[liberationtech] Security Vulnerability in Pidgin-OTR (Please Upgrade)
dal at douglaslucas.com
Thu May 17 09:21:32 PDT 2012
Ubuntu apt-get update/upgrade showed me a new package for pidgin-otr, but
not the vulnerability bugfix 3.2.1 (From terminal: "Preparing to replace
pidgin-otr 3.2.0-5 (using .../pidgin-otr_3.2.0-5ubuntu0.11.10.1_amd64.deb)
https://launchpad.net/ubuntu/+source/pidgin-otr/ now shows a pidgin-otr
3.2.1 upgrade for Quantal, but only 3.2.0-5 for Oneiric (uploaded 9 hours
ago). The newest version should be 3.2.1, right?
I tried to route around the PPAs by building from source using the info
from the link in Collin's email (below), but "gpg --verify
pidgin-otr-3.2.1.tar.gz.asc pidgin-otr-3.2.1.tar.gz" oddly gave me (and
someone else) "Can't check signature: public key not found"
Looks like there are problems here that aren't due to me, but I don't exactly
know what I'm doing, either. Sorry! Halp?
On Wed, May 16, 2012 at 6:06 PM, Collin Anderson
<collin at averysmallbird.com> wrote:
> Please be aware of the announcement of a remotely exploitable
> vulnerability for the package 'pidgin-otr' -- the popular plugin that
> allows users of the Pidgin instant messaging client to conduct
> conversations off-the-record. This is pretty important as the software has
> been recommended by many of the organizations doing security trainings.
> Anyone using this software should upgrade immediately, and pass this
> information to colleagues.
> [OTR-announce] Format string security flaw in pidgin-otr: UPGRADE TO
> Ian Goldberg ian at cypherpunks.ca
> Wed May 16 08:09:10 EDT 2012
> Off-the-Record Messaging (OTR) Security Advisory 2012-01
> Format string security flaw in pidgin-otr
> Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
> string security flaw. This flaw could potentially be exploited by
> a remote attacker to cause arbitrary code to be executed on the user's
> The flaw is in pidgin-otr, not in libotr. Other applications which use
> libotr are not affected.
> CVE-2012-2369 has been assigned to this issue.
> The recommended course of action is to upgrade pidgin-otr to version
> 3.2.1 immediately. The new version can be obtained here:
> Windows installer:
> gpg signature:
> Windows zip file:
> gpg signature:
> Source code:
> gpg signature:
> git repository:
> git://otr.git.sourceforge.net/gitroot/otr/pidgin-otr (branch 3.2_dev)
> Version 4.0.0 (soon to be released) does not suffer from this flaw.
> Linux and *BSD vendors and package maintainers have been notified, and
> updated packages should be available from them.
> If upgrading to version 3.2.1 is not possible, please apply the
> following patch to 3.2.0:
> --- a/otr-plugin.c
> +++ b/otr-plugin.c
> @@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext
> static void log_message_cb(void *opdata, const char *message)
> - purple_debug_info("otr", message);
> + purple_debug_info("otr", "%s", message);
> static int max_message_size_cb(void *opdata, ConnContext *context)
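Review bot: the one-line change is the right fix for this call site, since the `-` line hands `message` (text that, per the advisory, a remote peer can influence) to purple_debug_info() as its format string, so any `%s`, `%x` or `%n` in a peer message would be interpreted, while the `+` line makes `"%s"` the only format and demotes `message` to an argument. The hunk shows only log_message_cb(); before shipping, grep otr-plugin.c for any other purple_debug_* or purple_notify_* call whose format argument is a variable rather than a string literal, and build with -Wformat -Wformat-security (or -Werror=format-security) so the compiler flags that pattern wherever the callee carries the printf format attribute.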
> Our heartfelt thanks to intrigeri <intrigeri at boum.org> for finding and
> alerting us to this flaw.
> Followups to the otr-users mailing list <otr-users at lists.cypherpunks.ca
> Your OTR development team,
> Ian Goldberg <iang at cs.uwaterloo.ca>
> Rob Smits <rdfsmits at cs.uwaterloo.ca>
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.
> liberationtech mailing list
> liberationtech at lists.stanford.edu
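The advisory above does not show what the flaw looks like at runtime, so here is an added example (not code from pidgin-otr or libpurple) that puts the vulnerable and fixed forms of log_message_cb() side by side. `debug_info()` is a hypothetical stand-in for a printf-style logger like purple_debug_info() that writes into a caller-supplied buffer instead of the debug window, and `count_conversions()` is a small audit helper that counts the argument-consuming directives printf would see in a string, which is the check a reviewer would run over any peer-controlled text that reaches a format parameter. The input strings are constructed; the one passed to the vulnerable path uses only `%%` so the demonstration stays well-defined.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 256

/* Hypothetical stand-in for a printf-style logger such as purple_debug_info():
 * the argument after the category is a FORMAT string, and the varargs supply
 * its conversions. Output goes to `out` so the result can be inspected. */
static void debug_info(char *out, size_t outlen, const char *category,
                       const char *fmt, ...) {
    int n = snprintf(out, outlen, "[%s] ", category);
    if (n < 0 || (size_t)n >= outlen) return;
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out + n, outlen - (size_t)n, fmt, ap);
    va_end(ap);
}

/* Shape of the call in pidgin-otr <= 3.2.0: the peer-derived text IS the
 * format string, so "%s", "%x" and "%n" inside it are interpreted. */
void log_message_vulnerable(char *out, size_t outlen, const char *message) {
    debug_info(out, outlen, "otr", message);
}

/* Shape of the call after the 3.2.1 fix: "%s" is the only format string and
 * the peer-derived text is an ordinary argument, never interpreted. */
void log_message_fixed(char *out, size_t outlen, const char *message) {
    debug_info(out, outlen, "otr", "%s", message);
}

/* Audit helper: count the argument-consuming directives printf would see in
 * `s` (a '*' width or precision pulls an int argument too), and report whether
 * any conversion is %n, the directive that writes to memory. "%%" consumes
 * nothing and is skipped. Assumed scanner, not a libc function. */
int count_conversions(const char *s, bool *has_n) {
    int count = 0;
    if (has_n) *has_n = false;
    const char *p = s;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }          /* literal percent sign */
        /* flags, field width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*') count++;                /* '*' consumes an argument */
            p++;
        }
        if (*p == '\0') break;                     /* truncated directive */
        if (*p == 'n' && has_n) *has_n = true;
        count++;                                   /* the conversion itself */
        p++;
    }
    return count;
}

int main(void) {
    char buf[LOG_MAX];
    const char *samples[] = { "100%% done", "%s%s%s%n", "%08x.%08x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool n;
        int c = count_conversions(samples[i], &n);
        printf("%-12s consumes %d argument(s)%s\n", samples[i], c,
               n ? ", contains %n" : "");
    }
    /* Only the "%%" sample is safe to push through the vulnerable path. */
    log_message_vulnerable(buf, sizeof buf, samples[0]);
    printf("vulnerable: %s\n", buf);
    log_message_fixed(buf, sizeof buf, samples[0]);
    printf("fixed:      %s\n", buf);
    return 0;
}
```

The difference in the two outputs for "100%% done" is the whole bug in miniature: the vulnerable path collapses `%%` to `%` because it parsed the message as a format, and with a real `%x` or `%n` it would go on to read stack slots or write to memory. Compiling with `-Wformat -Wformat-security` (Ubuntu's default hardening flags turn this into `-Werror=format-security`) reports "format not a string literal and no format arguments" at the vulnerable call, provided the callee is declared with the printf format attribute, so the pattern can be caught at build time rather than by a peer.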