Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 416263 (CVE-2012-2369) - <x11-plugins/pidgin-otr-3.2.1: format string vulnerability (CVE-2012-2369)
Summary: <x11-plugins/pidgin-otr-3.2.1: format string vulnerability (CVE-2012-2369)
Status: RESOLVED FIXED
Alias: CVE-2012-2369
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://lists.cypherpunks.ca/pipermail...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-16 12:40 UTC by Michael Palimaka (kensington)
Modified: 2012-07-09 22:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Palimaka (kensington) gentoo-dev 2012-05-16 12:40:51 UTC 
From $URL:

Format string security flaw in pidgin-otr

Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
string security flaw.  This flaw could potentially be exploited by
a remote attacker to cause arbitrary code to be executed on the user's
machine.

The flaw is in pidgin-otr, not in libotr.  Other applications which use
libotr are not affected.

CVE-2012-2369 has been assigned to this issue.

The recommended course of action is to upgrade pidgin-otr to version
3.2.1 immediately.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2012-05-17 11:44:58 UTC 
+*pidgin-otr-3.2.1 (17 May 2012)
+
+  17 May 2012; Lars Wendler <polynomial-c@gentoo.org> +pidgin-otr-3.2.1.ebuild:
+  non-maintainer commit: Security bump (bug #416263).
+
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-05-17 12:51:34 UTC 
Thanks, Lars.

Arches, please test and mark stable:
=x11-plugins/pidgin-otr-3.2.1
Target keywords : "amd64 ppc sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-05-19 14:02:54 UTC 
amd64 stable
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-05-22 01:43:15 UTC 
x86 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2012-06-08 18:04:52 UTC 
ppc done
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2012-06-09 19:09:59 UTC 
sparc keywords dropped
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-06-10 15:39:29 UTC 
Thanks, folks. GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 22:39:06 UTC 
This issue was resolved and addressed in
 GLSA 201207-05 at http://security.gentoo.org/glsa/glsa-201207-05.xml
by GLSA coordinator Sean Amoss (ackle).