[arch-security] [ASA-201606-24] libpurple: multiple issues
Arch Linux Security Advisory ASA-201606-24
==========================================

Severity: Critical
Date    : 2016-06-25
CVE-ID  : CVE-2016-2365 CVE-2016-2366 CVE-2016-2367 CVE-2016-2368
          CVE-2016-2369 CVE-2016-2370 CVE-2016-2371 CVE-2016-2372
          CVE-2016-2373 CVE-2016-2374 CVE-2016-2375 CVE-2016-2376
          CVE-2016-2377 CVE-2016-2378 CVE-2016-2380 CVE-2016-4323
Package : libpurple
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package libpurple before version 2.11.0-1 is vulnerable to multiple issues including information leakage, denial of service, directory traversal and arbitrary code execution.

Resolution
==========

Upgrade to 2.11.0-1.

# pacman -Syu "libpurple>=2.11.0-1"

The problems have been fixed upstream in version 2.11.0.

Workaround
==========

All flaws have been found in the support for the MXit protocol. libpurple is therefore only vulnerable when this protocol is used, so disabling MXit accounts until the package can be upgraded should be enough.

Description
===========

- CVE-2016-2365 (denial of service)

Specially crafted MXIT data sent via the server could potentially result in a NULL pointer dereference.

- CVE-2016-2366 (denial of service)

Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read.

- CVE-2016-2367 (information leakage, denial of service)

Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. This issue can also potentially leak sensitive information from memory into the data after the avatar, which can then be transferred when the avatar is copied.

- CVE-2016-2368 (arbitrary code execution)

Specially crafted MXIT data sent via the server could potentially result in a buffer overflow. The MXIT plugin for Pidgin uses the function g_snprintf() in about 27 places where it uses the return value of the function. g_snprintf() returns the number of bytes that would have been written had the buffer been large enough, not the number of bytes that were actually written. In multiple locations the MXIT plugin uses this return value as an index or an offset into the string being manipulated without making sure that it is within bounds.

- CVE-2016-2369 (denial of service)

Specially crafted MXIT data sent via the server could potentially result in a NULL pointer dereference.

- CVE-2016-2370 (denial of service)

Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read.

- CVE-2016-2371 (arbitrary code execution)

Specially crafted MXIT data sent via the server could potentially result in a buffer overflow. The function mxit_parse_cmd_extprofile() is called when extended profile packets are received from the server. A malicious server, an attacker who intercepts the network traffic or a potentially malicious user (if the data is not validated by the server) can send an invalid number of records, which could result in an out-of-bounds write.

- CVE-2016-2372 (information leakage, denial of service)

Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. This issue can also potentially leak sensitive information by appending data from memory to the end of a received file.

- CVE-2016-2373 (denial of service)

Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or user can send an invalid mood to trigger this vulnerability.

- CVE-2016-2374 (arbitrary code execution)

A specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution.

- CVE-2016-2375 (information leakage)

Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. In the function mxit_parse_cmd_suggestcontacts() in the file mxit/protocol.c at line 2020 the number of attributes will be read from the incoming packet into the variable count.

- CVE-2016-2376 (arbitrary code execution)

Specially crafted MXIT data sent from the server could potentially result in a buffer overflow. The function mxit_cb_rx in the file mxit/protocol.c is a callback function that Pidgin calls whenever data arrives from the MXIT server. When data is received, the size of the incoming packet is also read at line 2825. A check at line 2826 is meant to ensure that this size is not larger than the maximum size an MXIT packet can have, which is defined as CP_MAX_PACKET; this is also the size of the buffer the data is read into. However, if the size is larger than CP_MAX_PACKET, an error is logged but execution simply continues. Moreover, if the size is negative (possible since rx_res is an int), no error is logged and execution also continues.

- CVE-2016-2377 (arbitrary code execution)

Specially crafted MXIT data sent by the server could potentially result in an out-of-bounds write of one byte.

- CVE-2016-2378 (arbitrary code execution)

Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption.

- CVE-2016-2380 (information leakage)

Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then be converted incorrectly and could lead to a potential out-of-bounds read.

- CVE-2016-4323 (directory traversal)

Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splash image, triggering the vulnerability.
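The two root causes the advisory spells out, the g_snprintf() return value used as an offset (CVE-2016-2368) and the receive-size check that logs but does not reject (CVE-2016-2376), are generic C bugs worth seeing in isolation. The block below is an added illustration written for this page; it is not code from libpurple or the MXit plugin. The buffer sizes (FIELD_MAX, the numeric value of CP_MAX_PACKET) and the function names (naive_offset, append_field, receive_packet) are constructed for the demo. naive_offset() only computes the offset the unchecked pattern would use, so the oversize can be observed without an out-of-bounds access; append_field() and receive_packet() are the fail-closed forms.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes for the demo. CP_MAX_PACKET is the name the advisory
 * uses for the maximum MXit packet size; the value here is a placeholder. */
#define CP_MAX_PACKET 64
#define FIELD_MAX     16

/* --- Pattern behind CVE-2016-2368: trusting the snprintf() return value ---
 * snprintf()/g_snprintf() return the length the full output WOULD have had,
 * not the number of bytes actually stored.  Code of the form
 *     n = snprintf(buf, sizeof buf, ...); buf[n] = ...;
 * therefore indexes past `buf` as soon as the formatted text does not fit. */

/* Returns the offset the unchecked pattern would use after formatting `name`
 * into a FIELD_MAX-byte buffer.  It only computes the value and never writes
 * at that offset, so the caller can compare it with FIELD_MAX safely. */
size_t naive_offset(const char *name)
{
    char buf[FIELD_MAX];
    int n = snprintf(buf, sizeof buf, "name=%s;", name);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened append: advance `*pos` only by what was really stored and report
 * truncation instead of silently walking off the end of `buf`. */
bool append_field(char *buf, size_t cap, size_t *pos,
                  const char *key, const char *val)
{
    if (cap == 0 || *pos >= cap)
        return false;
    int n = snprintf(buf + *pos, cap - *pos, "%s=%s;", key, val);
    if (n < 0)
        return false;
    if ((size_t)n >= cap - *pos) {      /* output was truncated */
        *pos = cap - 1;                 /* buf[cap-1] holds the NUL */
        return false;
    }
    *pos += (size_t)n;
    return true;
}

/* --- Pattern behind CVE-2016-2376: a size check that only logs ---
 * The advisory describes a length taken from the wire into an int, compared
 * against CP_MAX_PACKET, with the error logged but the copy still performed,
 * and no check at all for negative values.  This constructed receive path
 * rejects the packet before anything is copied. */
typedef struct {
    unsigned char data[CP_MAX_PACKET];
    size_t        len;
} packet_t;

/* Returns 0 when the packet was accepted, -1 when the announced size was
 * rejected (in which case nothing is copied into `out`). */
int receive_packet(packet_t *out, const unsigned char *wire, int rx_res)
{
    if (rx_res < 0 || rx_res > CP_MAX_PACKET) {
        fprintf(stderr, "mxit: packet size %d out of range, dropped\n", rx_res);
        return -1;
    }
    memcpy(out->data, wire, (size_t)rx_res);
    out->len = (size_t)rx_res;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a short and an over-long nickname. */
    printf("offset after short name: %zu (buffer is %d)\n",
           naive_offset("bob"), FIELD_MAX);
    printf("offset after long name:  %zu (buffer is %d)\n",
           naive_offset("a-very-long-nickname-here"), FIELD_MAX);

    char buf[FIELD_MAX];
    size_t pos = 0;
    append_field(buf, sizeof buf, &pos, "name", "bob");
    bool ok = append_field(buf, sizeof buf, &pos, "mood", "happy");
    printf("second append %s, buf=\"%s\", pos=%zu\n",
           ok ? "fit" : "truncated", buf, pos);

    /* Constructed wire buffer, deliberately larger than CP_MAX_PACKET. */
    unsigned char wire[CP_MAX_PACKET + 8];
    memset(wire, 0x41, sizeof wire);
    packet_t p;
    printf("size 10 -> %d\n", receive_packet(&p, wire, 10));
    printf("size %d -> %d\n", CP_MAX_PACKET + 1,
           receive_packet(&p, wire, CP_MAX_PACKET + 1));
    printf("size -1 -> %d\n", receive_packet(&p, wire, -1));
    return 0;
}
```

The point of receive_packet() is the order of operations: the range test covers both the oversize and the negative case, and it returns before memcpy() runs, whereas the pattern the advisory describes logged and then copied anyway. The same shape applies to any length field read from an untrusted peer into a signed integer.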
Impact
======

A remote attacker might be able to access sensitive information, cause a denial of service or execute arbitrary code on the affected host.

References
==========

http://blog.talosintel.com/2016/06/vulnerability-spotlight-pidgin.html
https://access.redhat.com/security/cve/CVE-2016-2365
https://access.redhat.com/security/cve/CVE-2016-2366
https://access.redhat.com/security/cve/CVE-2016-2367
https://access.redhat.com/security/cve/CVE-2016-2368
https://access.redhat.com/security/cve/CVE-2016-2369
https://access.redhat.com/security/cve/CVE-2016-2370
https://access.redhat.com/security/cve/CVE-2016-2371
https://access.redhat.com/security/cve/CVE-2016-2372
https://access.redhat.com/security/cve/CVE-2016-2373
https://access.redhat.com/security/cve/CVE-2016-2374
https://access.redhat.com/security/cve/CVE-2016-2375
https://access.redhat.com/security/cve/CVE-2016-2376
https://access.redhat.com/security/cve/CVE-2016-2377
https://access.redhat.com/security/cve/CVE-2016-2378
https://access.redhat.com/security/cve/CVE-2016-2380
https://access.redhat.com/security/cve/CVE-2016-4323
participants (1)
-
Remi Gacogne