Bug 822226 (CVE-2012-2369)

Summary: CVE-2012-2369 pidgin-otr: Format string security flaw in pidgin-otr
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: huzaifas, postmodern.mod3, pwouters
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20120516,reported=20120516,source=vendor-sec,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,fedora-all/pidgin-otr=affected,epel-6/pidgin-otr=affected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-19 10:02:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:

Description Kurt Seifried 2012-05-16 13:33:30 EDT
Ian Goldberg iang@cs.uwaterloo.ca reports:

www.openwall.com/lists/oss-security/2012/05/16/2

Off-the-Record Messaging (OTR) Security Advisory 2012-01

Format string security flaw in pidgin-otr

Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
string security flaw.  This flaw could potentially be exploited by
a remote attacker to cause arbitrary code to be executed on the user's
machine.

The flaw is in pidgin-otr, not in libotr.  Other applications which use
libotr are not affected.

CVE-2012-2369 has been assigned to this issue.

The recommended course of action is to upgrade pidgin-otr to version
3.2.1 immediately.  The new version can be obtained here:

Source code:
    http://otr.cypherpunks.ca/pidgin-otr-3.2.1.tar.gz
gpg signature:
    http://otr.cypherpunks.ca/pidgin-otr-3.2.1.tar.gz.asc

git repository:
    git://otr.git.sourceforge.net/gitroot/otr/pidgin-otr (branch 3.2_dev)

Version 4.0.0 (soon to be released) does not suffer from this flaw.

Linux and *BSD vendors and package maintainers have been notified, and
updated packages should be available from them.
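The advisory names the bug class (a format string flaw reachable with remote input) but not the call site. The following C is an added illustration of that class from a defender's side, not code from pidgin-otr, libotr or this bug report: the vulnerable pattern (peer-supplied text passed as the format argument) beside the hardened pattern (fixed literal format, untrusted text only as a `%s` argument), plus a small helper that counts the directives printf would act on if a string were misused as a format. The function names `notify_vulnerable`, `notify_safe`, `count_format_directives` and `render_message` and the sample peer string are assumptions made for the example; `notify_vulnerable` is present only for comparison and is never called.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: a string received from the remote peer is passed as
 * the format argument itself, so any '%' directives it carries are
 * interpreted by printf. This is the bug class the advisory names.
 * Not called in this example; gcc and clang flag it with -Wformat-security.
 * (Constructed illustration, not pidgin-otr's code.) */
void notify_vulnerable(const char *untrusted)
{
    printf(untrusted);
}

/* Hardened pattern: the format is a literal under the program's control and
 * the untrusted text is only ever a %s argument, so its '%' bytes are copied
 * verbatim and never interpreted. */
void notify_safe(const char *untrusted)
{
    printf("%s", untrusted);
}

/* Defensive helper: count the conversion directives printf would act on if
 * this string were (mis)used as a format. "%%" is an escaped percent sign and
 * is not counted. Handy in tests or logging hooks to flag suspicious input. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* literal percent sign, skip both characters */
            s++;
            continue;
        }
        n++;                 /* '%' followed by anything else is a directive */
    }
    return n;
}

/* Building a user-visible message the safe way: fixed format, bounded buffer,
 * untrusted text passed only as an argument. Returns the length snprintf
 * would have produced, so callers can detect truncation. */
int render_message(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "OTR: %s", untrusted);
}

int main(void)
{
    /* Constructed sample: a peer-supplied string carrying format directives. */
    const char *peer = "hello %s %n %x";
    char buf[64];

    printf("directives in peer string: %d\n", count_format_directives(peer));
    render_message(buf, sizeof buf, peer);
    notify_safe(buf);   /* prints the directives as plain text, nothing is interpreted */
    putchar('\n');
    return 0;
}
```

The practical check a packager or reviewer can run on a C code base is to compile with `-Wformat -Wformat-security` (and `-Werror=format-security` in CI): the compiler reports every call where a non-literal string reaches a printf-family format parameter, which is exactly the pattern `notify_vulnerable` shows.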
Comment 1 Paul Wouters 2012-06-15 13:53:55 EDT
These are all already in the updates repositories for EL6, F16 and F17.