Bug 7043 - libotr new security issue CVE-2012-3461
: libotr new security issue CVE-2012-3461
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/511058/
: MGA2-32-OK MGA1-64-OK MGA1-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-08-13 16:49 CEST by David Walser
Modified: 2012-08-18 12:12 CEST (History)
5 users (show)

See Also:
Source RPM: libotr-3.2.0-5.1.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-08-13 16:49:44 CEST
Mandriva has issued an advisory today (August 13):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:131

Mageia 1 and Mageia 2 are also affected.

A patch is available from Mandriva.

It also sounds like it's fixed upstream in 3.2.1 from the Debian bug.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684121

Info at the RedHat bug too.
https://bugzilla.redhat.com/show_bug.cgi?id=846377
Comment 1 Oliver Burger 2012-08-14 19:41:56 CEST
Fixed for 1, 2 and Cauldron.

For 1 and 2 SRPM in question:
libotr-3.2.0-5.2.mgaX.src.rpm
RPMs in question:
lib64otr2
libotr-debug
lib64otr-devel
libotr-utils

--- Advisory ---
This update fixes a security problem in libotr reported by Debian, Fedora and Mandriva
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:131
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684121
https://bugzilla.redhat.com/show_bug.cgi?id=846377
----------------
Comment 2 David Walser 2012-08-14 19:47:43 CEST
Thanks Oliver!

BTW, you could update libotr and pidgin-otr to 3.2.1 in Cauldron, as IIRC from the security bug discussions, they are the same as 3.2.0+security patch.

Fleshing out the advisory a bit...

Advisory:
========================

Updated libotr packages fix security vulnerability:

Just Ferguson discovered that libotr, an off-the-record (OTR) messaging
library, can be forced to perform zero-length allocations for heap
buffers that are used in base64 decoding routines. An attacker can
exploit this flaw by sending crafted messages to an application that
is using libotr to perform denial of service attacks or potentially
execute arbitrary code (CVE-2012-3461).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3461
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:131
========================

Updated packages in core/updates_testing:
========================
libotr2-3.2.0-5.2.mga1
libotr-devel-3.2.0-5.2.mga1
libotr-utils-3.2.0-5.2.mga1
libotr2-3.2.0-5.2.mga2
libotr-devel-3.2.0-5.2.mga2
libotr-utils-3.2.0-5.2.mga2

from SRPMS:
libotr-3.2.0-5.2.mga1.src.rpm
libotr-3.2.0-5.2.mga2.src.rpm
Comment 3 Oliver Burger 2012-08-14 19:52:14 CEST
pidgin-otr is already 3.2.1, libotr is still 3.2.0.
Upstream did fix it in their cvs but they did not release a new tar ball.
Comment 4 David Walser 2012-08-14 19:58:11 CEST
(In reply to comment #3)
> pidgin-otr is already 3.2.1, libotr is still 3.2.0.
> Upstream did fix it in their cvs but they did not release a new tar ball.

It may not have been announced, but the tarball does exist.
http://www.cypherpunks.ca/otr/libotr-3.2.1.tar.gz

Debian also has it packaged already.
http://packages.debian.org/search?keywords=libotr
Comment 5 Oliver Burger 2012-08-14 20:34:45 CEST
I only looked at the website, thx.

New version submitted for Cauldron.
Comment 6 Oliver Burger 2012-08-16 09:28:11 CEST
I can't really give a testing procedure.

But my pidgin works with the new libotr, any idea how else to test it but using an app, that's working with it?

Tested on Mga2 x86_64.
Comment 7 Samuel Verschelde 2012-08-16 09:31:00 CEST
(In reply to comment #6)
> I can't really give a testing procedure.
> 
> But my pidgin works with the new libotr, any idea how else to test it but using
> an app, that's working with it?
> 
> Tested on Mga2 x86_64.

If strace shows that pidgin actually uses the lib, this is usually sufficient testing. There's also libotr-utils that can be useful to test some basic functions of the lib.
Comment 8 Samuel Verschelde 2012-08-16 22:56:19 CEST
For the record, here is how Dave Hodgins tested the previous pigdin-otr + libotr update: https://bugs.mageia.org/show_bug.cgi?id=6007#c5
Comment 9 Dave Hodgins 2012-08-18 00:03:33 CEST
I'll be testing this shortly.
Comment 10 Dave Hodgins 2012-08-18 01:11:47 CEST
Testing complete using my regular account on a Mageia 2 x86-64 host
with VB guests for Mageia 2 i586, Mageia 1 i586 and x86-64 using an
account setup just for qa testing.

Could someone from the sysadmin team push the srpm
libotr-3.2.0-5.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
libotr-3.2.0-5.2.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated libotr packages fix security vulnerability:

Just Ferguson discovered that libotr, an off-the-record (OTR) messaging
library, can be forced to perform zero-length allocations for heap
buffers that are used in base64 decoding routines. An attacker can
exploit this flaw by sending crafted messages to an application that
is using libotr to perform denial of service attacks or potentially
execute arbitrary code (CVE-2012-3461).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3461
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:131

https://bugs.mageia.org/show_bug.cgi?id=7043
Comment 11 Thomas Backlund 2012-08-18 12:12:04 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0223

Note You need to log in before you can comment on or make changes to this bug.