These vulnerabilities were discovered by Yves Younan.

Pidgin is a universal chat client that is used on millions of systems worldwide. The Pidgin chat client enables you to communicate on multiple chat networks simultaneously. Talos has identified multiple vulnerabilities in the way Pidgin handles the MXit protocol. These vulnerabilities fall into the following four categories.

  • Information Leakage
  • Denial Of Service
  • Directory Traversal
  • Buffer Overflow

The following vulnerabilities were identified (listed numerically by CVE):

CVE-2016-2365 – Pidgin MXIT Markup Command Denial of Service Vulnerability
CVE-2016-2366 – Pidgin MXIT Table Command Denial of Service Vulnerability
CVE-2016-2367 – Pidgin MXIT Avatar Length Memory Disclosure Vulnerability
CVE-2016-2368 – Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerability
CVE-2016-2369 – Pidgin MXIT CP SOCK REC TERM Denial of Service Vulnerability
CVE-2016-2370 – Pidgin MXIT Custom Resource Denial of Service Vulnerability
CVE-2016-2371 – Pidgin MXIT Extended Profiles Code Execution Vulnerability
CVE-2016-2372 – Pidgin MXIT File Transfer Length Memory Disclosure Vulnerability
CVE-2016-2373 – Pidgin MXIT Contact Mood Denial of Service Vulnerability
CVE-2016-2374 – Pidgin MXIT MultiMX Message Code Execution Vulnerability
CVE-2016-2375 – Pidgin MXIT Suggested Contacts Memory Disclosure Vulnerability
CVE-2016-2376 – Pidgin MXIT read stage Ox3 Code Execution Vulnerability
CVE-2016-2377 – Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability
CVE-2016-2378 – Pidgin MXIT get_utf8_string Code Execution Vulnerability
CVE-2016-2380 – Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability
CVE-2016-4323 – Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability



Talos Group

Talos Security Intelligence & Research Group