On Fri, Apr 03, 2015 at 11:56:52AM +0100, Stefan Sperling wrote:
> On Fri, Apr 03, 2015 at 11:30:26AM +0100, Stefan Sperling wrote:
> > Update pidgin-otr to 4.0.1.
> > 
> > ok?
> 
> Mikolaj Kucharski pointed out that I accidentally removed EPOCH.

And another fix.

The OTR->Authenticate buddy option does not open the socialist millionaires
dialog for me (this problem has existed for quite a while).
The code for this dialog relies on a use-after-free.
In create_smp_dialog(), we have:

    SMPData *smp_data = purple_conversation_get_data(conv, "otr-smpdata");

    [...]

    /* If you start SMP authentication on a different context, it
     * will kill any existing SMP */
    if (smp_data->their_instance != context->their_instance) {
        otrg_gtk_dialog_free_smp_data(conv);
        otrg_gtk_dialog_add_smp_data(conv);
    }

At this point, smp_data points to memory freed in otrg_gtk_dialog_free_smp_data().

(gdb) p *smp_data
$13 = {smp_secret_dialog = 0xdfdfdfdfdfdfdfdf, smp_secret_smppair = 0xdfdfdfdfdfdfdfdf,
  smp_progress_dialog = 0xdfdfdfdfdfdfdfdf, smp_progress_bar = 0xdfdfdfdfdfdfdfdf,
  smp_progress_label = 0xdfdfdfdfdfdfdfdf, their_instance = 3755991007}

But pidgin-otr just keeps using it:

    if (!(smp_data->smp_secret_dialog)) {
    [...]

I'll submit my patch upstream.

ok?

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/pidgin-otr/Makefile,v
retrieving revision 1.20
diff -u -p -r1.20 Makefile
--- Makefile    15 Aug 2013 16:33:31 -0000      1.20
+++ Makefile    3 Apr 2015 10:54:27 -0000
@@ -2,11 +2,11 @@
 
 COMMENT =      allows deniable private conversations using Pidgin
 
-DISTNAME =     pidgin-otr-4.0.0
+DISTNAME =     pidgin-otr-4.0.1
 CATEGORIES =   security net
 EPOCH =                0
 
-HOMEPAGE =     http://www.cypherpunks.ca/otr/
+HOMEPAGE =     http://otr.cypherpunks.ca/
 
 MASTER_SITES = ${HOMEPAGE}
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/pidgin-otr/distinfo,v
retrieving revision 1.5
diff -u -p -r1.5 distinfo
--- distinfo    15 Aug 2013 16:33:31 -0000      1.5
+++ distinfo    3 Apr 2015 09:47:57 -0000
@@ -1,2 +1,2 @@
-SHA256 (pidgin-otr-4.0.0.tar.gz) = 1Ws/CS2+nuZZdkHH0t0pSITcBLpHqvTsVxzVSXffRpE=
-SIZE (pidgin-otr-4.0.0.tar.gz) = 459591
+SHA256 (pidgin-otr-4.0.1.tar.gz) = G3gfSMJ7zJ3jE2wGdIEN8j99a0THJ9v037JAZ5Cb8wo=
+SIZE (pidgin-otr-4.0.1.tar.gz) = 496879
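Review bot: because the tarball is now fetched from a different host (see the HOMEPAGE/MASTER_SITES change in the Makefile hunk), the new SHA256 and SIZE lines should be cross-checked against upstream's published checksum or signature for 4.0.1 rather than only regenerated from a local download; a line in the commit message saying this was done would help the next updater.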
Index: patches/patch-gtk-dialog_c
===================================================================
RCS file: patches/patch-gtk-dialog_c
diff -N patches/patch-gtk-dialog_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-gtk-dialog_c  3 Apr 2015 11:29:37 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+Don't use smp_data after free.
+--- gtk-dialog.c.orig  Fri Apr  3 12:29:01 2015
++++ gtk-dialog.c       Fri Apr  3 12:28:13 2015
+@@ -778,6 +778,7 @@ static GtkWidget *create_smp_dialog(const char *title,
+     if (smp_data->their_instance != context->their_instance) {
+       otrg_gtk_dialog_free_smp_data(conv);
+       otrg_gtk_dialog_add_smp_data(conv);
++      smp_data = purple_conversation_get_data(conv, "otr-smpdata");
+     }
+ 
+     if (!(smp_data->smp_secret_dialog)) {
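Review bot: the added `smp_data = purple_conversation_get_data(conv, "otr-smpdata");` after otrg_gtk_dialog_add_smp_data() is the right fix for the stale pointer, but the header line `Don't use smp_data after free.` should say why (otrg_gtk_dialog_free_smp_data() releases the struct that smp_data points to and add_smp_data() installs a new one) and, per ports convention, reference the upstream submission once it exists so the patch can be dropped on the next update. If otrg_gtk_dialog_add_smp_data() can fail to install the entry, the re-fetched pointer should also be NULL-checked before the `if (!(smp_data->smp_secret_dialog))` test; the existing code does not check the first fetch either.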

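The stale-pointer sequence described above, as an added example that is not pidgin-otr or libpurple code. It mimics the get-data / free / add steps of create_smp_dialog() with a small static pool instead of malloc(3), so the "freed" block can be filled with 0xdf (the pattern visible in the gdb dump) and read back without undefined behaviour. Every name ending in `_stub`, the `Conversation` and `ConnContext` structs, the pool and the `run_selection` driver are hypothetical stand-ins. The buggy path reproduces the `their_instance = 3755991007` (0xdfdfdfdf) value from the dump and a junk non-NULL `smp_secret_dialog`, which is consistent with the symptom in the report if the `if (!(smp_data->smp_secret_dialog))` branch is the one that builds the dialog; the fixed path applies the re-fetch from the ports patch.

```c
/* Added example, not pidgin-otr or libpurple code. A pool replaces malloc()
 * so a "freed" block can be poisoned with 0xdf and inspected safely.
 * All *_stub names, Conversation, ConnContext and run_selection are
 * hypothetical stand-ins. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JUNK_BYTE 0xdf   /* fill pattern seen in the gdb dump of freed memory */
#define POOL_SIZE 4

typedef struct {
    void    *smp_secret_dialog;   /* NULL until the SMP dialog is built */
    uint32_t their_instance;
} SMPData;

/* Stand-in for a PurpleConversation and its "otr-smpdata" entry. */
typedef struct { SMPData *smpdata; } Conversation;
typedef struct { uint32_t their_instance; } ConnContext;

static SMPData pool[POOL_SIZE];
static int     next_slot;

/* purple_conversation_get_data(conv, "otr-smpdata") stand-in. */
static SMPData *get_data_stub(const Conversation *conv)
{
    return conv->smpdata;
}

/* otrg_gtk_dialog_free_smp_data() stand-in: poison instead of free(). */
static void free_smp_data_stub(Conversation *conv)
{
    if (conv->smpdata) {
        memset(conv->smpdata, JUNK_BYTE, sizeof *conv->smpdata);
        conv->smpdata = NULL;
    }
}

/* otrg_gtk_dialog_add_smp_data() stand-in: install a fresh block. */
static void add_smp_data_stub(Conversation *conv, uint32_t instance)
{
    SMPData *d = &pool[next_slot++ % POOL_SIZE];
    d->smp_secret_dialog = NULL;
    d->their_instance = instance;
    conv->smpdata = d;
}

/* Pattern from the report: the pointer read before free/add is kept. */
static SMPData *select_smp_buggy(Conversation *conv, const ConnContext *ctx)
{
    SMPData *smp_data = get_data_stub(conv);
    if (smp_data->their_instance != ctx->their_instance) {
        free_smp_data_stub(conv);
        add_smp_data_stub(conv, ctx->their_instance);
    }
    return smp_data;                      /* stale: the poisoned block */
}

/* The ports patch: re-fetch the entry after add_smp_data(). */
static SMPData *select_smp_fixed(Conversation *conv, const ConnContext *ctx)
{
    SMPData *smp_data = get_data_stub(conv);
    if (smp_data->their_instance != ctx->their_instance) {
        free_smp_data_stub(conv);
        add_smp_data_stub(conv, ctx->their_instance);
        smp_data = get_data_stub(conv);   /* now the live block */
    }
    return smp_data;
}

/* Drive one selection: existing SMP state for instance 1, context says 2.
 * Returns the instance tag seen through the selected pointer and reports
 * whether the following "if (!(smp_data->smp_secret_dialog))" test passes. */
static uint32_t run_selection(int use_fix, int *dialog_would_open)
{
    Conversation conv = { NULL };
    ConnContext  ctx  = { 2 };
    SMPData     *smp;

    next_slot = 0;
    add_smp_data_stub(&conv, 1);
    smp = use_fix ? select_smp_fixed(&conv, &ctx)
                  : select_smp_buggy(&conv, &ctx);
    if (dialog_would_open)
        *dialog_would_open = (smp->smp_secret_dialog == NULL);
    return smp->their_instance;
}

static uint32_t seen_instance(int use_fix) { return run_selection(use_fix, NULL); }
static int dialog_opens(int use_fix) { int o; run_selection(use_fix, &o); return o; }

int main(void)
{
    printf("buggy: their_instance=%" PRIu32 " dialog_opens=%d\n",
           seen_instance(0), dialog_opens(0));
    printf("fixed: their_instance=%" PRIu32 " dialog_opens=%d\n",
           seen_instance(1), dialog_opens(1));
    return 0;
}
```

The pool is only there to make the stale read observable; with a real allocator the same read is undefined behaviour and the junk fill is what the report's debugger happened to show. The check that matters in review is the one the patch adds: any pointer obtained from the conversation before free/add must be reloaded afterwards before it is used.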