Bugzilla – Bug 969785
VUL-0: CVE-2016-2851: libotr,libotr2: Integer overflow vulnerability
Last modified: 2017-05-11 00:50:35 UTC
Created attachment 667926: 2015-01-intoverflow.patch

EMBARGOED via distros
CRD: 2016-03-09 18:00 UTC

[This advisory is under embargo. I would like to lift the embargo on Wed Mar 9, at 1:00 pm EST = 18h00 UTC. Do speak up quickly if that's not enough time for you. The new versions are live at the URLs below, though not yet linked to from anywhere. The git repository does *not* contain the fix at this time. I am also attaching the patch to prevent it from being email-munged.]

Off-the-Record Messaging (OTR) Security Advisory 2016-01
Integer overflow vulnerability in libotr

Versions 4.1.0 and earlier of libotr in 64-bit builds contain an integer overflow security flaw. This flaw could potentially be exploited by a remote attacker to cause a heap buffer overflow and subsequently for arbitrary code to be executed on the user's machine.

In several places in proto.c, the sizes of portions of incoming messages were stored in variables of type int or unsigned int instead of size_t. If a message arrives with very large sizes (for example unsigned int datalen = UINT_MAX), then constructions like malloc(datalen+1) will turn into malloc(0), which on some architectures returns a non-NULL pointer, but UINT_MAX bytes will get written to that pointer.

The reporter has requested a CVE for this issue, but it has not yet been assigned.

The recommended course of action is to upgrade libotr to version 4.1.1 immediately. The new version can be obtained here:

Source code: https://otr.cypherpunks.ca/libotr-4.1.1.tar.gz
gpg signature: https://otr.cypherpunks.ca/libotr-4.1.1.tar.gz.asc
git repository: git://git.otr.im/libotr.git (tag 4.1.1)

A new Windows binary of pidgin-otr (4.0.2) linked to libotr 4.1.1 is available; however, as the Windows version is a 32-bit build, it is not susceptible to the above flaw. Windows users may wish to upgrade in any event in order to take advantage of other fixes in libotr 4.1.1 and pidgin-otr 4.0.2, however (see the respective NEWS files).

pidgin-otr 4.0.2
Source code: https://otr.cypherpunks.ca/pidgin-otr-4.0.2.tar.gz
gpg signature: https://otr.cypherpunks.ca/pidgin-otr-4.0.2.tar.gz.asc
Windows installer: https://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.2.exe
gpg signature: https://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.2.exe.asc
Windows zip file: https://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.2.zip
gpg signature: https://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.2.zip.asc

Linux and *BSD vendors and package maintainers have been notified, and updated packages should be available from them.

If upgrading to version 4.1.1 is not possible, please apply the following patch to 4.1.0: (attached)
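The following is an added illustration of the bug class the advisory describes: a length field read from an untrusted message, held in an unsigned int, and used in malloc(datalen+1). It is example code written for this page, not libotr's proto.c and not the attached patch; the message layout (a 4-byte big-endian length followed by that many data bytes), the constructed sample messages and all function names are assumptions made here. The vulnerable function only reproduces the size arithmetic (the copy that would follow is omitted so the example runs safely); the hardened parser beside it keeps lengths in size_t and, more importantly, refuses any advertised length that exceeds the bytes actually present.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Example code for this page, not libotr's. Message layout assumed:
 * 4-byte big-endian length, then that many bytes of data. */

static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the length is held in an unsigned int, so
 * datalen + 1 is evaluated in 32 bits and wraps to 0 when the message
 * advertises datalen == UINT_MAX. A caller doing malloc(datalen + 1)
 * gets a zero-sized allocation and then copies UINT_MAX bytes into it.
 * Only the size computation is reproduced; no copy is performed. */
unsigned int vulnerable_alloc_size(const unsigned char *msg) {
    unsigned int datalen = read_be32(msg);
    return datalen + 1;                 /* 0 for datalen == UINT_MAX */
}

/* Hardened parser. Returns 0 and stores a NUL-terminated copy of the
 * data in *out (caller frees) on success; returns -1 and sets *out to
 * NULL when the message is truncated or its length field overstates
 * the bytes that follow. */
int parse_blob(const unsigned char *msg, size_t msglen, char **out) {
    *out = NULL;
    if (msglen < 4)
        return -1;                      /* no room for the length field */

    size_t datalen = read_be32(msg);    /* widen to size_t before arithmetic */
    size_t remaining = msglen - 4;

    /* The decisive check: the advertised length must fit in what was
     * actually received. This bounds datalen below msglen, so the +1
     * below cannot wrap on either 32- or 64-bit builds. */
    if (datalen > remaining)
        return -1;

    char *buf = malloc(datalen + 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, msg + 4, datalen);
    buf[datalen] = '\0';
    *out = buf;
    return 0;
}

/* Constructed sample messages for this example (not captured OTR traffic). */
static const unsigned char good_msg[] = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char evil_msg[] = { 0xff, 0xff, 0xff, 0xff, 'x' };

/* Returns 1 when the hardened parser accepts good_msg, rejects evil_msg,
 * and the vulnerable arithmetic on evil_msg wraps to a zero-byte request. */
int demo(void) {
    char *s = NULL;
    int ok = parse_blob(good_msg, sizeof good_msg, &s) == 0
             && s != NULL && strcmp(s, "hello") == 0;
    free(s);
    int rejected = parse_blob(evil_msg, sizeof evil_msg, &s) == -1 && s == NULL;
    int wrapped = vulnerable_alloc_size(evil_msg) == 0;
    return ok && rejected && wrapped;
}
```

Changing the variable type to size_t, as the advisory's fix does, removes the 32-bit wrap on 64-bit builds; pairing it with a check of the advertised length against the bytes actually received is what makes the parser safe regardless of word size, because the message itself can never be large enough to make datalen + 1 wrap once datalen is bounded by msglen.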
bugbot adjusting priority
Created attachment 667991: fix a test failure in 4.1.1

Patch to fix https://bugs.otr.im/issues/91 in 4.1.1
Is public
This is an autogenerated message for OBS integration: This bug (969785) was mentioned in https://build.opensuse.org/request/show/369351 Factory / libotr
SUSE-SU-2016:0706-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 969785
CVE References: CVE-2016-2851
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libotr-3.2.0-10.5.1
SUSE Linux Enterprise Server 11-SP4 (src): libotr-3.2.0-10.5.1
SUSE Linux Enterprise Desktop 11-SP4 (src): libotr-3.2.0-10.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libotr-3.2.0-10.5.1
SUSE-SU-2016:0707-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 969785
CVE References: CVE-2016-2851
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libotr-4.0.0-9.1
SUSE Linux Enterprise Software Development Kit 12 (src): libotr-4.0.0-9.1
SUSE Linux Enterprise Server 12-SP1 (src): libotr-4.0.0-9.1
SUSE Linux Enterprise Server 12 (src): libotr-4.0.0-9.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libotr-4.0.0-9.1
SUSE Linux Enterprise Desktop 12 (src): libotr-4.0.0-9.1
All done
openSUSE-SU-2016:0708-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 969785
CVE References: CVE-2016-2851
Sources used:
openSUSE Leap 42.1 (src): libotr-4.1.1-4.1, libotr2-3.2.1-13.1
openSUSE 13.2 (src): libotr-4.0.0-8.3.1, libotr2-3.2.1-7.3.1
openSUSE-SU-2016:0732-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 969785
CVE References: CVE-2016-2851
Sources used:
openSUSE 13.1 (src): libotr-4.0.0-5.7.1, libotr2-3.2.1-5.3.1
This is an autogenerated message for OBS integration: This bug (969785) was mentioned in https://build.opensuse.org/request/show/374787 Factory / libotr