CVE-2016-2380
An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out of bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and could lead to a potential out-of-bounds read.
3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Pidgin 2.10.11
https://www.pidgin.im/
When a message is sent by Pidgin to the server, it has to convert the markup from libpurple (HTML-based) markup to MXIT markup. To do this, the function mxit_convert_markup_tx defined in the file markup.c will be called. This function will copy the data from the old string message to the new string mx, converting it along the way.
However, at lines 1146-1154 it will convert the markup to change the font color without checking the length of the string that is remaining:
1146 else if ( purple_str_has_prefix( &message[i], "<font color=" ) ) {
/* font colour */
tag = g_new0( struct tag, 1 );
tag->type = MXIT_TAG_COLOR;
tagstack = g_list_append( tagstack, tag );
memset( color, 0x00, sizeof( color ) );
memcpy( color, &message[i + 13], 7 );
g_string_append( mx, color );
1154 }
It will compare if the string starts with <font color= at the current position in the message at line 1146. If it does it will copy 7 bytes from 1 element past the end of =, presumably to skip over the # tag. However, if <font color= is at the end of the string then this will result in an out-of-bounds read of message. Since one byte after the end of the = will be skipped over, the NULL termination string will be skipped over, allowing the 7 bytes of data behind the string to be copied to the mx, which is the string that will be sent to the server.
2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure
Discovered by Yves Younan of Cisco Talos.