Mandriva has issued an advisory today (August 13):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:131
Mageia 1 and Mageia 2 are also affected. A patch is available from Mandriva.
It also sounds like it's fixed upstream in 3.2.1 from the Debian bug.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684121
Info at the RedHat bug too.
https://bugzilla.redhat.com/show_bug.cgi?id=846377
CC: (none) => oliver.bgr
Whiteboard: (none) => MGA2TOO, MGA1TOO
Assignee: bugsquad => oliver.bgr
Fixed for 1, 2 and Cauldron.
For 1 and 2 SRPM in question: libotr-3.2.0-5.2.mgaX.src.rpm
RPMs in question: lib64otr2 libotr-debug lib64otr-devel libotr-utils
--- Advisory ---
This update fixes a security problem in libotr reported by Debian, Fedora and Mandriva
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:131
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684121
https://bugzilla.redhat.com/show_bug.cgi?id=846377
----------------
Assignee: oliver.bgr => qa-bugs
Thanks Oliver! BTW, you could update libotr and pidgin-otr to 3.2.1 in Cauldron, as IIRC from the security bug discussions, they are the same as 3.2.0+security patch.
Fleshing out the advisory a bit...
Advisory:
========================
Updated libotr packages fix security vulnerability:
Just Ferguson discovered that libotr, an off-the-record (OTR) messaging library, can be forced to perform zero-length allocations for heap buffers that are used in base64 decoding routines. An attacker can exploit this flaw by sending crafted messages to an application that is using libotr to perform denial of service attacks or potentially execute arbitrary code (CVE-2012-3461).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3461
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:131
========================
Updated packages in core/updates_testing:
========================
libotr2-3.2.0-5.2.mga1
libotr-devel-3.2.0-5.2.mga1
libotr-utils-3.2.0-5.2.mga1
libotr2-3.2.0-5.2.mga2
libotr-devel-3.2.0-5.2.mga2
libotr-utils-3.2.0-5.2.mga2
from SRPMS:
libotr-3.2.0-5.2.mga1.src.rpm
libotr-3.2.0-5.2.mga2.src.rpm
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
pidgin-otr is already 3.2.1, libotr is still 3.2.0. Upstream did fix it in their cvs but they did not release a new tar ball.
(In reply to comment #3)
> pidgin-otr is already 3.2.1, libotr is still 3.2.0.
> Upstream did fix it in their cvs but they did not release a new tar ball.
It may not have been announced, but the tarball does exist.
http://www.cypherpunks.ca/otr/libotr-3.2.1.tar.gz
Debian also has it packaged already.
http://packages.debian.org/search?keywords=libotr
I only looked at the website, thx. New version submitted for Cauldron.
URL: (none) => http://lwn.net/Vulnerabilities/511058/
Severity: normal => major
I can't really give a testing procedure. But my pidgin works with the new libotr, any idea how else to test it but using an app, that's working with it? Tested on Mga2 x86_64.
(In reply to comment #6)
> I can't really give a testing procedure.
>
> But my pidgin works with the new libotr, any idea how else to test it but using
> an app, that's working with it?
>
> Tested on Mga2 x86_64.
If strace shows that pidgin actually uses the lib, this is usually sufficient testing. There's also libotr-utils that can be useful to test some basic functions of the lib.
CC: (none) => stormi
For the record, here is how Dave Hodgins tested the previous pidgin-otr + libotr update:
https://bugs.mageia.org/show_bug.cgi?id=6007#c5
I'll be testing this shortly.
CC: (none) => davidwhodgins
Testing complete using my regular account on a Mageia 2 x86-64 host with VB guests for Mageia 2 i586, Mageia 1 i586 and x86-64 using an account setup just for qa testing.
Could someone from the sysadmin team push the srpm libotr-3.2.0-5.2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm libotr-3.2.0-5.2.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.
Advisory:
Updated libotr packages fix security vulnerability:
Just Ferguson discovered that libotr, an off-the-record (OTR) messaging library, can be forced to perform zero-length allocations for heap buffers that are used in base64 decoding routines. An attacker can exploit this flaw by sending crafted messages to an application that is using libotr to perform denial of service attacks or potentially execute arbitrary code (CVE-2012-3461).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3461
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:131
https://bugs.mageia.org/show_bug.cgi?id=7043
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO => MGA2-32-OK MGA1-64-OK MGA1-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0223
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
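The advisory in this report describes heap buffers for base64 decoding whose size a crafted message can drive to zero. As an added example (not libotr's code and not the upstream patch), the decoder below sizes its buffer from the most bytes its own loop can store and refuses zero-length allocations; b64_max_decoded and b64_decode_alloc are hypothetical names, and the input in main is a constructed sample.

```c
#include <stdio.h>
#include <stdlib.h>

/* Upper bound on bytes the loop below can store for in_len input characters. */
size_t b64_max_decoded(size_t in_len)
{
    return in_len / 4 * 3 + (in_len % 4 ? 3 : 0);   /* cannot overflow size_t */
}

static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Hypothetical helper: returns a malloc'd buffer and sets *out_len,
 * or NULL when the input is empty, malformed, or decodes to nothing. */
unsigned char *b64_decode_alloc(const char *in, size_t in_len, size_t *out_len)
{
    size_t cap = b64_max_decoded(in_len), n = 0, i;
    unsigned int acc = 0, bits = 0;
    unsigned char *out;

    *out_len = 0;
    if (cap == 0 || (out = malloc(cap)) == NULL)     /* no zero-length buffers */
        return NULL;
    for (i = 0; i < in_len && in[i] != '='; i++) {
        int v = b64_val((unsigned char)in[i]);
        /* reject a non-alphabet character, or a store that would pass cap */
        if (v < 0 || (bits + 6 >= 8 && n >= cap)) { free(out); return NULL; }
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;                 /* keep only leftover bits */
        }
    }
    if (n == 0) { free(out); return NULL; }
    *out_len = n;
    return out;
}

int main(void)
{
    size_t n;
    unsigned char *p = b64_decode_alloc("aGVsbG8=", 8, &n);  /* constructed sample */
    if (p) { printf("%.*s (%zu bytes)\n", (int)n, (const char *)p, n); free(p); }
    return 0;
}
```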