CVE-2016-2374
CVSS6.8
发布时间 :2017-01-06 16:59:00
修订时间 :2017-03-29 21:59:00
NMP    

[原文]An exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution.


[CNNVD]CNNVD数据暂缺。


[机译]Google 翻译(企业版):

- CVSS (基础分值)

CVSS分值: 6.8 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: MEDIUM [漏洞利用存在一定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-125| CWE-200 []

- CPE (受影响的平台与产品)

cpe:/o:canonical:ubuntu_linux:15.10
cpe:/o:debian:debian_linux:8.0
cpe:/a:pidgin:pidgin:2.10.12
cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:12.04::~~lts~~~

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2374
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2374
(官方数据源) NVD

- 其它链接及资源

http://www.debian.org/security/2016/dsa-3620
(VENDOR_ADVISORY)  DEBIAN  DSA-3620
http://www.pidgin.im/news/security/?id=107
(VENDOR_ADVISORY)  CONFIRM  http://www.pidgin.im/news/security/?id=107
http://www.securityfocus.com/bid/91335
(VENDOR_ADVISORY)  BID  91335
http://www.talosintelligence.com/reports/TALOS-2016-0142/
(VENDOR_ADVISORY)  MISC  http://www.talosintelligence.com/reports/TALOS-2016-0142/
http://www.ubuntu.com/usn/USN-3031-1
(VENDOR_ADVISORY)  UBUNTU  USN-3031-1
https://security.gentoo.org/glsa/201701-38
(UNKNOWN)  GENTOO  GLSA-201701-38

- 漏洞信息 (F137873)

Ubuntu Security Notice USN-3031-1 (PacketStormID:F137873)
2016-07-12 00:00:00
Ubuntu  security.ubuntu.com
advisory,remote,denial of service,arbitrary,protocol
linux,ubuntu
CVE-2016-2365,CVE-2016-2366,CVE-2016-2367,CVE-2016-2368,CVE-2016-2369,CVE-2016-2370,CVE-2016-2371,CVE-2016-2372,CVE-2016-2373,CVE-2016-2374,CVE-2016-2375,CVE-2016-2376,CVE-2016-2377,CVE-2016-2378,CVE-2016-2380,CVE-2016-4323
[点击下载]

Ubuntu Security Notice 3031-1 - Yves Younan discovered that Pidgin contained multiple issues in the MXit protocol support. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service, or possibly execute arbitrary code.

============================================================================
Ubuntu Security Notice USN-3031-1
July 12, 2016

pidgin vulnerabilities
============================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Pidgin could be made to crash or run programs if it received
specially crafted network traffic.

Software Description:
- pidgin: graphical multi-protocol instant messaging client for X

Details:

Yves Younan discovered that Pidgin contained multiple issues in the MXit
protocol support. A remote attacker could use this issue to cause Pidgin to
crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.10:
  libpurple0                      1:2.10.11-0ubuntu4.2

Ubuntu 14.04 LTS:
  libpurple0                      1:2.10.9-0ubuntu3.3

Ubuntu 12.04 LTS:
  libpurple0                      1:2.10.3-0ubuntu1.7

After a standard system update you need to restart Pidgin to make all the
necessary changes.

References:
  http://www.ubuntu.com/usn/usn-3031-1
  CVE-2016-2365, CVE-2016-2366, CVE-2016-2367, CVE-2016-2368,
  CVE-2016-2369, CVE-2016-2370, CVE-2016-2371, CVE-2016-2372,
  CVE-2016-2373, CVE-2016-2374, CVE-2016-2375, CVE-2016-2376,
  CVE-2016-2377, CVE-2016-2378, CVE-2016-2380, CVE-2016-4323

Package Information:
  https://launchpad.net/ubuntu/+source/pidgin/1:2.10.11-0ubuntu4.2
  https://launchpad.net/ubuntu/+source/pidgin/1:2.10.9-0ubuntu3.3
  https://launchpad.net/ubuntu/+source/pidgin/1:2.10.3-0ubuntu1.7





    

- 漏洞信息 (F137931)

Debian Security Advisory 3620-1 (PacketStormID:F137931)
2016-07-18 00:00:00
Debian  debian.org
advisory,remote,denial of service,arbitrary,vulnerability,protocol,info disclosure
cisco,linux,debian
CVE-2016-2365,CVE-2016-2366,CVE-2016-2367,CVE-2016-2368,CVE-2016-2369,CVE-2016-2370,CVE-2016-2371,CVE-2016-2372,CVE-2016-2373,CVE-2016-2374,CVE-2016-2375,CVE-2016-2376,CVE-2016-2377,CVE-2016-2378,CVE-2016-2380,CVE-2016-4323
[点击下载]

Debian Linux Security Advisory 3620-1 - Yves Younan of Cisco Talos discovered several vulnerabilities in the MXit protocol support in pidgin, a multi-protocol instant messaging client. A remote attacker can take advantage of these flaws to cause a denial of service (application crash), overwrite files, information disclosure, or potentially to execute arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3620-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 15, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pidgin
CVE ID         : CVE-2016-2365 CVE-2016-2366 CVE-2016-2367 CVE-2016-2368
                 CVE-2016-2369 CVE-2016-2370 CVE-2016-2371 CVE-2016-2372
                 CVE-2016-2373 CVE-2016-2374 CVE-2016-2375 CVE-2016-2376
                 CVE-2016-2377 CVE-2016-2378 CVE-2016-2380 CVE-2016-4323

Yves Younan of Cisco Talos discovered several vulnerabilities in the
MXit protocol support in pidgin, a multi-protocol instant messaging
client. A remote attacker can take advantage of these flaws to cause a
denial of service (application crash), overwrite files, information
disclosure, or potentially to execute arbitrary code.

