On Thu, Mar 30, 2017 at 2:53 AM, Dhiru Kholia <dkholia at> wrote:
> Hi,
> I work in Red Hat's Product Security Team and I am trying to understand
> the security impact of CVE 2017-2640 (Out-of-bounds write when stripping
> XML,
> The CVE description says that an out-of-bounds write occurs when invalid XML is
> sent by a malicious server. What does this out-of-bounds write result
> in? Does it cause Pidgin to crash? Does it cause memory (heap / stack)
> corruption? If yes, can the memory corruption lead to code execution?

I'm not exactly sure on the details; dx and Eion were the ones that did
the testing and have more information than myself.

> Currently, Red Hat and SUSE are treating this as a code execution
> vulnerability. This can be confirmed from the CVSS score assigned to
> this vulnerability.


> It would be great if I could get answers to these questions. It would
> help me assess the true security impact of this CVE.

Indeed.  I spoke with dx this morning and he's trying to get some more
testing done to help answer these questions.

> Thanks,
> Dhiru


