Arch Linux: ASA-201703-18 High Severity: Libpurple Code Execution Risk

Arch Linux Security Advisory ASA-201703-18
=========================================
Severity: High
Date    : 2017-03-21
CVE-ID  : CVE-2017-2640
Package : libpurple
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-226

Summary
======
The package libpurple before version 2.12.0-1 is vulnerable to
arbitrary code execution.

Resolution
=========
Upgrade to 2.12.0-1.

# pacman -Syu "libpurple>=2.12.0-1"

The problem has been fixed upstream in version 2.12.0.

Workaround
=========
None.

Description
==========
An out-of-bounds write has been found in libpurple < 2.12.0 in the
purple_markup_unescape_entity function. This issue can be triggered by
a malicious server sending invalid XML entities separated by
whitespace, eg "ஸ" to the client.

Impact
=====
A remote attacker is able to execute arbitrary code on the affected
host if it connects to a malicious server.

References
=========
https://seclists.org/fulldisclosure/2017/Mar/57
https://security.archlinux.org/CVE-2017-2640