[liberationtech] Security Vulnerability in Pidgin-OTR (Please Upgrade)

Douglas Lucas dal at douglaslucas.com
Thu May 17 09:21:32 PDT 2012


Hi everyone,

Ubuntu apt-get update/upgrade showed me a new package for pidgin-otr, but
not the vulnerability bugfix 3.2.1 (From terminal: "Preparing to replace
pidgin-otr 3.2.0-5 (using .../pidgin-otr_3.2.0-5ubuntu0.11.10.1_amd64.deb)
...")

https://launchpad.net/ubuntu/+source/pidgin-otr/ now shows a pidgin-otr
3.2.1 upgrade for Quantal, but only 3.2.0-5 for Oneiric (uploaded 9 hours
ago). The newest version should be 3.2.1, right?

I tried to route around the PPAs by building from source using the info
from the link in Collin's email (below), but "gpg --verify
pidgin-otr-3.2.1.tar.gz.asc pidgin-otr-3.2.1.tar.gz" oddly gave me (and
someone else) "Can't check signature: public key not found"

Looks like there are problems here that aren't due to me, but I don't
exactly know what I'm doing, either. Sorry! Halp?

:-Douglas



On Wed, May 16, 2012 at 6:06 PM, Collin Anderson
<collin at averysmallbird.com> wrote:

> Libtech,
>
> Please be aware of the announcement of a remotely exploitable
> vulnerability for the package 'pidgin-otr' -- the popular plugin that
> allows users of the Pidgin instant messaging client to conduct
> conversations off-the-record. This is pretty important as the software has
> been recommended by many of the organizations doing security trainings.
> Anyone using this software should upgrade immediately, and pass this
> information to colleagues.
>
> Cordially,
> Collin
>
> Source:
> http://lists.cypherpunks.ca/pipermail/otr-announce/2012-May/000026.html
>
> -------
>
> [OTR-announce] Format string security flaw in pidgin-otr: UPGRADE TO
> 3.2.1!
>
>  Ian Goldberg ian at cypherpunks.ca
> Wed May 16 08:09:10 EDT 2012
> Off-the-Record Messaging (OTR) Security Advisory 2012-01
>
> Format string security flaw in pidgin-otr
>
> Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
> string security flaw.  This flaw could potentially be exploited by
> a remote attacker to cause arbitrary code to be executed on the user's
> machine.
>
> The flaw is in pidgin-otr, not in libotr.  Other applications which use
> libotr are not affected.
>
> CVE-2012-2369 has been assigned to this issue.
>
> The recommended course of action is to upgrade pidgin-otr to version
> 3.2.1 immediately.  The new version can be obtained here:
>
> Windows installer:
>     http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1-1.exe
> gpg signature:
>     http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1-1.exe.asc
>
> Windows zip file:
>     http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1.zip
> gpg signature:
>     http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1.zip.asc
>
> Source code:
>     http://otr.cypherpunks.ca/pidgin-otr-3.2.1.tar.gz
> gpg signature:
>     http://otr.cypherpunks.ca/pidgin-otr-3.2.1.tar.gz.asc
>
> git repository:
>     git://otr.git.sourceforge.net/gitroot/otr/pidgin-otr (branch 3.2_dev)
>
> Version 4.0.0 (soon to be released) does not suffer from this flaw.
>
> Linux and *BSD vendors and package maintainers have been notified, and
> updated packages should be available from them.
>
> If upgrading to version 3.2.1 is not possible, please apply the
> following patch to 3.2.0:
>
>
> --- a/otr-plugin.c
> +++ b/otr-plugin.c
> @@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext
> *conte
>
>  static void log_message_cb(void *opdata, const char *message)
>  {
> -    purple_debug_info("otr", message);
> +    purple_debug_info("otr", "%s", message);
>  }
>
>  static int max_message_size_cb(void *opdata, ConnContext *context)
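Review bot: the one-line change in log_message_cb() is the correct fix: purple_debug_info() is a printf-style function, so passing `message` directly as its format argument lets any `%` directive inside a string that may have come from the remote peer drive the formatter, whereas `purple_debug_info("otr", "%s", message);` makes the format a constant and logs the text verbatim. Two practical points for anyone applying this from the mail: the `@@` hunk header has been wrapped by the mail client (`ConnContext` / `*conte`), so this quoted copy is unlikely to apply cleanly with `patch -p1`; take the hunk from the linked advisory or the 3.2_dev branch and apply it to an unmodified 3.2.0 tree. It is also worth building with -Wformat-security so that any other call site that passes a non-literal format string is flagged at compile time.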
>
>
>
> Our heartfelt thanks to intrigeri <intrigeri at boum.org> for finding and
> alerting us to this flaw.
>
> Followups to the otr-users mailing list <otr-users at lists.cypherpunks.ca>,
> please.
>
> Your OTR development team,
>     Ian Goldberg <iang at cs.uwaterloo.ca>
>     Rob Smits <rdfsmits at cs.uwaterloo.ca>
>
> --
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.
>
>
>
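The advisory above describes the flaw only in one sentence and the patch shows the fix in one line. The following added example (my own code, not pidgin-otr's; `debug_log` is a hypothetical stand-in for a printf-style API such as `purple_debug_info`) puts the vulnerable and the fixed pattern side by side and shows, with a directive whose effect is fully defined, that the unsafe version interprets the message while the safe version copies it verbatim.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logging API such as
 * purple_debug_info(): the first argument is parsed as a format string. */
static void debug_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern (pidgin-otr 3.2.0 and earlier): the message, which
 * may have originated from the remote peer, becomes the format string. */
void log_message_unsafe(char *out, size_t outlen, const char *message)
{
    debug_log(out, outlen, message);
}

/* Fixed pattern (pidgin-otr 3.2.1): a constant format string; the message
 * is only ever a %s argument and is therefore copied byte for byte. */
void log_message_safe(char *out, size_t outlen, const char *message)
{
    debug_log(out, outlen, "%s", message);
}

/* Returns 1 if the logged text equals the input (no directive in the
 * message was interpreted), 0 otherwise. */
int logged_verbatim(void (*logger)(char *, size_t, const char *),
                    const char *message)
{
    char buf[256];
    logger(buf, sizeof buf, message);
    return strcmp(buf, message) == 0;
}

int main(void)
{
    /* Constructed sample message. "%%" is the only directive whose effect
     * is defined without arguments, so it shows the difference safely;
     * a "%s" or "%n" in the same position would be the undefined read or
     * write of memory that the advisory warns about. */
    const char *msg = "transfer 100%% complete";
    printf("unsafe logs verbatim: %d\n", logged_verbatim(log_message_unsafe, msg));
    printf("safe logs verbatim:   %d\n", logged_verbatim(log_message_safe, msg));
    return 0;
}
```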