| Summary: | libotr new security issue CVE-2012-3461 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, oliver.bgr, stormi-mageia, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/511058/ | ||
| Whiteboard: | MGA2-32-OK MGA1-64-OK MGA1-32-OK | ||
| Source RPM: | libotr-3.2.0-5.1.mga1.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2012-08-13 16:49:44 CEST
David Walser
2012-08-13 16:50:10 CEST
CC: (none) => oliver.bgr
David Walser
2012-08-13 16:50:17 CEST
Assignee: bugsquad => oliver.bgr

Fixed for 1, 2 and Cauldron.

For 1 and 2
SRPM in question:
libotr-3.2.0-5.2.mgaX.src.rpm

RPMs in question:
lib64otr2
libotr-debug
lib64otr-devel
libotr-utils

--- Advisory ---
This update fixes a security problem in libotr reported by Debian, Fedora and Mandriva

http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:131
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684121
https://bugzilla.redhat.com/show_bug.cgi?id=846377
----------------

Assignee: oliver.bgr => qa-bugs

Thanks Oliver!

BTW, you could update libotr and pidgin-otr to 3.2.1 in Cauldron, as IIRC from the security bug discussions, they are the same as 3.2.0+security patch.

Fleshing out the advisory a bit...

Advisory:
========================

Updated libotr packages fix security vulnerability:

Just Ferguson discovered that libotr, an off-the-record (OTR) messaging library, can be forced to perform zero-length allocations for heap buffers that are used in base64 decoding routines. An attacker can exploit this flaw by sending crafted messages to an application that is using libotr to perform denial of service attacks or potentially execute arbitrary code (CVE-2012-3461).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3461
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:131
========================

Updated packages in core/updates_testing:
========================
libotr2-3.2.0-5.2.mga1
libotr-devel-3.2.0-5.2.mga1
libotr-utils-3.2.0-5.2.mga1
libotr2-3.2.0-5.2.mga2
libotr-devel-3.2.0-5.2.mga2
libotr-utils-3.2.0-5.2.mga2

from SRPMS:
libotr-3.2.0-5.2.mga1.src.rpm
libotr-3.2.0-5.2.mga2.src.rpm

Version: Cauldron => 2

pidgin-otr is already 3.2.1, libotr is still 3.2.0.
Upstream did fix it in their cvs but they did not release a new tar ball.

(In reply to comment #3)
> pidgin-otr is already 3.2.1, libotr is still 3.2.0.
> Upstream did fix it in their cvs but they did not release a new tar ball.

It may not have been announced, but the tarball does exist.
http://www.cypherpunks.ca/otr/libotr-3.2.1.tar.gz

Debian also has it packaged already.
http://packages.debian.org/search?keywords=libotr

I only looked at the website, thx.
New version submitted for Cauldron.
David Walser
2012-08-15 17:50:51 CEST
URL: (none) => http://lwn.net/Vulnerabilities/511058/

I can't really give a testing procedure.

But my pidgin works with the new libotr, any idea how else to test it but using an app, that's working with it?

Tested on Mga2 x86_64.

(In reply to comment #6)
> I can't really give a testing procedure.
>
> But my pidgin works with the new libotr, any idea how else to test it but using
> an app, that's working with it?
>
> Tested on Mga2 x86_64.

If strace shows that pidgin actually uses the lib, this is usually sufficient testing. There's also libotr-utils that can be useful to test some basic functions of the lib.

CC: (none) => stormi

For the record, here is how Dave Hodgins tested the previous pidgin-otr + libotr update:
https://bugs.mageia.org/show_bug.cgi?id=6007#c5

I'll be testing this shortly.

CC: (none) => davidwhodgins

Testing complete using my regular account on a Mageia 2 x86-64 host with VB guests for Mageia 2 i586, Mageia 1 i586 and x86-64 using an account setup just for qa testing.

Could someone from the sysadmin team push the srpm libotr-3.2.0-5.2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm libotr-3.2.0-5.2.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated libotr packages fix security vulnerability:

Just Ferguson discovered that libotr, an off-the-record (OTR) messaging library, can be forced to perform zero-length allocations for heap buffers that are used in base64 decoding routines. An attacker can exploit this flaw by sending crafted messages to an application that is using libotr to perform denial of service attacks or potentially execute arbitrary code (CVE-2012-3461).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3461
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:131

https://bugs.mageia.org/show_bug.cgi?id=7043

Keywords: (none) => validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0223

Status: NEW => RESOLVED
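
The advisory quoted in this report describes a bug class in which the heap buffer for base64 decoding is sized from the length of the received message and that size can come out as zero. The following is an added illustration of that class beside a guarded decoder; it is not libotr's code or its patch, and the function names and sizing formulas are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Map a base64 character to its 6-bit value; -1 if outside the alphabet. */
static int b64val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Risky sizing (constructed): rounds down to whole 4-character groups, so
 * 1..3 input characters give 0 and the caller ends up doing malloc(0). */
size_t naive_decoded_size(size_t b64len) { return (b64len / 4) * 3; }
/* Safer sizing: round up, so any non-empty input gets room for a full group. */
size_t safe_decoded_size(size_t b64len) { return ((b64len + 3) / 4) * 3; }

/* Decode into a fresh buffer. Returns NULL for empty or malformed input and
 * never writes past the computed capacity. Caller frees the result. */
unsigned char *decode_checked(const char *in, size_t inlen, size_t *outlen) {
    size_t cap = safe_decoded_size(inlen), n = 0;
    unsigned acc = 0;
    int bits = 0;
    unsigned char *out;
    *outlen = 0;
    if (cap == 0) return NULL;            /* refuse zero-length allocation */
    if ((out = malloc(cap)) == NULL) return NULL;
    for (size_t i = 0; i < inlen && in[i] != '='; i++) {
        int v = b64val((unsigned char)in[i]);
        if (v < 0) { free(out); return NULL; }
        acc = ((acc << 6) | (unsigned)v) & 0xffffu;
        bits += 6;
        if (bits >= 8) {
            if (n >= cap) { free(out); return NULL; }  /* bound every write */
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    *outlen = n;
    return out;
}

int main(void) {
    size_t n;
    unsigned char *p = decode_checked("QU", 2, &n);   /* constructed short input */
    printf("naive=%zu safe=%zu decoded=%zu\n", naive_decoded_size(2), safe_decoded_size(2), n);
    free(p);
    return 0;
}
```

A two-character input still decodes to one byte, which is why a size that rounds down to zero leaves the decoder with nowhere valid to write.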