Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Security Vulnerability in Pidgin-OTR (Please Upgrade)

Collin Anderson collin at
Wed May 16 16:06:54 PDT 2012


Please be aware of the announcement of a remotely exploitable vulnerability
for the package 'pidgin-otr' -- the popular plugin that allows users of the
Pidgin instant messaging client to conduct conversations off-the-record.
This is pretty important as the software has been recommended by many of
the organizations doing security trainings. Anyone using this software
should upgrade immediately, and pass this information to colleagues.




[OTR-announce] Format string security flaw in pidgin-otr: UPGRADE TO 3.2.1!

Ian Goldberg ian at
Wed May 16 08:09:10 EDT 2012
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Off-the-Record Messaging (OTR) Security Advisory 2012-01

Format string security flaw in pidgin-otr

Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
string security flaw.  This flaw could potentially be exploited by
a remote attacker to cause arbitrary code to be executed on the user's

The flaw is in pidgin-otr, not in libotr.  Other applications which use
libotr are not affected.

CVE-2012-2369 has been assigned to this issue.

The recommended course of action is to upgrade pidgin-otr to version
3.2.1 immediately.  The new version can be obtained here:

Windows installer:
gpg signature:

Windows zip file:
gpg signature:

Source code:
gpg signature:

git repository:
    git:// (branch 3.2_dev)

Version 4.0.0 (soon to be released) does not suffer from this flaw.

Linux and *BSD vendors and package maintainers have been notified, and
updated packages should be available from them.

If upgrading to version 3.2.1 is not possible, please apply the
following patch to 3.2.0:

--- a/otr-plugin.c
+++ b/otr-plugin.c
@@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext

 static void log_message_cb(void *opdata, const char *message)
-    purple_debug_info("otr", message);
+    purple_debug_info("otr", "%s", message);

 static int max_message_size_cb(void *opdata, ConnContext *context)

Our heartfelt thanks to intrigeri <intrigeri at> for finding and
alerting us to this flaw.

Followups to the otr-users mailing list <otr-users at>,

Your OTR development team,
    Ian Goldberg <iang at>
    Rob Smits <rdfsmits at>

*Collin David Anderson* | @cda | Washington, D.C.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the liberationtech mailing list