Debian Bug report logs - #684121
libotr2: Buffer overflows in libotr


Package: libotr2; Maintainer for libotr2 is Thibaut VARENE <varenet@debian.org>; Source for libotr2 is src:libotr.

Reported by: Göran Weinholt <goran@weinholt.se>

Date: Tue, 7 Aug 2012 07:45:02 UTC

Severity: grave

Tags: security, upstream

Found in version libotr/3.2.0-4

Fixed in versions libotr/3.2.1-1, libotr/3.2.0-2+squeeze1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thibaut VARENE <varenet@debian.org>:
Bug#684121; Package libotr2. (Tue, 07 Aug 2012 07:45:04 GMT)

Acknowledgement sent to Göran Weinholt <goran@weinholt.se>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thibaut VARENE <varenet@debian.org>. (Tue, 07 Aug 2012 07:45:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Göran Weinholt <goran@weinholt.se>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libotr2: Buffer overflows in libotr
Date: Tue, 07 Aug 2012 09:42:03 +0200
Package: libotr2
Version: 3.2.0-4
Severity: grave
Tags: security upstream
Justification: user security hole

libotr contains buffer overflows in a few base64 decoding functions:
http://lists.cypherpunks.ca/pipermail/otr-dev/2012-July/001347.html

Fixes for the bugs are available from git:
http://lists.cypherpunks.ca/pipermail/otr-dev/2012-July/001348.html



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libotr2 depends on:
ii  libc6        2.13-33
ii  libgcrypt11  1.5.0-3

libotr2 recommends no packages.

Versions of packages libotr2 suggests:
ii  libotr2-bin  3.2.0-4

-- no debconf information
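The report above names the bug class (buffer overflows in base64 decoding) but not the code, and the actual fix lives in the upstream git log it links. As an added illustration that is not libotr's code or its patch, here is a bounds-checked base64 decoder in C showing the checks such a routine needs: an output-size bound that rounds partial groups up instead of truncating, rejection of invalid characters rather than skipping them, and a length check before every write so the caller's buffer can never be overrun. All function names are my own, and the inputs in the test are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Common sizing mistake: truncating division ignores a trailing partial group. */
size_t b64_naive_decoded_len(size_t inlen) { return (inlen / 4) * 3; }
/* Safe upper bound: 3 bytes per 4 input chars, partial groups rounded up. */
size_t b64_max_decoded_len(size_t inlen) { return ((inlen + 3) / 4) * 3; }

static int b64_val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode in[0..inlen) into out, never writing past out + outlen.
   Returns the number of bytes written, or -1 if the input is malformed or does not fit. */
long b64_decode_bounded(const char *in, size_t inlen, unsigned char *out, size_t outlen) {
    size_t i, o = 0;
    unsigned int acc = 0;        /* only the low (bits + 8) bits are ever read */
    int v, bits = 0;
    for (i = 0; i < inlen; i++) {
        if (in[i] == '=') break;                 /* padding ends the data */
        v = b64_val((unsigned char)in[i]);
        if (v < 0) return -1;                    /* reject, do not silently skip */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= outlen) return -1;          /* bounds check before every write */
            out[o++] = (unsigned char)((acc >> bits) & 0xFFu);
        }
    }
    if (bits >= 6) return -1;                    /* a dangling single char is not valid base64 */
    return (long)o;
}

/* Demo wrapper (hypothetical helper): decode into a 16-byte scratch buffer capped at `cap`
   bytes and compare with the expected plaintext. 1 = match, 0 = mismatch, -1 = rejected. */
int b64_demo(const char *in, size_t cap, const char *expect) {
    unsigned char buf[16] = {0};
    if (cap > sizeof buf) cap = sizeof buf;
    long n = b64_decode_bounded(in, strlen(in), buf, cap);
    if (n < 0) return -1;
    return ((size_t)n == strlen(expect) && memcmp(buf, expect, (size_t)n) == 0) ? 1 : 0;
}
```

Note how an unpadded 7-character input yields 5 bytes: the naive bound of 3 would be overrun, while the rounded-up bound of 6 and the per-write check keep the decoder inside the buffer.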



Reply sent to Thibaut VARENE <varenet@debian.org>:
You have taken responsibility. (Tue, 07 Aug 2012 10:51:03 GMT)

Notification sent to Göran Weinholt <goran@weinholt.se>:
Bug acknowledged by developer. (Tue, 07 Aug 2012 10:51:03 GMT)

Message #10 received at 684121-close@bugs.debian.org:

From: Thibaut VARENE <varenet@debian.org>
To: 684121-close@bugs.debian.org
Subject: Bug#684121: fixed in libotr 3.2.1-1
Date: Tue, 07 Aug 2012 10:47:16 +0000
Source: libotr
Source-Version: 3.2.1-1

We believe that the bug you reported is fixed in the latest version of
libotr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684121@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thibaut VARENE <varenet@debian.org> (supplier of updated libotr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 07 Aug 2012 12:24:15 +0200
Source: libotr
Binary: libotr2 libotr2-bin libotr2-dev
Architecture: source ia64
Version: 3.2.1-1
Distribution: unstable
Urgency: high
Maintainer: Thibaut VARENE <varenet@debian.org>
Changed-By: Thibaut VARENE <varenet@debian.org>
Description: 
 libotr2    - Off-the-Record Messaging library
 libotr2-bin - toolkit for Off-the-Record Messaging library
 libotr2-dev - Off-the-Record Messaging library development files
Closes: 684121
Changes: 
 libotr (3.2.1-1) unstable; urgency=high
 .
   * Fix potential buffer overflow in base64 routines (Closes: #684121)





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#684121; Package libotr2. (Tue, 07 Aug 2012 10:54:07 GMT)

Acknowledgement sent to Thibaut VARENE <varenet@debian.org>:
Extra info received and forwarded to list. (Tue, 07 Aug 2012 10:54:07 GMT)

Message #15 received at 684121@bugs.debian.org:

From: Thibaut VARENE <varenet@debian.org>
To: Göran Weinholt <goran@weinholt.se>, 684121@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#684121: libotr2: Buffer overflows in libotr
Date: Tue, 7 Aug 2012 12:49:51 +0200
Hi,

I just uploaded 3.2.1-1 to unstable; it contains the changes listed here:

http://otr.git.sourceforge.net/git/gitweb.cgi?p=otr/libotr;a=log;h=refs/heads/3.2_dev

I'm CC'ing security as I suppose they might want to push this package
to unstable as well.

Note, the only difference between 3.2.0-4 (currently in testing) and
3.2.1-1 (just uploaded to unstable) is the security fix, see the
attached debdiff on the unblock request #684140.

The only difference between 3.2.0-2 in stable and 3.2.0-4 in testing
is packaging cosmetics (shipping .pc, null out dependency_libs in .la
and lintian fixes).

HTH

On Tue, Aug 7, 2012 at 9:42 AM, Göran Weinholt <goran@weinholt.se> wrote:
> Package: libotr2
> Version: 3.2.0-4
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> libotr contains buffer overflows in a few base64 decoding functions:
> http://lists.cypherpunks.ca/pipermail/otr-dev/2012-July/001347.html
>
> Fixes for the bugs are available from git:
> http://lists.cypherpunks.ca/pipermail/otr-dev/2012-July/001348.html
>
>
>
> -- System Information:
> Debian Release: wheezy/sid
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores)
> Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages libotr2 depends on:
> ii  libc6        2.13-33
> ii  libgcrypt11  1.5.0-3
>
> libotr2 recommends no packages.
>
> Versions of packages libotr2 suggests:
> ii  libotr2-bin  3.2.0-4
>
> -- no debconf information

-- 
Thibaut VARENE
http://www.parisc-linux.org/~varenet/



Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Sun, 12 Aug 2012 20:51:06 GMT)

Notification sent to Göran Weinholt <goran@weinholt.se>:
Bug acknowledged by developer. (Sun, 12 Aug 2012 20:51:06 GMT)

Message #20 received at 684121-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 684121-close@bugs.debian.org
Subject: Bug#684121: fixed in libotr 3.2.0-2+squeeze1
Date: Sun, 12 Aug 2012 20:47:05 +0000
Source: libotr
Source-Version: 3.2.0-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
libotr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684121@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated libotr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 12 Aug 2012 11:39:08 +0000
Source: libotr
Binary: libotr2 libotr2-bin libotr2-dev
Architecture: source amd64
Version: 3.2.0-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Thibaut VARENE <varenet@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libotr2    - Off-the-Record Messaging library
 libotr2-bin - toolkit for Off-the-Record Messaging library
 libotr2-dev - Off-the-Record Messaging library development files
Closes: 684121
Changes: 
 libotr (3.2.0-2+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix potential buffer overflows in base64 handling
     (CVE-2012-3461; Closes: #684121).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Sep 2012 07:25:40 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:36:37 2014; Machine Name: beach.debian.org
