| Summary: | pidgin-otr new security issue CVE-2012-2369 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, oliver.bgr, shlomif, sysadmin-bugs, tmb, wassi |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/497775/ | ||
| Whiteboard: | MGA1TOO, mga1-32-OK, mga2-32-OK, MGA2-64-OK, mga1-64-OK | ||
| Source RPM: | pidgin-otr-3.2.0-3.mga1.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | 2317 | ||
| Bug Blocks: | |||
|
Description
David Walser
2012-05-21 14:27:01 CEST
David Walser
2012-05-21 14:27:33 CEST
CC:
(none) =>
oliver.bgr This is fixed in Cauldron. Updates for Mageia 1 and Mageia 2 are still needed. Version:
1 =>
2 Fixed for 1 and 2. @David: I only saw this by chance, please assign to maintainer next time. Advisory libotr: --- This update only removes the la file from the devel package, because pidgin-otr won't build with it --- Advisory pidgin-otr: --- This update fixes a possible security flaw (CVE--2012-2369) --- Assignee:
bugsquad =>
qa-bugs (In reply to comment #2) > Fixed for 1 and 2. Thanks Oliver. > @David: I only saw this by chance, please assign to maintainer next time. Aren't you the maintainer? Here's a suggested advisory, to give a little more information. Suggested Advisory: ======================== Updated pidgin-otr package fixes security vulnerability: Format string vulnerability in the log_message_cb function in otr-plugin.c in the Off-the-Record Messaging (OTR) pidgin-otr plugin before 3.2.1 for Pidgin might allow remote attackers to execute arbitrary code via format string specifiers in data that generates a log message (CVE-2012-2369). libotr has also been updated to remove the .la file from the -devel package, so that pidgin-otr will build correctly. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369 http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080621.html ======================== Updated packages in core/updates_testing: ======================== libotr2-3.2.0-5.1.mga1 libotr-devel-3.2.0-5.1.mga1 libotr-utils-3.2.0-5.1.mga1 libotr2-3.2.0-5.1.mga2 libotr-devel-3.2.0-5.1.mga2 libotr-utils-3.2.0-5.1.mga2 pidgin-otr-3.2.0-3.1.mga1 pidgin-otr-3.2.0-3.1.mga2 from SRPMS: libotr-3.2.0-5.1.mga1.src.rpm libotr-3.2.0-5.1.mga2.src.rpm pidgin-otr-3.2.0-3.1.mga1.src.rpm pidgin-otr-3.2.0-3.1.mga2.src.rpm Testing complete on i586. For testing I used pidgin on Mageia 2 and pidgin in a Mageia 1 VB guest, both using hotmail accounts, although separate accounts. After enabling the otr plugin, and configuring it to generate a key for each account, I was able to initiate private chatting. I did notice that generating the key can take a very long time. Running it under strace showed it was reading from /dev/random, instead of /dev/urandom. While that can be rather annoying, I don't consider it to be a real bug, just an annoyance. CC:
(none) =>
davidwhodgins Seems to work fine(In reply to comment #5) > Testing complete on i586. > Testing complete on Mageia 2 x86-64 . I was able to initiate a conversation between two of my accounts - both on @gmail.com and it worked fine. The plugin appears to work fine. Regards, -- Shlomi Fish > For testing I used pidgin on Mageia 2 and pidgin in a Mageia 1 VB guest, > both using hotmail accounts, although separate accounts. > > After enabling the otr plugin, and configuring it to generate a key for > each account, I was able to initiate private chatting. > > I did notice that generating the key can take a very long time. Running > it under strace showed it was reading from /dev/random, instead of > /dev/urandom. While that can be rather annoying, I don't consider it > to be a real bug, just an annoyance. CC:
(none) =>
shlomif
user7
2012-07-02 21:41:35 CEST
CC:
(none) =>
wassi OK, now also tested it in a 64-bit Mageia 1 VM. Seems fine. I talked to it from a Pidgin on my x86-64 Cauldron host. Whiteboard:
MGA1TOO, mga1-32-OK, mga2-32-OK, MGA2-64-OK =>
MGA1TOO, mga1-32-OK, mga2-32-OK, MGA2-64-OK, mga1-64-OK This is ready for validating Shlomi, thanks for testing, would you like to do the honours? Advisory: ========= Updated pidgin-otr package fixes security vulnerability: Format string vulnerability in the log_message_cb function in otr-plugin.c in the Off-the-Record Messaging (OTR) pidgin-otr plugin before 3.2.1 for Pidgin might allow remote attackers to execute arbitrary code via format string specifiers in data that generates a log message (CVE-2012-2369). libotr has also been updated to remove the .la file from the -devel package, so that pidgin-otr will build correctly. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369 http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080621.html ======================== Updated packages in core/updates_testing: ======================== libotr2-3.2.0-5.1.mga1 libotr-devel-3.2.0-5.1.mga1 libotr-utils-3.2.0-5.1.mga1 libotr2-3.2.0-5.1.mga2 libotr-devel-3.2.0-5.1.mga2 libotr-utils-3.2.0-5.1.mga2 pidgin-otr-3.2.0-3.1.mga1 pidgin-otr-3.2.0-3.1.mga2 from SRPMS: libotr-3.2.0-5.1.mga1.src.rpm libotr-3.2.0-5.1.mga2.src.rpm pidgin-otr-3.2.0-3.1.mga1.src.rpm pidgin-otr-3.2.0-3.1.mga2.src.rpm Could sysadmin please push from core/updates_testing to core/updates. Thank you! ------------------------------------------------ Keywords:
(none) =>
validated_update This one also seems affected by bug 2317. Adding a depends. $ ./depcheck pidgin-otr "Core Release" "Core Updates Testing" ---------------------------------------- Running checks for "pidgin-otr" using media "Core Release" and "Core Updates Testing". ---------------------------------------- Mageia release 2 (Official) for x86_64 Latest version found in "Core Release" is pidgin-otr-3.2.0-3.mga1 Latest version found in "Core Updates Testing" is pidgin-otr-3.2.0-3.1.mga2 ---------------------------------------- The following packages will require linking: apper-0.7.1-1.mga2 (Core 32bit Release) apper-0.7.1-1.mga2 (Core Release) gnome-packagekit-common-3.4.0-1.mga2 (Core 32bit Release) gnome-packagekit-common-3.4.0-1.mga2 (Core Release) pinentry-gtk2-0.8.1-3.mga2 (Core 32bit Release) pinentry-gtk2-0.8.1-3.mga2 (Core Release) pinentry-qt4-0.8.1-3.mga2 (Core 32bit Release) pinentry-qt4-0.8.1-3.mga2 (Core Release) polkit-gnome-0.105-1.mga2 (Core 32bit Release) polkit-gnome-0.105-1.mga2 (Core Release) polkit-kde-agent-1-0.99.0-2.mga1 (Core 32bit Release) polkit-kde-agent-1-0.99.0-2.mga1 (Core Release) ---------------------------------------- Done. libotr doesn't seem affected. Depends on:
(none) =>
2317 $ ./depcheck pidgin-otr "Core Release" "Core Updates Testing" ---------------------------------------- Running checks for "pidgin-otr" using media "Core Release" and "Core Updates Testing". ---------------------------------------- Mageia release 1 (Official) for x86_64 Latest version found in "Core Release" is pidgin-otr-3.2.0-3.mga1 Latest version found in "Core Updates Testing" is pidgin-otr-3.2.0-3.1.mga1 ---------------------------------------- The following packages will require linking: gnome-packagekit-common-2.32.0-3.mga1 (Core 32bit Release) gnome-packagekit-common-2.32.0-3.mga1 (Core Release) kpackagekit-common-0.6.3.3-2.mga1 (Core 32bit Release) kpackagekit-common-0.6.3.3-2.mga1 (Core Release) notification-daemon-0.5.0-2.mga1 (Core 32bit Release) notification-daemon-0.5.0-2.mga1 (Core Release) xfce4-notifyd-0.2.1-3.mga1 (Core 32bit Release) xfce4-notifyd-0.2.1-3.mga1 (Core Release) ---------------------------------------- Done. Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0140 Status:
NEW =>
RESOLVED |