Bug 17927

Summary: libotr new security issue CVE-2016-2851
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, herman.viaene, sysadmin-bugs, tarazed25
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/679616/
Whiteboard: MGA5-32-OK advisory
Source RPM: libotr-4.0.0-6.mga5.src.rpm
CVE:
Status comment:
Bug Depends on:
Bug Blocks: 17933

Description David Walser 2016-03-09 19:37:35 CET
X41 D-Sec GmbH has issued an advisory today (March 9):
https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/

Updated packages uploaded for Mageia 5 and Cauldron.

libotr5 is used by pidgin-otr.

Advisory:
========================

Updated libotr packages fix security vulnerability:

A remote attacker may crash or execute arbitrary code in libotr before 4.1.1
by sending large OTR messages. While processing specially crafted messages,
attacker controlled data on the heap is written out of bounds (CVE-2016-2851).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2851
https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/
========================

Updated packages in core/updates_testing:
========================
libotr5-4.1.1-1.mga5
libotr-devel-4.1.1-1.mga5
libotr-utils-4.1.1-1.mga5

from libotr-4.1.1-1.mga5.src.rpm
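
One way to confirm that a host has picked up this update, as an added example (not part of the bug report or of Mageia's tooling): it reads lines in the form produced by `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` and flags any libotr package whose version is below 4.1.1. It assumes GNU `sort -V`, assumes the `lib64` package prefix on x86_64, and uses constructed sample lines.

```shell
#!/bin/sh
# Added example: flag libotr packages older than the fixed release (4.1.1).
FIXED="4.1.1"   # "libotr before 4.1.1" is affected, per the advisory text

# is_fixed VERSION -> exit 0 if VERSION >= FIXED.
# Only the upstream version is compared, so distro release tags
# (e.g. 1.mga5) never enter the ordering.
is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# audit_libotr: read "name version release" lines on stdin, print one
# verdict per libotr package, return 1 if any of them is below FIXED.
audit_libotr() {
    status=0
    while read -r name ver rel; do
        case "$name" in
            libotr*|lib64otr*) ;;   # lib64 prefix is an assumption (x86_64)
            *) continue ;;
        esac
        if is_fixed "$ver"; then
            echo "OK $name $ver-$rel"
        else
            echo "VULNERABLE $name $ver-$rel"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample input (not taken from a real system); on a live host use:
#   rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n' | audit_libotr
SAMPLE='lib64otr5 4.0.0 6.mga5
libotr-utils 4.1.1 1.mga5
pidgin 2.10.12 1.mga5'

printf '%s\n' "$SAMPLE" | audit_libotr || true
```

A non-zero return from `audit_libotr` means at least one libotr package still predates the fix for CVE-2016-2851.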

Comment 1 David Walser 2016-03-09 23:49:58 CET
This should be tested with the pidgin-otr update in Bug 17933.

Blocks: (none) => 17933

Comment 2 David Walser 2016-03-10 19:35:54 CET
Debian has issued an advisory for this on March 9:
https://www.debian.org/security/2016/dsa-3512

URL: (none) => http://lwn.net/Vulnerabilities/679616/

Comment 3 Len Lawrence 2016-03-20 23:11:53 CET
x86_64  Mate

Had already installed pidgin and the pidgin-otr update.
Installed the lib64otr packages from testing.

Tried out pidgin and managed to create an account and join #mageia-qa but things don't look right.  Registered as tarazed and gave a local alias of lcl (not knowing what that meant) and found myself listed as lcl rather than tarazed.  The log showed the message I always get in irssi: "tarazed is not a registered nickname" even though I have registered it a dozen times.  I lose patience with these systems.

More serious is the message in the terminal:
$ pidgin
Couldn't create plugins dir

So I have no idea if libotr is OK or not as far as normal running is concerned, as opposed to the security vulnerability.

CC: (none) => tarazed25

Comment 4 David Walser 2016-03-20 23:32:50 CET
As far as I know, otr has nothing to do with IRC.  It's for encrypted communications between two Pidgin clients.

Comment 5 Len Lawrence 2016-03-21 00:36:06 CET
So it is not being used at all when pidgin is used to access IRC.  As I have no idea about pidgin to pidgin communication I shall have to drop this one.  Any takers?

Comment 6 David Walser 2016-03-21 00:38:55 CET
What's to have an idea about?  You get two people using Pidgin to enable the OTR plugin and talk to each other.

Comment 7 Len Lawrence 2016-03-21 08:10:36 CET
Remember you are talking to a dunderheid here David.  ;)  And I don't know anybody else so I suppose it will have to be two nodes on the LAN.  Be back after I figure out how to use pidgin.  I may be gone some time.

Comment 8 Len Lawrence 2016-03-21 09:43:23 CET
No, it cannot be used locally and I failed anyway to create an account for myself.  Definitely dropping this one.

Comment 9 David Walser 2016-03-21 09:53:22 CET
I haven't used the OTR one, I had only used an older encryption plugin for Pidgin, but it worked with any protocol.  So, if you didn't want a dependence on any external services, you could set up a local Jabber server and use that :o)

Comment 10 Len Lawrence 2016-03-21 12:48:10 CET
New ground again.  Looked at jabber and found djabberd and ejabberd.  Installed djabberd and set it running as a service.  Cannot find any intelligible information about using the service to talk between local nodes.  And how would the libotr plugin figure in all this.  I am baffled.  As I said, I am going to have to drop this one.  Simply don't have a clue about instant messaging.

Comment 11 David Walser 2016-03-21 13:21:13 CET
Well, if you got a Jabber server working, you're almost there.  You can register an account on the Jabber server through the Pidgin client.  If you enable the Pidgin OTR plugin (in Plugins), it should either give you a way to encrypt when you're talking to someone else who has it, or do it automatically.  Either way it shouldn't be hard to figure out.

Comment 12 Herman Viaene 2016-03-24 21:49:24 CET
MGA5-32 on Acer D620 Xfce
Tested in bug 17933

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 13 claire robinson 2016-03-24 22:37:12 CET
Validating. Advisory todo.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2016-03-25 06:15:56 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 14 Mageia Robot 2016-03-25 07:39:34 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0117.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED