Bug 822226 (CVE-2012-2369)

Summary: CVE-2012-2369 pidgin-otr: Format string security flaw in pidgin-otr
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Kurt Seifried <kseifried>
Assignee: Red Hat Product Security <security-response-team>
CC: huzaifas, postmodern.mod3, pwouters
Doc Type: Bug Fix
Last Closed: 2012-07-19 10:02:42 EDT
Whiteboard: impact=moderate,public=20120516,reported=20120516,source=vendor-sec,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,fedora-all/pidgin-otr=affected,epel-6/pidgin-otr=affected

Description Kurt Seifried 2012-05-16 13:33:30 EDT
Ian Goldberg iang@cs.uwaterloo.ca reports:
Off-the-Record Messaging (OTR) Security Advisory 2012-01

Format string security flaw in pidgin-otr

Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
string security flaw.  This flaw could potentially be exploited by
a remote attacker to cause arbitrary code to be executed on the user's

The flaw is in pidgin-otr, not in libotr.  Other applications which use
libotr are not affected.

CVE-2012-2369 has been assigned to this issue.

The recommended course of action is to upgrade pidgin-otr to version
3.2.1 immediately.  The new version can be obtained here:

Source code:
gpg signature:

git repository:
    git://otr.git.sourceforge.net/gitroot/otr/pidgin-otr (branch 3.2_dev)

Version 4.0.0 (soon to be released) does not suffer from this flaw.

Linux and *BSD vendors and package maintainers have been notified, and
updated packages should be available from them.
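As an added illustration of the bug class the advisory names (this is not code from the advisory, from pidgin-otr or from libotr, and the page gives no detail of where in the plugin the flaw sits), the C below shows the generic vulnerable idiom, a remote message handed to a printf-style sink as the format argument, next to the hardened form that pins the format to "%s" and a small check that flags messages carrying a conversion directive. `log_line` is a hypothetical stand-in for any such sink (logging, notification, buffer building); the sample message is constructed and uses only "%%" so the run stays well-defined while still showing the message being interpreted as a format.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define OUT_LEN 128

/* Hypothetical printf-style sink (assumption: stands in for whatever logging
 * or notification call a plugin feeds remote text into). Formats into a
 * caller-supplied buffer and returns what vsnprintf returns. */
static int log_line(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the remote message itself becomes the format string, so any
 * '%' directive in it is interpreted by the formatter ("%x" leaks stack
 * words, "%n" writes memory). */
int show_message_vulnerable(char *out, size_t outlen, const char *msg)
{
    return log_line(out, outlen, msg);
}

/* FIXED: the format is a constant and the message is only ever data. */
int show_message_fixed(char *out, size_t outlen, const char *msg)
{
    return log_line(out, outlen, "%s", msg);
}

/* Defensive check (useful in tests or as an audit helper): true when msg
 * contains a '%' that would start a conversion; "%%" is a literal percent. */
bool has_format_directive(const char *msg)
{
    for (const char *p = strchr(msg, '%'); p != NULL; p = strchr(p, '%')) {
        if (p[1] == '%') {   /* escaped percent, skip both characters */
            p += 2;
            continue;
        }
        return true;         /* any other character (or end of string) after '%' */
    }
    return false;
}

int main(void)
{
    /* Constructed sample message: "%%" is the only directive, so the
     * vulnerable path prints one '%' while the fixed path keeps both. */
    const char *msg = "Get 50%% off";
    char vuln[OUT_LEN], fixed[OUT_LEN];

    show_message_vulnerable(vuln, sizeof vuln, msg);
    show_message_fixed(fixed, sizeof fixed, msg);
    printf("vulnerable: %s\n", vuln);   /* Get 50% off  */
    printf("fixed:      %s\n", fixed);  /* Get 50%% off */
    printf("\"%%x %%x\" flagged: %s\n",
           has_format_directive("%x %x") ? "yes" : "no");
    return 0;
}
```

The difference in the two output lines is the whole bug: in the vulnerable path the formatter consumed the message's directive, which with "%x" or "%n" instead of "%%" would read or write memory chosen by the sender. Fixing it means never passing untrusted text in the format position; compiling with `-Wformat-security` catches the direct `printf(msg)` shape, though not calls that go through a variadic wrapper like `log_line`, so those wrappers deserve the `format` function attribute or a manual audit.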
Comment 1 Paul Wouters 2012-06-15 13:53:55 EDT
These are all already in the updates repositories for EL6, F16 and F17.