Pidgin MXIT Extended Profiles Code Execution Vulnerability(CVE-2016-2371)

### DESCRIPTION An out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution. ### CVSSv3 SCORE 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H ### TESTED VERSIONS Pidgin 2.10.11 ### PRODUCT URLs https://www.pidgin.im/ ### DETAILS The function mxitparsecmd_extprofile() is called when extended profile packets are received from the server. At line 1837 it will read the number of attributes that were sent by the server into the variable count. 1837 count = atoi( records[0]->fields[1]->data ); This value is subsequently used as the bounds for a loop at line 1839 and used to calculate the index into an array at line 1843 and that value is subsequently used to access values in the array at lines 1845-1847. ``` 1839 for ( i = 0; i < count; i++ ) { char* fname; char* fvalue; char* fstatus; 1843 int f = ( i * 3 ) + 2; fname = records[0]->fields[f]->data; /* field name */ fvalue = records[0]->fields[f + 1]->data; /* field value */ 1847 fstatus = records[0]->fields[f + 2]->data; /* field status */ ``` The index is also used to write to an array at lines 1859-1860 potentially causing an out-of-bounds write. ``` 1859 fvalue[10] = '\0'; records[0]->fields[f + 1]->len = 10; ``` ### TIMELINE * 2016-04-13 - Vendor Notification * 2016-06-21 - Public Disclosure