[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
** Changed in: pidgin-otr (Debian)
       Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1000363

Title:
  CVE-2012-2369: Format string security vulnerability

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pidgin-otr/+bug/1000363/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
** Branch linked: lp:ubuntu/oneiric-security/pidgin-otr

** Branch linked: lp:ubuntu/natty-security/pidgin-otr

** Branch linked: lp:ubuntu/lucid-security/pidgin-otr

** Branch linked: lp:ubuntu/precise-security/pidgin-otr
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
This bug was fixed in the package pidgin-otr - 3.2.0-5ubuntu0.10.04.1

---
pidgin-otr (3.2.0-5ubuntu0.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #1000363)
    - otr-plugin.c: patch from upstream
    - CVE-2012-2369
 -- Felix Geyer  Wed, 16 May 2012 20:59:11 +0200
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
This bug was fixed in the package pidgin-otr - 3.2.0-5ubuntu0.11.04.1

---
pidgin-otr (3.2.0-5ubuntu0.11.04.1) natty-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #1000363)
    - otr-plugin.c: patch from upstream
    - CVE-2012-2369
 -- Felix Geyer  Wed, 16 May 2012 20:59:11 +0200

** Changed in: pidgin-otr (Ubuntu Lucid)
       Status: Confirmed => Fix Released
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
This bug was fixed in the package pidgin-otr - 3.2.0-5ubuntu0.11.10.1

---
pidgin-otr (3.2.0-5ubuntu0.11.10.1) oneiric-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #1000363)
    - otr-plugin.c: patch from upstream
    - CVE-2012-2369
 -- Felix Geyer  Wed, 16 May 2012 21:16:05 -0700

** Changed in: pidgin-otr (Ubuntu Natty)
       Status: Confirmed => Fix Released
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
This bug was fixed in the package pidgin-otr - 3.2.0-5ubuntu0.12.04.1

---
pidgin-otr (3.2.0-5ubuntu0.12.04.1) precise-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #1000363)
    - otr-plugin.c: patch from upstream
    - CVE-2012-2369
 -- Felix Geyer  Wed, 16 May 2012 20:59:11 +0200

** Changed in: pidgin-otr (Ubuntu Precise)
       Status: Confirmed => Fix Released

** Changed in: pidgin-otr (Ubuntu Oneiric)
       Status: Confirmed => Fix Released
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
Felix, thanks for the debdiff, it looks good. I adjusted it to target precise-security and also applied it back through lucid, and will publish it shortly.

Also to clarify what Kees pointed out, because it was compiled with fortify source (see https://wiki.ubuntu.com/Security/Features#fortify-source), the issue is most likely limited to an information disclosure or denial of service attack.
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
-Werror=format-security is a default flag of dpkg-buildflags but unfortunately not all packages use that yet. I have filed Debian bug #673184 to fix that in pidgin-otr.
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
This bug was fixed in the package pidgin-otr - 3.2.1-1

---
pidgin-otr (3.2.1-1) unstable; urgency=critical

  * New upstream release
  * Fix for CVE-2012-2369
  * Clean lintian warnings
 -- Thibaut VARENE  Mon, 14 May 2012 21:31:23 +0200

** Changed in: pidgin-otr (Ubuntu)
       Status: Confirmed => Fix Released
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
Having -Werror=format-security would have caught this early but I assume it's not part of the default build options for good reasons (too many packages would break?).

Thanks for the clarifications Kees, that indeed reduces the benefit of using hardening-wrapper.
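Added example (not code from pidgin-otr or from any message in this thread) of the bug class discussed here: text from a peer passed as the format argument of a printf-style logger, next to the constant-format fix. The names debug_log, log_unsafe and log_safe and the sample string are constructed for illustration; the pragmas exist only so the flawed call compiles, and without them -Werror=format-security fails the build at that call.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_line[128];   /* stands in for a debug log sink */

/* printf-style wrapper. The format attribute makes GCC/Clang apply
 * -Wformat and -Wformat-security checks to every call site; without it
 * the compiler cannot see that the first argument is a format. */
__attribute__((format(printf, 1, 2)))
static int debug_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
    return n;
}

/* Flawed pattern: peer-supplied text is used as the format string. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static const char *log_unsafe(const char *peer_text)
{
    debug_log(peer_text);         /* rejected by -Werror=format-security */
    return last_line;
}
#pragma GCC diagnostic pop

/* Fixed pattern: constant format, peer text passed as data. */
static const char *log_safe(const char *peer_text)
{
    debug_log("%s", peer_text);
    return last_line;
}

int main(void)
{
    /* Constructed input. "%%" consumes no argument, so even the flawed
     * call is well defined, yet it shows the text being interpreted. */
    const char *msg = "progress 100%% (constructed sample)";
    printf("unsafe: %s\n", log_unsafe(msg));
    printf("safe:   %s\n", log_safe(msg));
    printf("safe output is verbatim: %s\n",
           strcmp(log_safe(msg), msg) == 0 ? "yes" : "no");
    return 0;
}
```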
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
Ubuntu already builds by default with everything except PIE (and bindnow) from hardening-wrapper. Since it's a shared library (plugin), adding PIE wouldn't change anything.

https://wiki.ubuntu.com/Security/Features#fortify-source
https://wiki.ubuntu.com/ToolChain/CompilerFlags

$ hardening-check /usr/lib/pidgin/pidgin-otr.so
/usr/lib/pidgin/pidgin-otr.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
Maybe it would be worth enabling the hardening-wrapper too? I did a test build and the hardened package works well.

Is this something that is worth sending to Ubuntu/Debian?
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
I'm attaching a debdiff for precise but lucid - oneiric have the exact same package version.
I have checked (with -Werror=format-security) that there are no other format string issues.

pidgin-otr (3.2.0-5ubuntu0.12.04.1) precise; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #1000363)
    - otr-plugin.c: patch from upstream
    - CVE-2012-2369
 -- Felix Geyer  Wed, 16 May 2012 20:59:11 +0200

** Patch added: "pidgin-otr_3.2.0-5ubuntu0.12.04.1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/pidgin-otr/+bug/1000363/+attachment/3149540/+files/pidgin-otr_3.2.0-5ubuntu0.12.04.1.debdiff
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: pidgin-otr (Ubuntu Precise)
       Status: New => Confirmed
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: pidgin-otr (Ubuntu Oneiric)
       Status: New => Confirmed
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: pidgin-otr (Ubuntu Natty)
       Status: New => Confirmed
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: pidgin-otr (Ubuntu Lucid)
       Status: New => Confirmed
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: pidgin-otr (Ubuntu)
       Status: New => Confirmed
[Bug 1000363] Re: CVE-2012-2369: Format string security vulnerability
** Changed in: pidgin-otr (Debian)
       Status: Unknown => Confirmed