Libtech, Please be aware of the announcement of a remotely exploitable vulnerability for the package 'pidgin-otr' -- the popular plugin that allows users of the Pidgin instant messaging client to conduct conversations off-the-record. This is pretty important as the software has been recommended by many of the organizations doing security trainings. Anyone using this software should upgrade immediately, and pass this information to colleagues.
Cordially, Collin Source: http://lists.cypherpunks.ca/pipermail/otr-announce/2012-May/000026.html ------- [OTR-announce] Format string security flaw in pidgin-otr: UPGRADE TO 3.2.1! Ian Goldberg ian at cypherpunks.ca Wed May 16 08:09:10 EDT 2012 Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] Off-the-Record Messaging (OTR) Security Advisory 2012-01 Format string security flaw in pidgin-otr Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format string security flaw. This flaw could potentially be exploited by a remote attacker to cause arbitrary code to be executed on the user's machine. The flaw is in pidgin-otr, not in libotr. Other applications which use libotr are not affected. CVE-2012-2369 has been assigned to this issue. The recommended course of action is to upgrade pidgin-otr to version 3.2.1 immediately. The new version can be obtained here: Windows installer: http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1-1.exe gpg signature: http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1-1.exe.asc Windows zip file: http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1.zip gpg signature: http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.1.zip.asc Source code: http://otr.cypherpunks.ca/pidgin-otr-3.2.1.tar.gz gpg signature: http://otr.cypherpunks.ca/pidgin-otr-3.2.1.tar.gz.asc git repository: git://otr.git.sourceforge.net/gitroot/otr/pidgin-otr (branch 3.2_dev) Version 4.0.0 (soon to be released) does not suffer from this flaw. Linux and *BSD vendors and package maintainers have been notified, and updated packages should be available from them. If upgrading to version 3.2.1 is not possible, please apply the following patch to 3.2.0: --- a/otr-plugin.c +++ b/otr-plugin.c @@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext *conte static void log_message_cb(void *opdata, const char *message) { - purple_debug_info("otr", message); + purple_debug_info("otr", "%s", message); } static int max_message_size_cb(void *opdata, ConnContext *context) Our heartfelt thanks to intrigeri <intrigeri at boum.org> for finding and alerting us to this flaw. Followups to the otr-users mailing list <otr-users at lists.cypherpunks.ca>, please. Your OTR development team, Ian Goldberg <iang at cs.uwaterloo.ca> Rob Smits <rdfsmits at cs.uwaterloo.ca> -- *Collin David Anderson* averysmallbird.com | @cda | Washington, D.C.
_______________________________________________ liberationtech mailing list liberationtech@lists.stanford.edu Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech