Security impact of CVE 2017-2640
Dhiru Kholia
dkholia at redhat.com
Thu Mar 30 03:53:03 EDT 2017
Hi,
I work in Red Hat's Product Security Team and I am trying to understand
the security impact of CVE 2017-2640 (Out-of-bounds write when stripping
XML, https://pidgin.im/news/security/?id=109).
The CVE description says that an out-of-bounds write when invalid XML is
sent by a malicious server. What does this out-of-bounds write result
in? Does it cause Pidgin to crash? Does it cause memory (heap / stack)
corruption? If yes, can the memory corruption lead to code execution?
Currently, Red Hat and SUSE are treating this is a code execution
vulnerability. This can be confirmed from the CVSS score assigned to
this vulnerability.
It would be great if I could get answers to these questions. It would
help me assessing the true security impact of this CVE.
Thanks,
Dhiru
More information about the security
mailing list