Arch Linux Security Advisory ASA-201703-18 ========================================== Severity: High Date : 2017-03-21 CVE-ID : CVE-2017-2640 Package : libpurple Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-226 Summary ======= The package libpurple before version 2.12.0-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 2.12.0-1. # pacman -Syu "libpurple>=2.12.0-1" The problem has been fixed upstream in version 2.12.0. Workaround ========== None. Description =========== An out-of-bounds write has been found in libpurple < 2.12.0 in the purple_markup_unescape_entity function. This issue can be triggered by a malicious server sending invalid XML entities separated by whitespace, eg "ஸ" to the client. Impact ====== A remote attacker is able to execute arbitrary code on the affected host if it connects to a malicious server. References ========== http://seclists.org/fulldisclosure/2017/Mar/57 https://www.pidgin.im/news/security/?id=109 https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9 https://security.archlinux.org/CVE-2017-2640