Bug 6007 - pidgin-otr new security issue CVE-2012-2369
: pidgin-otr new security issue CVE-2012-2369
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/497775/
: MGA1TOO, mga1-32-OK, mga2-32-OK, MGA2...
: validated_update
: 2317
:
  Show dependency treegraph
 
Reported: 2012-05-21 14:27 CEST by David Walser
Modified: 2012-07-09 15:44 CEST (History)
6 users (show)

See Also:
Source RPM: pidgin-otr-3.2.0-3.mga1.src.rpm
CVE:


Attachments

Description David Walser 2012-05-21 14:27:01 CEST
Fedora has issued an advisory on May 18:
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080621.html

The solution is to upgrade to 3.2.1 (only change is CVE fix).

Cauldron/Mageia 2 are also affected.
Comment 1 David Walser 2012-06-14 20:54:14 CEST
This is fixed in Cauldron.  Updates for Mageia 1 and Mageia 2 are still needed.
Comment 2 Oliver Burger 2012-06-15 11:42:17 CEST
Fixed for 1 and 2.

@David: I only saw this by chance, please assign to maintainer next time.


Advisory libotr:
---
This update only removes the la file from the devel package,
because pidgin-otr won't build with it
---

Advisory pidgin-otr:
---
This update fixes a possible security flaw (CVE--2012-2369)
---
Comment 3 David Walser 2012-06-15 14:59:46 CEST
(In reply to comment #2)
> Fixed for 1 and 2.

Thanks Oliver.

> @David: I only saw this by chance, please assign to maintainer next time.

Aren't you the maintainer?
Comment 4 David Walser 2012-06-15 15:10:44 CEST
Here's a suggested advisory, to give a little more information.

Suggested Advisory:
========================

Updated pidgin-otr package fixes security vulnerability:

Format string vulnerability in the log_message_cb function in
otr-plugin.c in the Off-the-Record Messaging (OTR) pidgin-otr plugin
before 3.2.1 for Pidgin might allow remote attackers to execute
arbitrary code via format string specifiers in data that generates
a log message (CVE-2012-2369).

libotr has also been updated to remove the .la file from the -devel
package, so that pidgin-otr will build correctly.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080621.html
========================

Updated packages in core/updates_testing:
========================
libotr2-3.2.0-5.1.mga1
libotr-devel-3.2.0-5.1.mga1
libotr-utils-3.2.0-5.1.mga1
libotr2-3.2.0-5.1.mga2
libotr-devel-3.2.0-5.1.mga2
libotr-utils-3.2.0-5.1.mga2
pidgin-otr-3.2.0-3.1.mga1
pidgin-otr-3.2.0-3.1.mga2

from SRPMS:
libotr-3.2.0-5.1.mga1.src.rpm
libotr-3.2.0-5.1.mga2.src.rpm
pidgin-otr-3.2.0-3.1.mga1.src.rpm
pidgin-otr-3.2.0-3.1.mga2.src.rpm
Comment 5 Dave Hodgins 2012-07-02 01:33:11 CEST
Testing complete on i586.

For testing I used pidgin on Mageia 2 and pidgin in a Mageia 1 VB guest,
both using hotmail accounts, although separate accounts.

After enabling the otr plugin, and configuring it to generate a key for
each account, I was able to initiate private chatting.

I did notice that generating the key can take a very long time.  Running
it under strace showed it was reading from /dev/random, instead of
/dev/urandom.  While that can be rather annoying, I don't consider it
to be a real bug, just an annoyance.
Comment 6 Shlomi Fish 2012-07-02 21:38:34 CEST
Seems to work fine(In reply to comment #5)
> Testing complete on i586.
> 

Testing complete on Mageia 2 x86-64 .

I was able to initiate a conversation between two of my accounts - both on @gmail.com and it worked fine.

The plugin appears to work fine.

Regards,

-- Shlomi Fish

> For testing I used pidgin on Mageia 2 and pidgin in a Mageia 1 VB guest,
> both using hotmail accounts, although separate accounts.
> 
> After enabling the otr plugin, and configuring it to generate a key for
> each account, I was able to initiate private chatting.
> 
> I did notice that generating the key can take a very long time.  Running
> it under strace showed it was reading from /dev/random, instead of
> /dev/urandom.  While that can be rather annoying, I don't consider it
> to be a real bug, just an annoyance.
Comment 7 Shlomi Fish 2012-07-02 23:51:48 CEST
OK, now also tested it in a 64-bit Mageia 1 VM. Seems fine. I talked to it from a Pidgin on my x86-64 Cauldron host.
Comment 8 claire robinson 2012-07-03 11:21:25 CEST
This is ready for validating Shlomi, thanks for testing, would you like to do the honours?
Comment 9 Shlomi Fish 2012-07-03 12:16:31 CEST
Advisory:
=========

Updated pidgin-otr package fixes security vulnerability:

Format string vulnerability in the log_message_cb function in
otr-plugin.c in the Off-the-Record Messaging (OTR) pidgin-otr plugin
before 3.2.1 for Pidgin might allow remote attackers to execute
arbitrary code via format string specifiers in data that generates
a log message (CVE-2012-2369).

libotr has also been updated to remove the .la file from the -devel
package, so that pidgin-otr will build correctly.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080621.html
========================

Updated packages in core/updates_testing:
========================
libotr2-3.2.0-5.1.mga1
libotr-devel-3.2.0-5.1.mga1
libotr-utils-3.2.0-5.1.mga1
libotr2-3.2.0-5.1.mga2
libotr-devel-3.2.0-5.1.mga2
libotr-utils-3.2.0-5.1.mga2
pidgin-otr-3.2.0-3.1.mga1
pidgin-otr-3.2.0-3.1.mga2

from SRPMS:
libotr-3.2.0-5.1.mga1.src.rpm
libotr-3.2.0-5.1.mga2.src.rpm
pidgin-otr-3.2.0-3.1.mga1.src.rpm
pidgin-otr-3.2.0-3.1.mga2.src.rpm


Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------------
Comment 10 claire robinson 2012-07-03 13:30:10 CEST
This one also seems affected by bug 2317. Adding a depends.

$ ./depcheck pidgin-otr "Core Release" "Core Updates Testing"
----------------------------------------
Running checks for "pidgin-otr" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is pidgin-otr-3.2.0-3.mga1
Latest version found in "Core Updates Testing" is pidgin-otr-3.2.0-3.1.mga2
----------------------------------------
The following packages will require linking:

apper-0.7.1-1.mga2 (Core 32bit Release)
apper-0.7.1-1.mga2 (Core Release)
gnome-packagekit-common-3.4.0-1.mga2 (Core 32bit Release)
gnome-packagekit-common-3.4.0-1.mga2 (Core Release)
pinentry-gtk2-0.8.1-3.mga2 (Core 32bit Release)
pinentry-gtk2-0.8.1-3.mga2 (Core Release)
pinentry-qt4-0.8.1-3.mga2 (Core 32bit Release)
pinentry-qt4-0.8.1-3.mga2 (Core Release)
polkit-gnome-0.105-1.mga2 (Core 32bit Release)
polkit-gnome-0.105-1.mga2 (Core Release)
polkit-kde-agent-1-0.99.0-2.mga1 (Core 32bit Release)
polkit-kde-agent-1-0.99.0-2.mga1 (Core Release)
----------------------------------------
Done.

libotr doesn't seem affected.
Comment 11 claire robinson 2012-07-03 13:35:24 CEST
$ ./depcheck pidgin-otr "Core Release" "Core Updates Testing" 
----------------------------------------
Running checks for "pidgin-otr" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is pidgin-otr-3.2.0-3.mga1
Latest version found in "Core Updates Testing" is pidgin-otr-3.2.0-3.1.mga1
----------------------------------------
The following packages will require linking:

gnome-packagekit-common-2.32.0-3.mga1 (Core 32bit Release)
gnome-packagekit-common-2.32.0-3.mga1 (Core Release)
kpackagekit-common-0.6.3.3-2.mga1 (Core 32bit Release)
kpackagekit-common-0.6.3.3-2.mga1 (Core Release)
notification-daemon-0.5.0-2.mga1 (Core 32bit Release)
notification-daemon-0.5.0-2.mga1 (Core Release)
xfce4-notifyd-0.2.1-3.mga1 (Core 32bit Release)
xfce4-notifyd-0.2.1-3.mga1 (Core Release)
----------------------------------------
Done.
Comment 12 Thomas Backlund 2012-07-09 15:44:07 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0140

Note You need to log in before you can comment on or make changes to this bug.