Fedora has issued an advisory on May 18:
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080621.html

The solution is to upgrade to 3.2.1 (only change is CVE fix).

Cauldron/Mageia 2 are also affected.
CC: (none) => oliver.bgr
This is fixed in Cauldron. Updates for Mageia 1 and Mageia 2 are still needed.
Version: 1 => 2
Whiteboard: (none) => MGA1TOO
Fixed for 1 and 2.

@David: I only saw this by chance, please assign to maintainer next time.

Advisory libotr:
---
This update only removes the la file from the devel package, because pidgin-otr won't build with it
---

Advisory pidgin-otr:
---
This update fixes a possible security flaw (CVE-2012-2369)
---
Assignee: bugsquad => qa-bugs
(In reply to comment #2)
> Fixed for 1 and 2.

Thanks Oliver.

> @David: I only saw this by chance, please assign to maintainer next time.

Aren't you the maintainer?
Here's a suggested advisory, to give a little more information.

Suggested Advisory:
========================

Updated pidgin-otr package fixes security vulnerability:

Format string vulnerability in the log_message_cb function in otr-plugin.c in the Off-the-Record Messaging (OTR) pidgin-otr plugin before 3.2.1 for Pidgin might allow remote attackers to execute arbitrary code via format string specifiers in data that generates a log message (CVE-2012-2369).

libotr has also been updated to remove the .la file from the -devel package, so that pidgin-otr will build correctly.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080621.html
========================

Updated packages in core/updates_testing:
========================
libotr2-3.2.0-5.1.mga1
libotr-devel-3.2.0-5.1.mga1
libotr-utils-3.2.0-5.1.mga1
libotr2-3.2.0-5.1.mga2
libotr-devel-3.2.0-5.1.mga2
libotr-utils-3.2.0-5.1.mga2
pidgin-otr-3.2.0-3.1.mga1
pidgin-otr-3.2.0-3.1.mga2

from SRPMS:
libotr-3.2.0-5.1.mga1.src.rpm
libotr-3.2.0-5.1.mga2.src.rpm
pidgin-otr-3.2.0-3.1.mga1.src.rpm
pidgin-otr-3.2.0-3.1.mga2.src.rpm
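The bug class named in the advisory above, as an added illustration that is not code from pidgin-otr or from anyone in this thread: a constructed logging helper in which message data is used as the format string, beside the constant-format form. The names `log_printf`, `log_message_unsafe`, `log_message_safe` and `count_conversions` are hypothetical, and the sample input uses only `%%`, which consumes no arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[256];   /* stands in for the real log destination */

/* Hypothetical printf-style logging sink. */
void log_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Flawed pattern: data that generates the log message becomes the format. */
const char *log_message_unsafe(const char *message)
{
    log_printf(message);        /* any '%' in message is interpreted */
    return last_log;
}

/* Corrected pattern: constant format, message passed only as an argument. */
const char *log_message_safe(const char *message)
{
    log_printf("%s", message);  /* message bytes are copied verbatim */
    return last_log;
}

/* Audit helper: count conversion specifiers in untrusted text ("%%" is a
 * literal percent sign and is not counted). */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    const char *sample = "100%% done";   /* constructed sample input */
    printf("unsafe: [%s]\n", log_message_unsafe(sample));
    printf("safe:   [%s]\n", log_message_safe(sample));
    printf("specifiers in \"%%x%%x%%n\": %d\n", count_conversions("%x%x%n"));
    return 0;
}
```

Building with `-Wformat -Wformat-security` flags a non-literal format passed to the standard printf family; a wrapper such as `log_printf` needs the `format(printf, ...)` attribute for the same check to apply.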
Testing complete on i586. For testing I used pidgin on Mageia 2 and pidgin in a Mageia 1 VB guest, both using hotmail accounts, although separate accounts. After enabling the otr plugin, and configuring it to generate a key for each account, I was able to initiate private chatting. I did notice that generating the key can take a very long time. Running it under strace showed it was reading from /dev/random, instead of /dev/urandom. While that can be rather annoying, I don't consider it to be a real bug, just an annoyance.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO,mga1-32-OK,mga2-32-OK
Seems to work fine

(In reply to comment #5)
> Testing complete on i586.
>

Testing complete on Mageia 2 x86-64. I was able to initiate a conversation between two of my accounts - both on @gmail.com and it worked fine. The plugin appears to work fine.

Regards,

-- Shlomi Fish

> For testing I used pidgin on Mageia 2 and pidgin in a Mageia 1 VB guest,
> both using hotmail accounts, although separate accounts.
>
> After enabling the otr plugin, and configuring it to generate a key for
> each account, I was able to initiate private chatting.
>
> I did notice that generating the key can take a very long time. Running
> it under strace showed it was reading from /dev/random, instead of
> /dev/urandom. While that can be rather annoying, I don't consider it
> to be a real bug, just an annoyance.
CC: (none) => shlomif
CC: (none) => wassi
Whiteboard: MGA1TOO,mga1-32-OK,mga2-32-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, MGA2-64-OK
OK, now also tested it in a 64-bit Mageia 1 VM. Seems fine. I talked to it from a Pidgin on my x86-64 Cauldron host.
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK, MGA2-64-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, MGA2-64-OK, mga1-64-OK
This is ready for validating.

Shlomi, thanks for testing, would you like to do the honours?
Advisory:
=========

Updated pidgin-otr package fixes security vulnerability:

Format string vulnerability in the log_message_cb function in otr-plugin.c in the Off-the-Record Messaging (OTR) pidgin-otr plugin before 3.2.1 for Pidgin might allow remote attackers to execute arbitrary code via format string specifiers in data that generates a log message (CVE-2012-2369).

libotr has also been updated to remove the .la file from the -devel package, so that pidgin-otr will build correctly.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080621.html
========================

Updated packages in core/updates_testing:
========================
libotr2-3.2.0-5.1.mga1
libotr-devel-3.2.0-5.1.mga1
libotr-utils-3.2.0-5.1.mga1
libotr2-3.2.0-5.1.mga2
libotr-devel-3.2.0-5.1.mga2
libotr-utils-3.2.0-5.1.mga2
pidgin-otr-3.2.0-3.1.mga1
pidgin-otr-3.2.0-3.1.mga2

from SRPMS:
libotr-3.2.0-5.1.mga1.src.rpm
libotr-3.2.0-5.1.mga2.src.rpm
pidgin-otr-3.2.0-3.1.mga1.src.rpm
pidgin-otr-3.2.0-3.1.mga2.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
------------------------------------------------
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
This one also seems affected by bug 2317. Adding a depends.

$ ./depcheck pidgin-otr "Core Release" "Core Updates Testing"
----------------------------------------
Running checks for "pidgin-otr" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is pidgin-otr-3.2.0-3.mga1
Latest version found in "Core Updates Testing" is pidgin-otr-3.2.0-3.1.mga2
----------------------------------------
The following packages will require linking:

apper-0.7.1-1.mga2 (Core 32bit Release)
apper-0.7.1-1.mga2 (Core Release)
gnome-packagekit-common-3.4.0-1.mga2 (Core 32bit Release)
gnome-packagekit-common-3.4.0-1.mga2 (Core Release)
pinentry-gtk2-0.8.1-3.mga2 (Core 32bit Release)
pinentry-gtk2-0.8.1-3.mga2 (Core Release)
pinentry-qt4-0.8.1-3.mga2 (Core 32bit Release)
pinentry-qt4-0.8.1-3.mga2 (Core Release)
polkit-gnome-0.105-1.mga2 (Core 32bit Release)
polkit-gnome-0.105-1.mga2 (Core Release)
polkit-kde-agent-1-0.99.0-2.mga1 (Core 32bit Release)
polkit-kde-agent-1-0.99.0-2.mga1 (Core Release)
----------------------------------------
Done.

libotr doesn't seem affected.
Depends on: (none) => 2317
$ ./depcheck pidgin-otr "Core Release" "Core Updates Testing"
----------------------------------------
Running checks for "pidgin-otr" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is pidgin-otr-3.2.0-3.mga1
Latest version found in "Core Updates Testing" is pidgin-otr-3.2.0-3.1.mga1
----------------------------------------
The following packages will require linking:

gnome-packagekit-common-2.32.0-3.mga1 (Core 32bit Release)
gnome-packagekit-common-2.32.0-3.mga1 (Core Release)
kpackagekit-common-0.6.3.3-2.mga1 (Core 32bit Release)
kpackagekit-common-0.6.3.3-2.mga1 (Core Release)
notification-daemon-0.5.0-2.mga1 (Core 32bit Release)
notification-daemon-0.5.0-2.mga1 (Core Release)
xfce4-notifyd-0.2.1-3.mga1 (Core 32bit Release)
xfce4-notifyd-0.2.1-3.mga1 (Core Release)
----------------------------------------
Done.
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0140
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED