Bug 17933

Summary: pidgin-otr new heap use-after-free security issue (CVE-2015-8833)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/680031/
Whiteboard: MGA5-32-OK advisory
Source RPM: pidgin-otr-4.0.0-5.mga5.src.rpm CVE:
Status comment:
Bug Depends on: 17927    
Bug Blocks:    

Description David Walser 2016-03-09 23:49:26 CET 
A security issue in pidgin-otr was reported today (March 9):
http://openwall.com/lists/oss-security/2016/03/09/8

The issue is fixed in version 4.0.2.

Updated packages uploaded for Mageia 5 and Cauldron.

This should be tested with the libotr update in Bug 17927.

Advisory:
========================

Updated pidgin-otr package fixes security vulnerability:

The pidgin-otr plugin before 4.0.2 is vulnerable to a heap use after free
error. The bug is triggered when a user tries to authenticate a buddy and
happens in the function create_smp_dialog.

References:
https://blog.fuzzing-project.org/39-Heap-use-after-free-in-Pidgin-OTR-plugin.html
http://openwall.com/lists/oss-security/2016/03/09/8
========================

Updated packages in core/updates_testing:
========================
pidgin-otr-4.0.2-1.mga5

from pidgin-otr-4.0.2-1.mga5.src.rpm
David Walser 2016-03-09 23:49:58 CET

Depends on: (none) => 17927

Comment 1 David Walser 2016-03-10 15:55:48 CET 
CVE-2015-8833 has been assigned:
http://openwall.com/lists/oss-security/2016/03/09/13

Advisory:
========================

Updated pidgin-otr package fixes security vulnerability:

The pidgin-otr plugin before 4.0.2 is vulnerable to a heap use after free
error. The bug is triggered when a user tries to authenticate a buddy and
happens in the function create_smp_dialog (CVE-2015-8833).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8833
https://blog.fuzzing-project.org/39-Heap-use-after-free-in-Pidgin-OTR-plugin.html
http://openwall.com/lists/oss-security/2016/03/09/13

Summary: pidgin-otr new heap use-after-free security issue => pidgin-otr new heap use-after-free security issue (CVE-2015-8833)

David Walser 2016-03-14 19:36:39 CET

URL: (none) => http://lwn.net/Vulnerabilities/680031/

Comment 2 Herman Viaene 2016-03-24 10:37:03 CET 
MGA5-32 on Acer D620 Xfce
No installation issues BUT
when running this configuration the first time at CLI I got:
$ pidgin 
Couldn't create plugins dir
Expected libotr API version 4.1.1 incompatible with actual version 4.0.0.  Aborting.
I had to install the libotr-4.1.1, it is present in our repos, so missed dependency???
After that I could do a conversation between this installation and a "normal" pidgin installation (where I made sure the standard pidgin-otr plugin was included) on a x86-64 MGA5

CC: (none) => herman.viaene

Herman Viaene 2016-03-24 21:49:35 CET

Whiteboard: (none) => MGA5-32-OK

Comment 3 claire robinson 2016-03-24 22:37:51 CET 
Validating. Advisory todo.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2016-03-25 06:15:46 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 4 Mageia Robot 2016-03-25 07:39:58 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0125.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED