Date: Wed, 16 May 2012 07:26:50 -0400
From: Ian Goldberg <iang@...uwaterloo.ca>
To: oss-security@...ts.openwall.com
Cc: Doug Barton <dougb@...eBSD.org>, steven@...nbsd.org,
	deraadt@...nbsd.org, gdt@...bsd.org,
	intrigeri <intrigeri@...ian.org>, paul@...herpunks.ca,
	Thibaut VARENE <varenet@...ian.org>,
	Rob Smits <rdfsmits@...uwaterloo.ca>
Subject: Format string security flaw in pidgin-otr

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Off-the-Record Messaging (OTR) Security Advisory 2012-01

Format string security flaw in pidgin-otr

Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
string security flaw.  This flaw could potentially be exploited by
a remote attacker to cause arbitrary code to be executed on the user's
machine.

The flaw is in pidgin-otr, not in libotr.  Other applications which use
libotr are not affected.

CVE-2012-2369 has been assigned to this issue.

The recommended course of action is to upgrade pidgin-otr to version
3.2.1 immediately.  The new version can be obtained here:

Windows installer:
    http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1-1.exe
gpg signature:
    http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1-1.exe.asc

Windows zip file:
    http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1.zip
gpg signature:
    http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1.zip.asc

Source code:
    http://otr.cypherpunks.ca/pidgin-otr-3.2.1.tar.gz
gpg signature:
    http://otr.cypherpunks.ca/pidgin-otr-3.2.1.tar.gz.asc

git repository:
    git://otr.git.sourceforge.net/gitroot/otr/pidgin-otr (branch 3.2_dev)

Version 4.0.0 (soon to be released) does not suffer from this flaw.

Linux and *BSD vendors and package maintainers have been notified, and
updated packages should be available from them.

If upgrading to version 3.2.1 is not possible, please apply the
following patch to 3.2.0:


- --- a/otr-plugin.c
+++ b/otr-plugin.c
@@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext *conte
 
 static void log_message_cb(void *opdata, const char *message)
 {
- -    purple_debug_info("otr", message);
+    purple_debug_info("otr", "%s", message);
 }
 
 static int max_message_size_cb(void *opdata, ConnContext *context)
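
Review bot: The change to the purple_debug_info call in log_message_cb covers only this one call site, so the rest of otr-plugin.c should be checked for other printf-style calls whose format argument is not a string literal. Building with -Wformat -Wformat-security would flag any that remain, provided the debug functions are declared with a printf format attribute. The `"%s", message` form itself is the right fix, since message is then passed as data and never parsed as a format.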



Our heartfelt thanks to intrigeri <intrigeri@...m.org> for finding and
alerting us to this flaw.

Followups to the otr-users mailing list <otr-users@...ts.cypherpunks.ca>,
please.

Your OTR development team,
    Ian Goldberg <iang@...uwaterloo.ca>
    Rob Smits <rdfsmits@...uwaterloo.ca>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFPsVyO3tZOuyuofFwRAiQYAJ0W3h+HC4b0bSYM/3FbDtzh/VwC1ACeLOFw
dct2xKgjvPupH6aKZ5jdJEo=
=iofn
-----END PGP SIGNATURE-----
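
The difference the patch makes, shown as an added example that is not part of the advisory or of pidgin-otr's code. `debug_info` is a hypothetical stand-in for a printf-style debug function, the two wrapper names are illustrative, and the message is a constructed sample that uses only `%%` so both calls stay well defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style debug API with the shape
 * debug(category, format, ...); writes into out instead of a log. */
static int debug_info(char *out, size_t outlen, const char *category,
                      const char *format, ...)
{
    va_list ap;
    int n = snprintf(out, outlen, "(%s) ", category);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    va_start(ap, format);
    int m = vsnprintf(out + n, outlen - (size_t)n, format, ap);
    va_end(ap);
    return m < 0 ? -1 : n + m;
}

/* Pre-patch shape: the message, which may carry remote input, is the
 * format string, so every '%' in it is parsed as a directive. */
static int log_message_unpatched(char *out, size_t outlen, const char *message)
{
    return debug_info(out, outlen, "otr", message);
}

/* Patched shape: the format is a literal; message is only data. */
static int log_message_patched(char *out, size_t outlen, const char *message)
{
    return debug_info(out, outlen, "otr", "%s", message);
}

int main(void)
{
    /* Constructed input. "%%" is the one directive that consumes no
     * argument, so the unpatched call stays well defined here. */
    const char *message = "progress 100%% [constructed sample]";
    char before[128], after[128];

    log_message_unpatched(before, sizeof before, message);
    log_message_patched(after, sizeof after, message);
    printf("unpatched: %s\npatched:   %s\n", before, after);
    /* Differing output shows the unpatched path parsed the message. */
    return strcmp(before, after) == 0;
}
```

The unpatched line prints a single `%` because the message was interpreted as a format; the patched line reproduces the message byte for byte.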
