Security impact of CVE 2017-2640

Dhiru Kholia dkholia at
Thu Mar 30 03:53:03 EDT 2017


I work in Red Hat's Product Security Team and I am trying to understand
the security impact of CVE 2017-2640 (Out-of-bounds write when stripping

The CVE description says that an out-of-bounds write occurs when invalid XML is
sent by a malicious server. What does this out-of-bounds write result
in? Does it cause Pidgin to crash? Does it cause memory (heap / stack)
corruption? If yes, can the memory corruption lead to code execution?

Currently, Red Hat and SUSE are treating this as a code execution
vulnerability. This can be confirmed from the CVSS score assigned to
this vulnerability.

It would be great if I could get answers to these questions. It would
help me assess the true security impact of this CVE.

