla.redhat.com/show_bug.cgi?id=1348873
both in sle11 and sle12.
bugbot adjusting priority
Backport to SLE11 here: https://build.suse.de/request/show/121071 SLE12SP2 updated to 2.11.0 hence not affected.
New SLE11 submission here: https://build.suse.de/request/show/121072 Use the patch exported from mercurial instead.
SUSE-SU-2016:2416-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 991691,991709,991711,991712,991715
CVE References: CVE-2016-2367,CVE-2016-2370,CVE-2016-2371,CVE-2016-2372,CVE-2016-2373
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): pidgin-2.6.6-0.29.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): pidgin-2.6.6-0.29.1
With Mxit having officially shut down its services in 2016 and pidgin having dropped support for the protocol since 2.12, efforts to backport the fix won't make much sense. Discussed with Johannes and decided to close this as WONTFIX.