CVE-2009-1376
EPSS 25.9%
Description
Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim) before 2.5.6 on 32-bit platforms allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, leading to buffer overflows. NOTE: this issue exists because of an incomplete fix for CVE-2008-2927.
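The bug class in the description, as an added example that is not Pidgin's code: a bounds check that adds a message-supplied offset and length in 32-bit arithmetic can wrap around and pass, so the check is rewritten to avoid the addition. The function names, buffer size and sample values are constructed for illustration; sizes are modelled as uint32_t to reproduce 32-bit behaviour on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Naive check: offset + len is computed in 32 bits, so a huge offset
 * wraps past UINT32_MAX and the sum compares as a small value. */
static bool chunk_fits_naive(uint32_t offset, uint32_t len, uint32_t size)
{
    return (uint32_t)(offset + len) <= size;
}

/* Wrap-safe check: never computes offset + len. Once offset <= size is
 * known, size - offset cannot underflow. */
static bool chunk_fits_checked(uint32_t offset, uint32_t len, uint32_t size)
{
    if (offset > size)
        return false;
    return len <= size - offset;
}

/* Copy a received chunk into a reassembly buffer of `size` bytes.
 * Returns 0 on success, -1 if the chunk does not fit. */
static int store_chunk(uint8_t *buf, uint32_t size, uint32_t offset,
                       const uint8_t *data, uint32_t len)
{
    if (!chunk_fits_checked(offset, len, size))
        return -1;
    memcpy(buf + offset, data, len);
    return 0;
}

int main(void)
{
    /* Constructed sample values: the sum wraps to 0x10 in 32 bits. */
    uint32_t size = 1024, offset = 0xFFFFFFF0u, len = 0x20u;
    uint8_t buf[16] = {0};
    const uint8_t data[4] = {1, 2, 3, 4};

    printf("naive check accepts:   %d\n", chunk_fits_naive(offset, len, size));
    printf("checked check accepts: %d\n", chunk_fits_checked(offset, len, size));
    printf("in-range store:  %d\n", store_chunk(buf, sizeof buf, 12, data, 4));
    printf("wrapping store:  %d\n", store_chunk(buf, sizeof buf, offset, data, 4));
    return 0;
}
```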
How to fix CVE-2009-1376
To remediate CVE-2009-1376, upgrade the affected package to a fixed version below.
- Debian/pidgin—upgrade to 2.5.6-1 or later
Is CVE-2009-1376 being exploited?
Moderate — EPSS is 25.9%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 2.5.6-1