A security issue in pidgin-otr was reported today (March 9):
http://openwall.com/lists/oss-security/2016/03/09/8

The issue is fixed in version 4.0.2.

Updated packages uploaded for Mageia 5 and Cauldron.

This should be tested with the libotr update in Bug 17927.

Advisory:
========================

Updated pidgin-otr package fixes security vulnerability:

The pidgin-otr plugin before 4.0.2 is vulnerable to a heap use after free error. The bug is triggered when a user tries to authenticate a buddy and happens in the function create_smp_dialog.

References:
https://blog.fuzzing-project.org/39-Heap-use-after-free-in-Pidgin-OTR-plugin.html
http://openwall.com/lists/oss-security/2016/03/09/8
========================

Updated packages in core/updates_testing:
========================
pidgin-otr-4.0.2-1.mga5

from pidgin-otr-4.0.2-1.mga5.src.rpm
Depends on: (none) => 17927
CVE-2015-8833 has been assigned:
http://openwall.com/lists/oss-security/2016/03/09/13

Advisory:
========================

Updated pidgin-otr package fixes security vulnerability:

The pidgin-otr plugin before 4.0.2 is vulnerable to a heap use after free error. The bug is triggered when a user tries to authenticate a buddy and happens in the function create_smp_dialog (CVE-2015-8833).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8833
https://blog.fuzzing-project.org/39-Heap-use-after-free-in-Pidgin-OTR-plugin.html
http://openwall.com/lists/oss-security/2016/03/09/13
Summary: pidgin-otr new heap use-after-free security issue => pidgin-otr new heap use-after-free security issue (CVE-2015-8833)
URL: (none) => http://lwn.net/Vulnerabilities/680031/
MGA5-32 on Acer D620 Xfce

No installation issues BUT when running this configuration the first time at CLI I got:

$ pidgin
Couldn't create plugins dir
Expected libotr API version 4.1.1 incompatible with actual version 4.0.0. Aborting.

I had to install the libotr-4.1.1, it is present in our repos, so missed dependency???

After that I could do a conversation between this installation and a "normal" pidgin installation (where I made sure the standard pidgin-otr plugin was included) on an x86-64 MGA5
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Validating. Advisory todo.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0125.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED