The update is ready I'm about to upload it. Thx
Le 16 mai 2012 à 06:56, Jonathan Wiltshire <j...@debian.org> a écrit :
> Package: pidgin-otr
> Version: 3.2.0-5
> Severity: serious
> Tags: security upstream patch
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for pidgin-otr.
>
> CVE-2012-2369[0]:
> | Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
> | string security flaw. This flaw could potentially be exploited by
> | a remote attacker to cause arbitrary code to be executed on the user's
> | machine.
>
> Upstream's patch:
>
> --- a/otr-plugin.c
> +++ b/otr-plugin.c
> @@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext
> *conte
>
> static void log_message_cb(void *opdata, const char *message)
> {
> - purple_debug_info("otr", message);
> + purple_debug_info("otr", "%s", message);
> }
>
> static int max_message_size_cb(void *opdata, ConnContext *context)
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> I will shortly prepare an update for stable unless you wish to.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369
> http://security-tracker.debian.org/tracker/CVE-2012-2369
>
>
> -- System Information:
> Debian Release: wheezy/sid
> APT prefers unstable
> APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
> 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
>
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
