cve-2014-3696-00

Summary: Remote crash parsing malformed Groupwise message
Date: 2014-10-22
CVE Number: CVE-2014-3696
Discovered By: Yves Younan and Richard Johnson of Cisco Talos
Fixed In: Release 2.10.10

Description

A malicious server or man-in-the-middle could trigger a crash in libpurple by specifying that a large amount of memory should be allocated in many places in the UI.

Mitigation

Impose a maximum length when reading various types of messages.
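
The mitigation above, sketched as an added example (not code from libpurple or the Pidgin project): a reader for a length-prefixed field that rejects an oversized peer-supplied length before allocating. The 4-byte little-endian prefix, the `MAX_FIELD_LEN` cap and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for this example; not the value used by the project. */
#define MAX_FIELD_LEN 4096u

enum read_status { READ_OK = 0, READ_TRUNCATED = -1,
                   READ_TOO_LONG = -2, READ_NOMEM = -3 };

/* Decode a 4-byte little-endian length (hypothetical wire format). */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Read one length-prefixed string field from buf[0..buf_len).
 * On success *out is a NUL-terminated heap copy (caller frees) and
 * *consumed is the number of bytes used from buf.
 */
int read_field(const unsigned char *buf, size_t buf_len,
               char **out, size_t *consumed)
{
    uint32_t len;
    char *s;

    *out = NULL;
    *consumed = 0;
    if (buf_len < 4)
        return READ_TRUNCATED;
    len = read_le32(buf);

    /* Check the peer-supplied length BEFORE allocating anything. */
    if (len > MAX_FIELD_LEN)
        return READ_TOO_LONG;
    /* Also reject a length that claims more data than was received. */
    if ((size_t)len > buf_len - 4)
        return READ_TRUNCATED;

    s = malloc((size_t)len + 1);
    if (s == NULL)
        return READ_NOMEM;
    memcpy(s, buf + 4, len);
    s[len] = '\0';
    *out = s;
    *consumed = 4 + (size_t)len;
    return READ_OK;
}
```

Without the `MAX_FIELD_LEN` check, the allocation size would be controlled entirely by the remote side, which is the condition the description refers to.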
