Processed: Re: Bug#732842: pu: package libotr/3.2.1-1

2014-01-01 Thread Debian Bug Tracking System
Processing control commands:

 tag -1 pending
Bug #732842 [release.debian.org] pu: package libotr/3.2.1-1
Added tag(s) pending.

-- 
732842: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732842
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/handler.s.b732842.138861476821308.transcr...@bugs.debian.org



Bug#732842: pu: package libotr/3.2.1-1

2014-01-01 Thread Jonathan Wiltshire

Control: tag -1 pending

On 2013-12-22 17:16, intrigeri wrote:

> Hi,
>
> Cyril Brulebois wrote (22 Dec 2013 16:51:49 GMT) :
>
>> intrigeri intrig...@debian.org (2013-12-22):
>>
>>> May I upload libotr 3.2.1-1+deb7u1 to stable?
>>
>> Looks fine to me.
>
> Thanks, uploaded.

Flagged for acceptance.

Thanks,

--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

directhex i have six years of solaris sysadmin experience, from
8-10. i am well qualified to say it is made from bonghits
layered on top of bonghits


Archive: 
http://lists.debian.org/73ae9e810e63f7ef6b0e9e296bd96...@hogwarts.powdarrmonkey.net



Bug#732842: pu: package libotr/3.2.1-1

2013-12-22 Thread intrigeri
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

As discussed on #725779 in more detail, the OTRv1 protocol has serious security
issues. Clients supporting it (in addition to more recent, safer versions of the
protocol) are subject to protocol downgrade attacks.

This is why I have proposed to drop support for OTRv1 in libotr in Wheezy.
As the discussion on the aforementioned bug indicates, the maintainer agrees and
the lead upstream developer confirms it is totally fine.

I have therefore backported the relevant bits of the upstream commit that does
just the same in libotr 4.x (currently in testing/sid). The resulting package
was successfully tested with pidgin-otr on Wheezy, and inter-operates correctly
with sid's pidgin-otr and irssi-otr 1.0.0~alpha2-1~bpo70+1.

FTR, testing/sid has libotr 4.x that is not affected by these issues.

May I upload libotr 3.2.1-1+deb7u1 to stable?
diff -Nru libotr-3.2.1/debian/changelog libotr-3.2.1/debian/changelog
--- libotr-3.2.1/debian/changelog	2012-08-07 12:25:12.0 +0200
+++ libotr-3.2.1/debian/changelog	2013-12-22 12:06:00.0 +0100
@@ -1,3 +1,10 @@
+libotr (3.2.1-1+deb7u1) stable; urgency=medium
+
+  * Non-maintainer upload with maintainer's agreement.
+  * Disable insecure OTRv1 protocol (Closes: #725779)
+
+ -- intrigeri intrig...@debian.org  Sun, 22 Dec 2013 11:35:06 +0100
+
 libotr (3.2.1-1) unstable; urgency=high
 
   * Fix potential buffer overflow in base64 routines (Closes: #684121)
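
Review bot: the changelog line "Disable insecure OTRv1 protocol (Closes: #725779)" records the fix but not its user-visible consequence: after this upload a client built on the composite policies will no longer offer or accept v1, so a conversation with a peer that only speaks OTRv1 stops negotiating an encrypted session instead of degrading. A stable update that changes what interoperates deserves a NEWS.Debian entry or one more changelog line saying that OTRv1-only peers are now refused, so Wheezy users know why a previously working OTR conversation fails to start.
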
diff -Nru libotr-3.2.1/debian/patches/disable_otr_v1.patch libotr-3.2.1/debian/patches/disable_otr_v1.patch
--- libotr-3.2.1/debian/patches/disable_otr_v1.patch	1970-01-01 01:00:00.0 +0100
+++ libotr-3.2.1/debian/patches/disable_otr_v1.patch	2013-12-22 11:34:40.0 +0100
@@ -0,0 +1,39 @@
+Author: Rob Smits rdfsm...@cs.uwaterloo.ca
+Date: Sun Jun 3 22:38:05 2012 -0400
+Subject: Disable OTRv1 protocol.
+Origin: http://sourceforge.net/p/otr/libotr/ci/7ffba65fa42052795523924279bc94e7c80fb0f7/
+Bug: http://bugs.debian.org/725779
+Forwarded: not-needed
+Reviewed-by: intrigeri intrig...@debian.org
+Last-Update: Sun Dec 22 11:30:00 2013 +0100
+Applied-Upstream: 4.0.0
+
+diff --git a/src/proto.h b/src/proto.h
+index d7b0ae6..e96e2f2 100644
+--- a/src/proto.h
 b/src/proto.h
+@@ -45,20 +45,17 @@ typedef unsigned int OtrlPolicy;
+ 
+ #define OTRL_POLICY_VERSION_MASK (OTRL_POLICY_ALLOW_V1 | OTRL_POLICY_ALLOW_V2)
+ 
+-/* For v1 compatibility */
++/* Analogous to v1 policies */
+ #define OTRL_POLICY_NEVER			0x00
+ #define OTRL_POLICY_OPPORTUNISTIC \
+-	( OTRL_POLICY_ALLOW_V1 | \
+-	OTRL_POLICY_ALLOW_V2 | \
++	( OTRL_POLICY_ALLOW_V2 | \
+ 	OTRL_POLICY_SEND_WHITESPACE_TAG | \
+ 	OTRL_POLICY_WHITESPACE_START_AKE | \
+ 	OTRL_POLICY_ERROR_START_AKE )
+ #define OTRL_POLICY_MANUAL \
+-	( OTRL_POLICY_ALLOW_V1 | \
+-	OTRL_POLICY_ALLOW_V2 )
++	( OTRL_POLICY_ALLOW_V2 )
+ #define OTRL_POLICY_ALWAYS \
+-	( OTRL_POLICY_ALLOW_V1 | \
+-	OTRL_POLICY_ALLOW_V2 | \
++	( OTRL_POLICY_ALLOW_V2 | \
+ 	OTRL_POLICY_REQUIRE_ENCRYPTION | \
+ 	OTRL_POLICY_WHITESPACE_START_AKE | \
+ 	OTRL_POLICY_ERROR_START_AKE )
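
Review bot: this hunk only removes OTRL_POLICY_ALLOW_V1 from the composite OPPORTUNISTIC, MANUAL and ALWAYS macros; OTRL_POLICY_ALLOW_V1 itself stays defined and remains part of OTRL_POLICY_VERSION_MASK in the unchanged context line above, so a client that assembles its policy from OTRL_POLICY_ALLOW_V1 directly rather than through the composites will still negotiate v1 after this change. The cover mail says only "the relevant bits" of the upstream commit were backported; the DEP-3 header should state whether upstream commit 7ffba65 also touches the v1 code paths in the library and, if so, why leaving them out is acceptable for Wheezy. Minor: the new comment "/* Analogous to v1 policies */" no longer describes a compatibility shim; either say which v1-era policy each composite mirrors or drop the comment, since the macros are self-explanatory without it.
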
diff -Nru libotr-3.2.1/debian/patches/series libotr-3.2.1/debian/patches/series
--- libotr-3.2.1/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ libotr-3.2.1/debian/patches/series	2013-12-22 11:34:40.0 +0100
@@ -0,0 +1 @@
+disable_otr_v1.patch
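
The downgrade the report describes, as an added example that is not libotr code and not part of this upload: a small C model of how the composite policies in the patch above decide which protocol version a client negotiates, before and after OTRL_POLICY_ALLOW_V1 is dropped from them. The bit values are assumed (the page shows only the macro names), the query-message parser is a simplification of the OTR query format, and the attacker step and the sample query are constructed for the example. The last scenario models a client that hardcodes OTRL_POLICY_ALLOW_V1 instead of using the composites, the case raised elsewhere in this thread.

```c
/* Added example, not libotr code: a model of OTR version negotiation
 * under the composite policies changed by the patch above. The bit values
 * below are assumed (the page shows only the macro names); the query
 * parser and the attacker step are simplifications for illustration. */
#include <stdio.h>
#include <string.h>

typedef unsigned int OtrlPolicy;

/* Assumed bit layout for libotr 3.2.x src/proto.h. */
#define OTRL_POLICY_ALLOW_V1             0x01
#define OTRL_POLICY_ALLOW_V2             0x02
#define OTRL_POLICY_REQUIRE_ENCRYPTION   0x04
#define OTRL_POLICY_SEND_WHITESPACE_TAG  0x08
#define OTRL_POLICY_WHITESPACE_START_AKE 0x10
#define OTRL_POLICY_ERROR_START_AKE      0x20

#define OTRL_POLICY_VERSION_MASK (OTRL_POLICY_ALLOW_V1 | OTRL_POLICY_ALLOW_V2)

/* OTRL_POLICY_OPPORTUNISTIC as it was in 3.2.1 (the '-' lines of the hunk). */
#define OLD_POLICY_OPPORTUNISTIC \
    (OTRL_POLICY_ALLOW_V1 | OTRL_POLICY_ALLOW_V2 | \
     OTRL_POLICY_SEND_WHITESPACE_TAG | OTRL_POLICY_WHITESPACE_START_AKE | \
     OTRL_POLICY_ERROR_START_AKE)

/* OTRL_POLICY_OPPORTUNISTIC after the patch (the '+' lines): v1 dropped. */
#define NEW_POLICY_OPPORTUNISTIC \
    (OTRL_POLICY_ALLOW_V2 | \
     OTRL_POLICY_SEND_WHITESPACE_TAG | OTRL_POLICY_WHITESPACE_START_AKE | \
     OTRL_POLICY_ERROR_START_AKE)

/* Parse an OTR query message into the set of versions the peer offers,
 * expressed with the same ALLOW_V* bits. Per the OTR query format,
 * "?OTR?" offers v1, "?OTRv2?" offers v2 and "?OTR?v2?" offers both.
 * Returns 0 when the text is not a query. Simplified: a real parser
 * must also cope with unknown version digits and trailing text. */
static unsigned int parse_query(const char *msg)
{
    const char *p = strstr(msg, "?OTR");
    unsigned int offered = 0;

    if (p == NULL)
        return 0;
    p += strlen("?OTR");
    if (*p == '?') {              /* "?OTR?" prefix: v1 is on offer */
        offered |= OTRL_POLICY_ALLOW_V1;
        p++;
    }
    if (*p == 'v') {              /* "v<digits>?": list of newer versions */
        for (p++; *p != '\0' && *p != '?'; p++) {
            if (*p == '2')
                offered |= OTRL_POLICY_ALLOW_V2;
            /* other digits name versions this library does not speak */
        }
    }
    return offered;
}

/* Choose the highest version allowed by both the local policy and the
 * peer's offer. 0 means no common version, so no AKE is started. */
static int negotiate_version(OtrlPolicy local, unsigned int offered)
{
    unsigned int common = local & offered & OTRL_POLICY_VERSION_MASK;

    if (common & OTRL_POLICY_ALLOW_V2)
        return 2;
    if (common & OTRL_POLICY_ALLOW_V1)
        return 1;
    return 0;
}

/* The downgrade step: an active attacker on the path rewrites the peer's
 * offer so that only v1 remains, hoping the victim completes a v1 AKE. */
static unsigned int attacker_strip_v2(unsigned int offered)
{
    return offered & ~OTRL_POLICY_ALLOW_V2;
}

int main(void)
{
    /* Constructed input: the peer offers both v1 and v2. */
    unsigned int honest = parse_query("?OTR?v2?");
    unsigned int tampered = attacker_strip_v2(honest);
    /* A client that hardcodes ALLOW_V1 instead of using the composites. */
    OtrlPolicy hardcoded = OTRL_POLICY_ALLOW_V1 | OTRL_POLICY_ALLOW_V2;

    printf("old OPPORTUNISTIC, honest offer:    v%d\n",
           negotiate_version(OLD_POLICY_OPPORTUNISTIC, honest));
    printf("old OPPORTUNISTIC, tampered offer:  v%d  (downgraded)\n",
           negotiate_version(OLD_POLICY_OPPORTUNISTIC, tampered));
    printf("new OPPORTUNISTIC, tampered offer:  v%d  (refused)\n",
           negotiate_version(NEW_POLICY_OPPORTUNISTIC, tampered));
    printf("hardcoded ALLOW_V1, tampered offer: v%d  (still downgradable)\n",
           negotiate_version(hardcoded, tampered));
    return 0;
}
```

The fix works by subtraction: once v1 is not in the local policy there is nothing for a stripped offer to fall back to, so the tampered query yields no session rather than a weaker one. The model also shows the limit of the patch as posted: a client that ORs OTRL_POLICY_ALLOW_V1 into its own policy bypasses the composites and still accepts the downgrade.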


Bug#732842: pu: package libotr/3.2.1-1

2013-12-22 Thread Cyril Brulebois
intrigeri intrig...@debian.org (2013-12-22):
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: pu
>
> As discussed on #725779 in more detail, the OTRv1 protocol has
> serious security issues. Clients supporting it (in addition to more
> recent, safer versions of the protocol) are subject to protocol
> downgrade attacks.
>
> This is why I have proposed to drop support for OTRv1 in libotr in
> Wheezy.

This makes me wonder whether there are some packages only supporting
OTRv1 in wheezy. If there are, I suspect they want to get a serious bug
since they won't work at all anymore. Could then be fixed by trying to
make them support something less broken than OTRv1.

(AFAICT, clients might be hardcoding OTRL_POLICY_ALLOW_V1 instead of
using the OTRL_POLICY_{OPPORTUNISTIC,MANUAL,ALWAYS}?)

> As the discussion on the aforementioned bug indicates, the maintainer
> agrees and the lead upstream developer confirms it is totally fine.
>
> I have therefore backported the relevant bits of the upstream commit
> that does just the same in libotr 4.x (currently in testing/sid). The
> resulting package was successfully tested with pidgin-otr on Wheezy,
> and inter-operates correctly with sid's pidgin-otr and irssi-otr
> 1.0.0~alpha2-1~bpo70+1.

I think I like the reasoning and the tests very much.

> FTR, testing/sid has libotr 4.x that is not affected by these issues.

The BTS wants to be taught that.

> May I upload libotr 3.2.1-1+deb7u1 to stable?

Looks fine to me.

Mraw,
KiBi.




Bug#732842: pu: package libotr/3.2.1-1

2013-12-22 Thread intrigeri
Hi,

Cyril Brulebois wrote (22 Dec 2013 16:51:49 GMT) :
> intrigeri intrig...@debian.org (2013-12-22):
>> This is why I have proposed to drop support for OTRv1 in libotr in
>> Wheezy.
>
> This makes me wonder whether there are some packages only supporting
> OTRv1 in wheezy. If there are, I suspect they want to get a serious
> bug since they won't work at all anymore.

I kinda doubt there's any such thing in the archive, as libotr 4.x
clients (that only support OTRv2 and later) have been around for
a while already, so users of clients that only support OTRv1 would
have noticed the breakage already. Maybe even maintainers would have
noticed :)

>> FTR, testing/sid has libotr 4.x that is not affected by these issues.
>
> The BTS wants to be taught that.

Done.

>> May I upload libotr 3.2.1-1+deb7u1 to stable?
>
> Looks fine to me.

Thanks, uploaded.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc


Archive: http://lists.debian.org/8561qgq00a@boum.org