For the stable distribution (jessie), these problems have been fixed in
version 2.11.0-0+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 2.11.0-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.11.0-1.

We recommend that you upgrade your pidgin packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXiTCbAAoJEAVMuPMTQ89E4nUP/jEpNVpOe4FcStlU24Cv1qOS
BsNBvRlp1XhhshzoBAWZSBTKFi4jqilOZUgjsHO76nHS7j0J4wzoWc36ZIp23O5p
KX9+A87ZdS4C3hI1YGgTdCcMTKSnWIrS1YcOW/0qBx7jdXt5EhFPKJa/byhHsp23
zguJ+glemJQ9uqpylc5om2udV4u9U5Nnc+Ga92zeR7Kefs20yRTLOef4Pd69LPwh
+zM0/qkI+JMii0yMpMJsIpMsXzQvzvgd4E6r3+NrWOHOCoZ8XZD4UvsR3Bnw8nvg
ed+hg2nj3uMWgXtv4Bdx+yUxsWdRFSjpiD1EXWmvzREgmDdrlnCGZB3yQbepA0Yi
lHsHEAwq3GZalLAeW8lwIQVaSLSREO6ZxcY7OxG2vdYzbkoQKCK7K4rR4T3yxB83
tAvYWRxCTMaeRxqUgLEAq0iMqQhvrmNDDEt5VVsE1bSn9gig6MkSGepFdzx4Yipq
+a8XUgJt8tLbpuTD9Pg9Ig8Mee0SaHSxr8bP6fFlfJu0Wt59MKn3wNzcqPhb+3Ie
FtLyo6XBC4hnsoVlRT569fwkuYaI/kptT95tKiqyYI+RFnSW0WP4dycmo2pHOuIP
mckCbAM7s+vuCGe1YQHJiOCeTrIDKAkKPbudjBL/g2zbcY+KayMXTvZbbW+ma8c0
wMiDOiIYUd4xMSvjBeF0
=QNWs
-----END PGP SIGNATURE-----
    

- 漏洞信息 (F140538)

Gentoo Linux Security Advisory 201701-38 (PacketStormID:F140538)
2017-01-17 00:00:00
Gentoo  security.gentoo.org
advisory,arbitrary,vulnerability
linux,gentoo
CVE-2016-1000030,CVE-2016-2365,CVE-2016-2366,CVE-2016-2367,CVE-2016-2368,CVE-2016-2369,CVE-2016-2370,CVE-2016-2371,CVE-2016-2372,CVE-2016-2373,CVE-2016-2374,CVE-2016-2375,CVE-2016-2376,CVE-2016-2377,CVE-2016-2378,CVE-2016-2379,CVE-2016-2380,CVE-2016-4323
[点击下载]

Gentoo Linux Security Advisory 201701-38 - Multiple vulnerabilities have been found in Pidgin, the worst of which could lead to execution of arbitrary code. Versions less than 2.11.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201701-38
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Pidgin: Multiple vulnerabilities
     Date: January 17, 2017
     Bugs: #586698
       ID: 201701-38

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Pidgin, the worst of which
could lead to execution of arbitrary code.

Background
==========

Pidgin is a client for a variety of instant messaging protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-im/pidgin                < 2.11.0                  >= 2.11.0

Description
===========

Multiple vulnerabilities have been discovered in Pidgin. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker might send specially crafted data using the MXit
protocol, possibly resulting in the remote execution of arbitrary code
with the privileges of the process, a Denial of Service condition, or
in leaking confidential information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Pidgin users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-im/pidgin-2.11.0"

References
==========

[  1 ] CVE-2016-1000030
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000030
[  2 ] CVE-2016-2365
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2365
[  3 ] CVE-2016-2366
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2366
[  4 ] CVE-2016-2367
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2367
[  5 ] CVE-2016-2368
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2368
[  6 ] CVE-2016-2369
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2369
[  7 ] CVE-2016-2370
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2370
[  8 ] CVE-2016-2371
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2371
[  9 ] CVE-2016-2372
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2372
[ 10 ] CVE-2016-2373
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2373
[ 11 ] CVE-2016-2374
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2374
[ 12 ] CVE-2016-2375
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2375
[ 13 ] CVE-2016-2376
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2376
[ 14 ] CVE-2016-2377
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2377
[ 15 ] CVE-2016-2378
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2378
[ 16 ] CVE-2016-2379
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2379
[ 17 ] CVE-2016-2380
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2380
[ 18 ] CVE-2016-4323
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4323

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201701-38

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


    
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站