Hi everyone,

Ubuntu apt-get update/upgrade showed me a new package for pidgin-otr, but not the vulnerability bugfix 3.2.1 (from terminal: "Preparing to replace pidgin-otr 3.2.0-5 (using .../pidgin-otr_3.2.0-5ubuntu0.11.10.1_amd64.deb) ...").

https://launchpad.net/ubuntu/+source/pidgin-otr/ now shows a pidgin-otr 3.2.1 upgrade for Quantal, but only 3.2.0-5 for Oneiric (uploaded 9 hours ago). The newest version should be 3.2.1, right?

I tried to route around the PPAs by building from source using the info from the link in Collin's email (below), but "gpg --verify pidgin-otr-3.2.1.tar.gz.asc pidgin-otr-3.2.1.tar.gz" oddly gave me (and someone else) "Can't check signature: public key not found".

Looks like there are problems here that aren't due to me, but I don't exactly know what I'm doing, either. Sorry! Halp?

:-Douglas

On Wed, May 16, 2012 at 6:06 PM, Collin Anderson <col...@averysmallbird.com> wrote:
> Libtech,
>
> Please be aware of the announcement of a remotely exploitable
> vulnerability for the package 'pidgin-otr' -- the popular plugin that
> allows users of the Pidgin instant messaging client to conduct
> conversations off-the-record. This is pretty important as the software has
> been recommended by many of the organizations doing security trainings.
> Anyone using this software should upgrade immediately, and pass this
> information to colleagues.
>
> Cordially,
> Collin
>
> Source:
> http://lists.cypherpunks.ca/pipermail/otr-announce/2012-May/000026.html
>
> -------
>
> [OTR-announce] Format string security flaw in pidgin-otr: UPGRADE TO 3.2.1!
>
> Ian Goldberg ian at cypherpunks.ca
> Wed May 16 08:09:10 EDT 2012
>
> Off-the-Record Messaging (OTR) Security Advisory 2012-01
>
> Format string security flaw in pidgin-otr
>
> Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
> string security flaw. This flaw could potentially be exploited by
> a remote attacker to cause arbitrary code to be executed on the user's
> machine.
>
> The flaw is in pidgin-otr, not in libotr. Other applications which use
> libotr are not affected.
>
> CVE-2012-2369 has been assigned to this issue.
>
> The recommended course of action is to upgrade pidgin-otr to version
> 3.2.1 immediately. The new version can be obtained here:
>
> Windows installer:
> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1-1.exe
> gpg signature:
> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1-1.exe.asc
>
> Windows zip file:
> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1.zip
> gpg signature:
> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1.zip.asc
>
> Source code:
> http://otr.cypherpunks.ca/pidgin-otr-3.2.1.tar.gz
> gpg signature:
> http://otr.cypherpunks.ca/pidgin-otr-3.2.1.tar.gz.asc
>
> git repository:
> git://otr.git.sourceforge.net/gitroot/otr/pidgin-otr (branch 3.2_dev)
>
> Version 4.0.0 (soon to be released) does not suffer from this flaw.
>
> Linux and *BSD vendors and package maintainers have been notified, and
> updated packages should be available from them.
>
> If upgrading to version 3.2.1 is not possible, please apply the
> following patch to 3.2.0:
>
> --- a/otr-plugin.c
> +++ b/otr-plugin.c
> @@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext
> *conte
>
> static void log_message_cb(void *opdata, const char *message)
> {
> - purple_debug_info("otr", message);
> + purple_debug_info("otr", "%s", message);
> }
>
> static int max_message_size_cb(void *opdata, ConnContext *context)
>
> Our heartfelt thanks to intrigeri <intrigeri at boum.org> for finding and
> alerting us to this flaw.
>
> Followups to the otr-users mailing list <otr-users at lists.cypherpunks.ca>,
> please.
>
> Your OTR development team,
> Ian Goldberg <iang at cs.uwaterloo.ca>
> Rob Smits <rdfsmits at cs.uwaterloo.ca>
>
> --
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.
>
> _______________________________________________
> liberationtech mailing list
> liberationtech@lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
>
> You will need the user name and password you receive from the list
> moderator in monthly reminders. You may ask for a reminder here:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
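Review bot: the one-line change in the log_message_cb hunk is the right fix, since `purple_debug_info("otr", message)` passes the callback's `message` parameter as the format argument of a printf-style function, so any `%` conversion inside it is interpreted, whereas `purple_debug_info("otr", "%s", message)` makes the message plain data. Because this is the only call site the patch touches, it would be worth a follow-up pass over the plugin for other calls that pass a variable as the format argument, and building with `-Wformat-security` (with `__attribute__((format(printf, ...)))` on any internal printf-style wrappers) so the compiler flags the pattern instead of relying on review to catch it.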
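As an added example, not code from the advisory or from pidgin-otr, the following C program contrasts the two call shapes from the patch. `debug_info` is a hypothetical stand-in for libpurple's `purple_debug_info` (a printf-style logger that renders into a buffer so the result can be inspected; it is not the libpurple function), `log_message_vulnerable` and `log_message_fixed` mirror the 3.2.0 and 3.2.1 callback bodies, and `has_format_directive` is an added check that a unit test or pre-commit hook can use to refuse strings that carry `%` directives before they reach a format parameter. The sample messages are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for libpurple's purple_debug_info(): a printf-style
 * logger that renders into a buffer so the output can be inspected. Not the
 * real libpurple function. */
static char last_log[512];

void debug_info(const char *category, const char *fmt, ...)
{
    char body[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(body, sizeof body, fmt, ap);
    va_end(ap);
    snprintf(last_log, sizeof last_log, "[%s] %s", category, body);
}

/* Returns 1 if s contains a conversion directive: a '%' that is not part of
 * a literal "%%" pair (a lone trailing '%' counts too). Such a string must
 * never be passed where a format string is expected. */
int has_format_directive(const char *s)
{
    const char *p;
    for (p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is the escaped literal percent sign */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* The 3.2.0 shape: the message itself is the format argument, so any '%'
 * directive inside it is interpreted by vsnprintf. Kept as the 'before' of
 * the fix; here it is only ever called with a directive-free string. */
const char *log_message_vulnerable(const char *message)
{
    debug_info("otr", message);
    return last_log;
}

/* The 3.2.1 shape: a fixed "%s" format with the message as data, so the
 * message is copied verbatim whatever characters it contains. */
const char *log_message_fixed(const char *message)
{
    debug_info("otr", "%s", message);
    return last_log;
}

int main(void)
{
    /* Constructed sample messages for the demonstration. */
    const char *plain = "OTR session established";
    const char *hostile = "rate 100%% and %s %n";   /* carries directives */

    printf("fixed, plain   : %s\n", log_message_fixed(plain));
    printf("fixed, hostile : %s\n", log_message_fixed(hostile));
    printf("directive check: plain=%d hostile=%d\n",
           has_format_directive(plain), has_format_directive(hostile));

    /* The vulnerable shape only behaves the same while the message has no
     * directives; the check above is what keeps `hostile` away from it. */
    printf("vulnerable, plain: %s\n", log_message_vulnerable(plain));
    return 0;
}
```

The fixed callback logs the hostile message byte for byte, including its `%s` and `%n`, because they are never parsed as a format; `has_format_directive` returns 1 for that message and 0 for a string whose only percent signs are escaped `%%`, which is the property a logging wrapper's tests should pin down.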