openSUSE has issued an advisory on December 29: https://lists.opensuse.org/opensuse-updates/2016-12/msg00157.html The issue is fixed upstream in 1.0.2. The upstream commit to fix the issue is linked from the SUSE bug: https://bugzilla.suse.com/show_bug.cgi?id=1016942 Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Fixed in cauldron with latest stable 1.0.2 and pushed patched version to core/updates_testing for mga5. Mga5 was shipping git version of 1.0.0 so I also updated it to 1.0.0 final.
Assignee: fundawang => qa-bugs
CC: (none) => jani.valimaa
Assigning back to Jani. The issue is fixed in 1.0.2, not 1.0.0.
Whiteboard: MGA5TOO => (none)
CC: (none) => qa-bugs
Version: Cauldron => 5
Assignee: qa-bugs => jani.valimaa
> and pushed patched version to core/updates_testing for mga5. Mga5 was shipping git version of 1.0.0 so I also updated it to 1.0.0 final.

I believe this means that Mageia 5 has a patched version of 1.0.0 final which incorporates the fixes from 1.0.2.
(In reply to Rémi Verschelde from comment #3)
> > and pushed patched version to core/updates_testing for mga5. Mga5 was shipping git version of 1.0.0 so I also updated it to 1.0.0 final.
>
> I believe this means that Mageia 5 has a patched version of 1.0.0 final
> which incorporates the fixes from 1.0.2.

That's what he made it sound like, but I checked the commit and it's not patched.
http://svnweb.mageia.org/packages/updates/5/irssi-otr/current/SPECS/irssi-otr.spec?view=log&pathrev=1083240
http://svnweb.mageia.org/packages/updates/5/irssi-otr/current/SPECS/irssi-otr.spec?r1=832244&r2=1083239&pathrev=1083240
http://svnweb.mageia.org/packages/updates/5/irssi-otr/current/SPECS/irssi-otr.spec?r1=1083239&r2=1083240&pathrev=1083240
The patch [0] is there and applied, so to me it looks good for QA.

[0] http://svnweb.mageia.org/packages/updates/5/irssi-otr/current/SOURCES/0001-Remove-linebreaks-from-libotr-messages-to-avoid-send.patch?view=markup&pathrev=1083239
Assignee: jani.valimaa => qa-bugs
Advisory:
========================

Updated irssi-otr packages fix security vulnerability:

It was discovered that irssi-otr had a flaw in handling data returned by libotr. After the initiation of the OTR session only the first line was sent as a PRIVMSG, while additional data would be sent as raw commands to the IRC server. The additional data would ordinarily be a human-readable HTML-formatted instruction message from libotr, a fixed string. However this is a minor security concern and the remediation avoids further security issues.

References:
https://lists.opensuse.org/opensuse-updates/2016-12/msg00157.html
========================

Updated packages in core/updates_testing:
========================
irssi-otr-1.0.0-1.mga5

from irssi-otr-1.0.0-1.mga5.src.rpm
CC: qa-bugs => (none)
x86_64 real hardware

"Off the record" messaging encryption for IRC.
Before updating OTR failed to load in irssi.

Quoting CyberGuerilla:
Once you have irssi-otr installed you need to load the module in irssi. This is accomplished by running a "/load otr" in the irssi interface. The first time you load OTR you need to create a OTR key. You do this by running the command "/otr genkey nick@irc.domain.xyz" where "nick" is your IRC nickname and "irc.domain.xyz" is the IRC server's fully qualified domain name. You confirm the creation of the key by looking in ~/irssi/otr/otr.key. After this, you simply need to write something in the chat room, wait 10 seconds and your communications should become secure. The README covers these commands and others. It is highly recommended you read this document and understand it before deploying irssi-otr.

Created .irssi/startup and placed this command in it:
LOAD otr

$ irssi
(freenode)
08:06 -!- Irssi: Error loading module otr/otr: /usr/lib64/irssi/modules/libotr.so: undefined symbol: perl_signal_register

Removed startup and tried this:
$ irssi
08:15 -!- Irssi: Join to #mageia-qa was synced in 7 secs
[08:15] [tarazed(+Zi)] [1:freenode/NickServ]
/LOAD otr
08:16 -!- Irssi: Error loading module otr/otr: /usr/lib64/irssi/modules/libotr.so: undefined symbol: perl_signal_register

$ cd /usr/lib64/irssi/modules
$ ls -l
total 388
-rwxr-xr-x 1 root root    938 Jan  8 18:02 libfe_perl.la
-rwxr-xr-x 1 root root  16392 Jan  8 18:02 libfe_perl.so
-rwxr-xr-x 1 root root    952 Jan  8 18:02 libirc_proxy.la
-rwxr-xr-x 1 root root  32456 Jan  8 18:02 libirc_proxy.so
-rw-r--r-- 1 root root 232446 Sep 20  2014 libotr.so
-rwxr-xr-x 1 root root   1073 Jan  8 18:02 libperl_core.la
-rwxr-xr-x 1 root root  96832 Jan  8 18:02 libperl_core.so

Note that libotr.so lacks executable permissions but adding them made no difference.
Need some guidance here.
CC: (none) => tarazed25
Keywords: (none) => NEEDHELP
Whiteboard: (none) => feedback
You need to install irssi-perl and load it before otr in irssi. I've pushed new irssi-otr to core/updates_testing which also requires irssi-perl.
Advisory:
========================

Updated irssi-otr packages fix security vulnerability:

It was discovered that irssi-otr had a flaw in handling data returned by libotr. After the initiation of the OTR session only the first line was sent as a PRIVMSG, while additional data would be sent as raw commands to the IRC server. The additional data would ordinarily be a human-readable HTML-formatted instruction message from libotr, a fixed string. However this is a minor security concern and the remediation avoids further security issues.

References:
https://lists.opensuse.org/opensuse-updates/2016-12/msg00157.html
========================

Updated packages in core/updates_testing:
========================
irssi-otr-1.0.0-1.1.mga5

from irssi-otr-1.0.0-1.1.mga5.src.rpm
Keywords: NEEDHELP => (none)
Whiteboard: feedback => (none)
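The flaw described in the advisory above, and the remedy named by the patch file (removing linebreaks from libotr messages), sketched as an added C example. This is not the irssi-otr patch itself; the function names, buffer sizes and the sample message are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: a multi-line message such as a library might return. */
static const char SAMPLE[] = "?OTRv23?\nline two of the notice\r\nline three";

/* Number of protocol lines an IRC server would see in buf (CR/LF delimited). */
size_t irc_line_count(const char *buf)
{
    size_t n = 0;
    for (int in_line = 0; *buf; buf++) {
        int brk = (*buf == '\r' || *buf == '\n');
        n += (!brk && !in_line);   /* first non-break char starts a new line */
        in_line = !brk;
    }
    return n;
}

/* Copy msg to out with each CR/LF run collapsed to one space; -1 if too small. */
int flatten_linebreaks(const char *msg, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (int prev = 0; *msg; msg++) {
        int brk = (*msg == '\r' || *msg == '\n');
        if (brk && prev) continue;          /* collapse consecutive breaks */
        if (o + 1 >= outsz) return -1;      /* keep room for the terminator */
        out[o++] = brk ? ' ' : *msg;
        prev = brk;
    }
    out[o] = '\0';
    return 0;
}

/* Build exactly one PRIVMSG line; reject targets that could split the line. */
int build_privmsg(const char *target, const char *msg, char *out, size_t outsz)
{
    char flat[400];
    if (!*target || strpbrk(target, "\r\n ") != NULL) return -1;
    if (flatten_linebreaks(msg, flat, sizeof flat) != 0) return -1;
    int n = snprintf(out, outsz, "PRIVMSG %s :%s\r\n", target, flat);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char out[512];
    if (build_privmsg("bob", SAMPLE, out, sizeof out) != 0) return 1;
    printf("%zu line(s) raw, %zu sent: %s", irc_line_count(SAMPLE), irc_line_count(out), out);
    return 0;
}
```

Sent unflattened, the sample would reach the server as three lines, of which only the first carries the PRIVMSG prefix; after flattening it is a single PRIVMSG.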
Thanks Jani.
Installed irssi-perl and latest irssi-otr.

$ sudo urpmi irssi-perl
Package irssi-perl-0.8.21-1.mga5.x86_64 is already installed
$ irssi
.........................
/load perl
/load otr
22:28 -!- Irssi: Loaded module perl/core
22:28 -!- Irssi: Loaded module perl/fe
22:28 -!- Irssi: Join to #mageia-qa was synced in 8 secs
22:29 -!- Irssi: Module perl/perl already loaded
22:29 -!- Irssi: otr/otr is ABI version 0 but Irssi is version 2, cannot load

$ urpmq -f irssi
irssi-0.8.16-4.mga5.x86_64|irssi-0.8.20-1.mga5.x86_64|irssi-0.8.21-1.mga5.x86_64
$ irssi --version
irssi 0.8.21 (20170103 1424)
Pushed irssi-otr-1.0.0-1.2.mga5 to core/updates_testing which fixes the ABI mismatch error.
Thanks again Jani. Shall try the instructions at CyberGuerilla but am on shaky ground here.

Installed the latest version and it worked.
09:36 -!- Irssi: Join to #mageia-qa was synced in 7 secs
/load perl
09:37 -!- Irssi: Loaded module perl/core
09:37 -!- Irssi: Loaded module perl/fe
/load otr
09:37 -!- Irssi: Loaded module otr/core
/otr genkey tarazed@chat.freenode.net
09:55 OTR: Key generation started for tarazed@chat.freenode.net

Initially .irssi/otr contained "LOAD otr" but the site quoted gives the impression that otr should be a directory in which otr.key would be stored. Nothing is happening in the .irssi directory. I suspect that I wrote that file as a memorandum. Anyway I deleted it and created the otr directory. Probably too late. Nope. It worked when the command was reissued. otr.key appeared in the form of a structured text file.
Wrote a line in the mageia chatroom then
/otr finish
OTR: Failed: Can't get nick and server of current query window. (Or maybe you're doing this in the status window?)
Conversation continued OK though.
Tried again with
/otr finish tarazed@chat.freenode.net
Same error message.
/part
/otr finish
OTR: Nothing to do
Encryption only works in query between two nicks, not in public #channel.
Seems that irssi-otr 1.0.0 causes a segfault in irssi when used. It doesn't happen when using 1.0.2 so I'll update irssi-otr to 1.0.2 also in mga5.
Pushed irssi-otr-1.0.2-1.mga5 to core/updates_testing.
(In reply to Jani Välimaa from comment #17)
> Pushed irssi-otr-1.0.2-1.mga5 to core/updates_testing.

Confirmed that it works in mga5 x86_64. Checked also with wireshark that it really encrypts messages in query between two nicks.
OK, thanks for your quick responses Jani. Nothing for me to do then except rubber-stamp the update.
The latest update seems to be OK with key generation. Giving this the OK.
Whiteboard: (none) => MGA5-64-OK
Uploaded Advisory ex comments 10 & 17.
CC: (none) => lewyssmith
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Unless anybody objects I shall validate this for one architecture.
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0043.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED