On Thu, 10 Mar 2016 10:10:07 +0100, Stefan Sperling wrote:
> On Wed, Mar 09, 2016 at 05:32:47PM -0800, Michael McConville wrote:
> > Is anyone working on updates for security/libotr and
> > security/pidgin-otr? There were releases addressing a scary
> > vulnerability this morning:
> >
> > https://marc.info/?l=otr-announce&m=145754687614832&w=2
> >
> > If not, I probably have time to work on it tonight.
>
> These should be updated, but there's no reason to hurry up very very much.
>
> The libotr problem depends on malloc(0) returning a pointer that doesn't
> segfault when it is used. On OpenBSD the program will crash at the point
> where the attacker tries to overwrite the heap.
> Unless there's another avenue for this exploit which doesn't use malloc(0),
> but the advisory only mentions malloc(0).
> See http://seclists.org/oss-sec/2016/q1/568
>
> security/pidgin-otr has been already patched in our ports tree by me in
> 2015 (before 5.8). I reported this bug and they left it sit for 9 months
> until Hanno Boeck reported the same problem again:
> https://bugs.otr.im/issues/88
> pidgin-otr crashed on OpenBSD immediately, which is why I noticed.
>
Works for me with all OTR-capable messengers (Kopete untested). No API change apparently, so no bump. "make update-plist" re-added share/aclocal; is that due to some change in dependencies? Index: Makefile =================================================================== RCS file: /cvs/ports/security/libotr/Makefile,v retrieving revision 1.27 diff -u -p -r1.27 Makefile --- Makefile 19 Jul 2015 08:18:52 -0000 1.27 +++ Makefile 10 Mar 2016 10:08:27 -0000 @@ -2,7 +2,7 @@ COMMENT= portable OTR messaging library and toolkit -DISTNAME= libotr-4.1.0 +DISTNAME= libotr-4.1.1 CATEGORIES= security SHARED_LIBS += otr 4.1 # 6.0 Index: distinfo =================================================================== RCS file: /cvs/ports/security/libotr/distinfo,v retrieving revision 1.9 diff -u -p -r1.9 distinfo --- distinfo 3 Apr 2015 16:15:40 -0000 1.9 +++ distinfo 10 Mar 2016 10:08:27 -0000 @@ -1,2 +1,2 @@ -SHA256 (libotr-4.1.0.tar.gz) = T9uJGUDsidMAGQqY9pqROCSNy4yNM3Yz+5gbjQqc2TA= -SIZE (libotr-4.1.0.tar.gz) = 576771 +SHA256 (libotr-4.1.1.tar.gz) = izsYJCQlEGepUvtObHuVoh5kT7sn+9X4rysu2HykGfU= +SIZE (libotr-4.1.1.tar.gz) = 655791 Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/security/libotr/pkg/PLIST,v retrieving revision 1.7 diff -u -p -r1.7 PLIST --- pkg/PLIST 16 Mar 2015 18:07:54 -0000 1.7 +++ pkg/PLIST 10 Mar 2016 10:08:27 -0000 @@ -33,4 +33,5 @@ lib/pkgconfig/libotr.pc @man man/man1/otr_remac.1 @man man/man1/otr_sesskeys.1 @man man/man1/otr_toolkit.1 +share/aclocal/ share/aclocal/libotr.m4
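
Review bot: In the Makefile hunk, SHARED_LIBS stays at "otr 4.1" while DISTNAME moves to libotr-4.1.1, and the only justification given is "No API change apparently". Before commit, compare the exported symbols of the old and new library so the decision not to bump rests on a check rather than an impression, and confirm the trailing "# 6.0" comment still matches what 4.1.1 builds.

Review bot: In the distinfo hunk, SIZE goes from 576771 to 655791, roughly 79 KB more for a point release that is described as a security fix. The new SHA256 only records what was downloaded, so verify the libotr-4.1.1.tar.gz distfile against the signature or checksum upstream published with the release announcement before trusting this value.

Review bot: In the pkg/PLIST hunk, the added "share/aclocal/" directory line comes from "make update-plist", and the mail itself leaves open whether a dependency change caused it. Resolve that question before commit and state the reason in the commit message; if a dependency of this port still provides share/aclocal/, the line should not be added here.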