Debian Bug report logs - #673154
CVE-2012-2369: Format string security vulnerability


Package: pidgin-otr; Maintainer for pidgin-otr is Debian OTR Team <pkg-otr-team@lists.alioth.debian.org>; Source for pidgin-otr is src:pidgin-otr.

Reported by: Jonathan Wiltshire <jmw@debian.org>

Date: Wed, 16 May 2012 14:00:02 UTC

Severity: serious

Tags: patch, security, upstream

Found in version pidgin-otr/3.2.0-5

Fixed in versions 3.2.1-1, pidgin-otr/3.2.0-5+squeeze1

Done: Jonathan Wiltshire <jmw@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thibaut VARENE <varenet@debian.org>:
Bug#673154; Package pidgin-otr. (Wed, 16 May 2012 14:00:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thibaut VARENE <varenet@debian.org>. (Wed, 16 May 2012 14:00:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-2369: Format string security vulnerability
Date: Wed, 16 May 2012 14:56:45 +0100
Package: pidgin-otr
Version: 3.2.0-5
Severity: serious
Tags: security upstream patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pidgin-otr.

CVE-2012-2369[0]:
| Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
| string security flaw.  This flaw could potentially be exploited by
| a remote attacker to cause arbitrary code to be executed on the user's
| machine.

Upstream's patch:

--- a/otr-plugin.c
+++ b/otr-plugin.c
@@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext *conte
 
 static void log_message_cb(void *opdata, const char *message)
 {
-    purple_debug_info("otr", message);
+    purple_debug_info("otr", "%s", message);
 }
 
 static int max_message_size_cb(void *opdata, ConnContext *context)
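
Review bot: The change in log_message_cb covers only this one call, so any other place in otr-plugin.c that passes a non-literal string in the format position of purple_debug_info or another printf-style function stays exposed. Suggest auditing the remaining call sites in the same upload and building with -Wformat -Wformat-security (or -Werror=format-security) so a recurrence fails the build. The "%s" form itself is the right fix, since message arrives through the callback and has to be treated as data rather than as a format.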

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

I will shortly prepare an update for stable unless you wish to.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369
    http://security-tracker.debian.org/tracker/CVE-2012-2369


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
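
The pattern behind the patch quoted in the report above, as an added example that is not part of the original report or of pidgin-otr's code: a printf-style logger annotated so the compiler can check call sites, the patched callback shape, and a rough count of what a string would have triggered had it been used as the format. `debug_info`, `log_message_fixed` and `count_conversions` are hypothetical names, and the sample string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_line[256];   /* captures the most recent log line */

/* Hypothetical stand-in for a printf-style debug logger. The format
 * attribute lets GCC/Clang check call sites; with -Wformat-security a
 * call such as debug_info("otr", message) is reported at build time. */
__attribute__((format(printf, 2, 3)))
static void debug_info(const char *category, const char *format, ...)
{
    char body[200];
    va_list ap;
    va_start(ap, format);
    vsnprintf(body, sizeof body, format, ap);
    va_end(ap);
    snprintf(last_line, sizeof last_line, "%s: %s", category, body);
}

/* Patched callback shape: the message is data, never the format. */
static const char *log_message_fixed(const char *message)
{
    debug_info("otr", "%s", message ? message : "(null)");
    return last_line;
}

/* Approximate count of conversion specifications in a string, i.e. how
 * many arguments a printf-style function would try to consume if the
 * string were the format. "%%" is a literal percent, not a conversion. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        if (s[1] != '\0')
            n++;
    }
    return n;
}

int main(void)
{
    const char *sample = "100%s done, id %x";   /* constructed input */
    printf("%s\n", log_message_fixed(sample));
    printf("conversions if used as format: %d\n", count_conversions(sample));
    return 0;
}
```

With the message passed as an argument to "%s", the specifiers in the sample string reach the log verbatim and no variadic arguments are read on their behalf.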




Information forwarded to debian-bugs-dist@lists.debian.org, Thibaut VARENE <varenet@debian.org>:
Bug#673154; Package pidgin-otr. (Wed, 16 May 2012 14:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thibaut VARÈNE <varenet@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thibaut VARENE <varenet@debian.org>. (Wed, 16 May 2012 14:18:03 GMT) Full text and rfc822 format available.

Message #10 received at 673154@bugs.debian.org (full text, mbox):

From: Thibaut VARÈNE <varenet@gmail.com>
To: Jonathan Wiltshire <jmw@debian.org>, "673154@bugs.debian.org" <673154@bugs.debian.org>
Subject: Re: Bug#673154: CVE-2012-2369: Format string security vulnerability
Date: Wed, 16 May 2012 07:14:07 -0700
The update is ready; I'm about to upload it. Thx

On 16 May 2012 at 06:56, Jonathan Wiltshire <jmw@debian.org> wrote:

> Package: pidgin-otr
> Version: 3.2.0-5
> Severity: serious
> Tags: security upstream patch
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for pidgin-otr.
> 
> CVE-2012-2369[0]:
> | Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
> | string security flaw.  This flaw could potentially be exploited by
> | a remote attacker to cause arbitrary code to be executed on the user's
> | machine.
> 
> Upstream's patch:
> 
> --- a/otr-plugin.c
> +++ b/otr-plugin.c
> @@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext *conte
> 
> static void log_message_cb(void *opdata, const char *message)
> {
> -    purple_debug_info("otr", message);
> +    purple_debug_info("otr", "%s", message);
> }
> 
> static int max_message_size_cb(void *opdata, ConnContext *context)
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> I will shortly prepare an update for stable unless you wish to.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369
>    http://security-tracker.debian.org/tracker/CVE-2012-2369
> 
> 
> -- System Information:
> Debian Release: wheezy/sid
>  APT prefers unstable
>  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> 
> 




Reply sent to Thibaut VARENE <varenet@debian.org>:
You have taken responsibility. (Thu, 17 May 2012 00:39:03 GMT) Full text and rfc822 format available.

Notification sent to Jonathan Wiltshire <jmw@debian.org>:
Bug acknowledged by developer. (Thu, 17 May 2012 00:39:03 GMT) Full text and rfc822 format available.

Message #15 received at 673154-done@bugs.debian.org (full text, mbox):

From: Thibaut VARENE <varenet@debian.org>
To: 673154-done@bugs.debian.org
Subject: Re: Bug#673154: CVE-2012-2369: Format string security vulnerability
Date: Wed, 16 May 2012 17:35:11 -0700
Version: 3.2.1-1

CVE fixed in upstream release 3.2.1

On Wed, May 16, 2012 at 7:14 AM, Thibaut VARÈNE <varenet@gmail.com> wrote:
> The update is ready; I'm about to upload it. Thx
>
> On 16 May 2012 at 06:56, Jonathan Wiltshire <jmw@debian.org> wrote:
>
>> Package: pidgin-otr
>> Version: 3.2.0-5
>> Severity: serious
>> Tags: security upstream patch
>>
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for pidgin-otr.
>>
>> CVE-2012-2369[0]:
>> | Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
>> | string security flaw.  This flaw could potentially be exploited by
>> | a remote attacker to cause arbitrary code to be executed on the user's
>> | machine.
>>
>> Upstream's patch:
>>
>> --- a/otr-plugin.c
>> +++ b/otr-plugin.c
>> @@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext *conte
>>
>> static void log_message_cb(void *opdata, const char *message)
>> {
>> -    purple_debug_info("otr", message);
>> +    purple_debug_info("otr", "%s", message);
>> }
>>
>> static int max_message_size_cb(void *opdata, ConnContext *context)
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
>>
>> I will shortly prepare an update for stable unless you wish to.
>>
>> For further information see:
>>
>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369
>>    http://security-tracker.debian.org/tracker/CVE-2012-2369
>>
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>>  APT prefers unstable
>>  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
>> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/bash
>>
>>




Information forwarded to debian-bugs-dist@lists.debian.org, Thibaut VARENE <varenet@debian.org>:
Bug#673154; Package pidgin-otr. (Thu, 17 May 2012 12:36:59 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Mayer <segfaulthunter@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thibaut VARENE <varenet@debian.org>. (Thu, 17 May 2012 12:37:07 GMT) Full text and rfc822 format available.

Message #20 received at 673154@bugs.debian.org (full text, mbox):

From: Florian Mayer <segfaulthunter@gmail.com>
To: 673154@bugs.debian.org
Subject: Re: CVE-2012-2369: Format string security vulnerability
Date: Thu, 17 May 2012 14:33:22 +0200
Hello! I've been wondering why this isn't fixed in stable yet and
there's no DSA about it either.




Information forwarded to debian-bugs-dist@lists.debian.org, Thibaut VARENE <varenet@debian.org>:
Bug#673154; Package pidgin-otr. (Thu, 17 May 2012 14:27:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thibaut VARÈNE <varenet@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thibaut VARENE <varenet@debian.org>. (Thu, 17 May 2012 14:27:11 GMT) Full text and rfc822 format available.

Message #25 received at 673154@bugs.debian.org (full text, mbox):

From: Thibaut VARÈNE <varenet@gmail.com>
To: Florian Mayer <segfaulthunter@gmail.com>, "673154@bugs.debian.org" <673154@bugs.debian.org>
Subject: Re: Bug#673154: CVE-2012-2369: Format string security vulnerability
Date: Thu, 17 May 2012 07:20:37 -0700
I've no idea how to fix this in stable and I'm currently on vacation with limited Internet access...

On 17 May 2012 at 05:33, Florian Mayer <segfaulthunter@gmail.com> wrote:

> Hello! I've been wondering why this isn't fixed in stable yet and
> there's no DSA about it either.
> 
> 




Information forwarded to debian-bugs-dist@lists.debian.org, Thibaut VARENE <varenet@debian.org>:
Bug#673154; Package pidgin-otr. (Thu, 17 May 2012 14:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Mayer <segfaulthunter@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thibaut VARENE <varenet@debian.org>. (Thu, 17 May 2012 14:42:03 GMT) Full text and rfc822 format available.

Message #30 received at 673154@bugs.debian.org (full text, mbox):

From: Florian Mayer <segfaulthunter@gmail.com>
To: Thibaut VARÈNE <varenet@gmail.com>
Cc: "673154@bugs.debian.org" <673154@bugs.debian.org>
Subject: Re: Bug#673154: CVE-2012-2369: Format string security vulnerability
Date: Thu, 17 May 2012 16:39:27 +0200
I can try and apply the fix suggested in the announcement, see if it
compiles and post the diff, if that helps.

On Thu, May 17, 2012 at 4:20 PM, Thibaut VARÈNE <varenet@gmail.com> wrote:
> I've no idea how to fix this in stable and I'm currently on vacation with limited Internet access...
>
> On 17 May 2012 at 05:33, Florian Mayer <segfaulthunter@gmail.com> wrote:
>
>> Hello! I've been wondering why this isn't fixed in stable yet and
>> there's no DSA about it either.
>>
>>




Information forwarded to debian-bugs-dist@lists.debian.org, Thibaut VARENE <varenet@debian.org>:
Bug#673154; Package pidgin-otr. (Sat, 19 May 2012 16:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Thibaut VARENE <varenet@debian.org>. (Sat, 19 May 2012 16:57:06 GMT) Full text and rfc822 format available.

Message #35 received at 673154@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: Thibaut VARÈNE <varenet@gmail.com>, 673154@bugs.debian.org
Cc: Florian Mayer <segfaulthunter@gmail.com>
Subject: Re: Bug#673154: CVE-2012-2369: Format string security vulnerability
Date: Sat, 19 May 2012 17:55:12 +0100
On Thu, May 17, 2012 at 07:20:37AM -0700, Thibaut VARÈNE wrote:
> I've no idea how to fix this in stable and I'm currently on vacation with limited Internet access...

I'll take care of it (I wish you'd asked for help sooner).

For your reference:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits

Information forwarded to debian-bugs-dist@lists.debian.org, Thibaut VARENE <varenet@debian.org>:
Bug#673154; Package pidgin-otr. (Sat, 19 May 2012 17:12:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thibaut VARENE <varenet@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thibaut VARENE <varenet@debian.org>. (Sat, 19 May 2012 17:12:07 GMT) Full text and rfc822 format available.

Message #40 received at 673154@bugs.debian.org (full text, mbox):

From: Thibaut VARENE <varenet@gmail.com>
To: Jonathan Wiltshire <jmw@debian.org>
Cc: 673154@bugs.debian.org
Subject: Re: Bug#673154: CVE-2012-2369: Format string security vulnerability
Date: Sat, 19 May 2012 10:08:26 -0700
On Sat, May 19, 2012 at 9:55 AM, Jonathan Wiltshire <jmw@debian.org> wrote:
> On Thu, May 17, 2012 at 07:20:37AM -0700, Thibaut VARÈNE wrote:
>> I've no idea how to fix this in stable and I'm currently on vacation with limited Internet access...
>
> I'll take care of it (I wish you'd asked for help sooner).

Thanks

> For your reference:
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

Well, FYI I did pop up on #debian-security on OFTC to ask for help
when upstream advised me of their intent to publicize the
vulnerability, and I waited there for several hours and nobody even
paid attention to me. I've also been told that the initial bug
reporter (intrigueri) did contact d-s about the issue and also never
got any answer, and he couldn't point me to a RT ticket since
apparently it was private until upstream's disclosure, so I couldn't
even sync on that. I'm guessing nobody considered this a high enough
priority to warrant more attention. Which is fine by me, it's not like
everyone is using pidgin-otr anyway. It's not a high-profile package.

T-Bone




Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Sun, 20 May 2012 18:39:11 GMT) Full text and rfc822 format available.

Notification sent to Jonathan Wiltshire <jmw@debian.org>:
Bug acknowledged by developer. (Sun, 20 May 2012 18:39:12 GMT) Full text and rfc822 format available.

Message #45 received at 673154-close@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 673154-close@bugs.debian.org
Subject: Bug#673154: fixed in pidgin-otr 3.2.0-5+squeeze1
Date: Sun, 20 May 2012 18:36:40 +0000
Source: pidgin-otr
Source-Version: 3.2.0-5+squeeze1

We believe that the bug you reported is fixed in the latest version of
pidgin-otr, which is due to be installed in the Debian FTP archive:

pidgin-otr_3.2.0-5+squeeze1.diff.gz
  to main/p/pidgin-otr/pidgin-otr_3.2.0-5+squeeze1.diff.gz
pidgin-otr_3.2.0-5+squeeze1.dsc
  to main/p/pidgin-otr/pidgin-otr_3.2.0-5+squeeze1.dsc
pidgin-otr_3.2.0-5+squeeze1_amd64.deb
  to main/p/pidgin-otr/pidgin-otr_3.2.0-5+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 673154@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated pidgin-otr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 19 May 2012 17:46:00 +0100
Source: pidgin-otr
Binary: pidgin-otr
Architecture: source amd64
Version: 3.2.0-5+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Thibaut VARENE <varenet@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 pidgin-otr - Off-the-Record Messaging plugin for pidgin
Closes: 673154
Changes: 
 pidgin-otr (3.2.0-5+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2012-2369: Fix format vulnerability in log messages
     (Closes: #673154)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:29:35 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 02:59:04 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.