On Wed, Mar 09, 2016 at 05:32:47PM -0800, Michael McConville wrote:
> Is anyone working on updates for security/libotr and
> security/pidgin-otr? There were releases addressing a scary
> vulnerability this morning:
> 
> https://marc.info/?l=otr-announce&m=145754687614832&w=2
> 
> If not, I probably have time to work on it tonight.

These should be updated, but there's no reason to hurry up very very much.

The libotr problem depends on malloc(0) returning a pointer that doesn't
segfault when it is used. On OpenBSD the program will crash at the point
where the attacker tries to overwrite the heap.
Unless there's another avenue for this exploit which doesn't use malloc(0),
but the advisory only mentions malloc(0).
See http://seclists.org/oss-sec/2016/q1/568

security/pidgin-otr has already been patched in our ports tree by me in
2015 (before 5.8). I reported this bug and they let it sit for 9 months
until Hanno Boeck reported the same problem again:
https://bugs.otr.im/issues/88
pidgin-otr crashed on OpenBSD immediately, which is why I noticed.
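
The malloc(0) point above, as an added defensive example (not part of the original message, and not code from libotr or pidgin-otr). It assumes one common way a zero-size request arises, a length taken from untrusted input wrapping to zero during size arithmetic; `checked_alloc` and `copy_message` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libotr code. Some allocators return a usable
 * pointer for malloc(0); writing through it corrupts the heap silently.
 * Refuse zero-size and wrapped sizes before malloc() is ever called. */
enum alloc_status { ALLOC_OK = 0, ALLOC_ZERO = -1, ALLOC_WRAP = -2, ALLOC_NOMEM = -3 };

static enum alloc_status checked_alloc(size_t len, size_t extra, unsigned char **out)
{
    *out = NULL;
    if (len > SIZE_MAX - extra)   /* len + extra would wrap around */
        return ALLOC_WRAP;
    size_t total = len + extra;
    if (total == 0)               /* never hand a zero size to malloc() */
        return ALLOC_ZERO;
    *out = malloc(total);
    return *out ? ALLOC_OK : ALLOC_NOMEM;
}

/* Copy a message whose length field is untrusted, adding a NUL terminator.
 * With msg_len == SIZE_MAX an unchecked "msg_len + 1" would be 0. */
static enum alloc_status copy_message(const unsigned char *msg, size_t msg_len,
                                      unsigned char **out)
{
    enum alloc_status st = checked_alloc(msg_len, 1, out);
    if (st != ALLOC_OK)
        return st;                /* no copy happens on a rejected size */
    memcpy(*out, msg, msg_len);
    (*out)[msg_len] = '\0';
    return ALLOC_OK;
}

int main(void)
{
    unsigned char *buf;
    /* Constructed inputs: one normal message, one with a wrapping length. */
    printf("normal: %d\n", copy_message((const unsigned char *)"hi", 2, &buf));
    free(buf);
    printf("wrapped: %d\n", copy_message((const unsigned char *)"", SIZE_MAX, &buf));
    printf("zero: %d\n", checked_alloc(0, 0, &buf));
    return 0;
}
```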
