Talos Vulnerability Report


Pidgin libpurple STUN Response Length NULL Write Vulnerability

May 11, 2015
CVE Number


An exploitable NULL write vulnerability exists in Pidgin's implementation of the STUN protocol in the libpurple library. An attacker who can control the response to a STUN protocol packet can cause a network receive operation to return an undersized value, resulting in an out-of-bounds write of a NULL value.

Tested Versions

Pidgin 2.10.7

Product URLs



An off-by-one exists in libpurple/stun.c at line 182 in the function reply_cb():

len = recv(source, buffer, sizeof(buffer) - 1, 0);
if (!len) {                                   /* line 178: only a zero-length read is caught */
    purple_debug_warning("stun", "unable to read stun response\n");
    return;                                   /* early exit for the zero-length case */
}
buffer[len] = '\0';                           /* line 182: len is -1 after a recv() error */

If the attacker causes a network error during the STUN message reply, the recv() call returns -1. Because the check at line 178 only tests for a zero-length result, it is bypassed and the negative index is used on line 182, resulting in an out-of-bounds write of a NULL byte one position before the start of buffer.
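The failure mode and its fix in C, as an added example that is not Pidgin's code: the two functions model the post-recv() check with a supplied return value instead of a socket, so the error path can be exercised offline. The buffer size is an assumption; the report does not state it.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Assumed buffer size for the model; the report does not give the real one. */
#define STUN_BUF_SIZE 10240

/* What happens after recv() returns, as modelled here. */
enum stun_outcome { STUN_REJECTED = 0, STUN_TERMINATED = 1, STUN_OOB_WRITE = 2 };

/* Mirrors the original check: only len == 0 is caught. A recv() error
 * (-1) passes the check and buffer[-1] would receive the '\0'. The write
 * is not performed; the function only reports what would happen. */
enum stun_outcome stun_terminate_vulnerable(ssize_t len, size_t bufsize)
{
    if (!len)
        return STUN_REJECTED;
    if (len < 0 || (size_t)len >= bufsize)
        return STUN_OOB_WRITE;      /* index -1: NULL written before the buffer */
    return STUN_TERMINATED;         /* buffer[len] = '\0' is in bounds */
}

/* Hardened check: recv() returns -1 on error and 0 on orderly shutdown,
 * so `len <= 0` rejects both. The read length of bufsize - 1 already
 * guarantees len < bufsize, so the terminator always stays in bounds. */
enum stun_outcome stun_terminate_fixed(ssize_t len, size_t bufsize)
{
    if (len <= 0)
        return STUN_REJECTED;
    if ((size_t)len >= bufsize)
        return STUN_OOB_WRITE;      /* unreachable with recv(..., bufsize - 1, ...) */
    return STUN_TERMINATED;
}

/* Applies the hardened check before touching a real buffer. Returns 0 on
 * success, -1 when the read result must not be used as an index. */
int stun_terminate_buffer(char *buffer, size_t bufsize, ssize_t len)
{
    if (stun_terminate_fixed(len, bufsize) != STUN_TERMINATED)
        return -1;
    buffer[len] = '\0';
    return 0;
}

int main(void)
{
    ssize_t results[] = { -1, 0, 20 };   /* constructed recv() return values */
    for (size_t i = 0; i < 3; i++)
        printf("len=%ld vulnerable=%d fixed=%d\n", (long)results[i],
               stun_terminate_vulnerable(results[i], STUN_BUF_SIZE),
               stun_terminate_fixed(results[i], STUN_BUF_SIZE));
    return 0;
}
```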


Yves Younan of Sourcefire VRT