Bug 576914 (CVE-2016-2851)

Summary: <net-libs/libotr-4.1.1: Possible arbitrary code execution through integer overflow vulnerability
Product: Gentoo Security
Reporter: Tom Samstag <gentoo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: polynomial-c
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.cypherpunks.ca/pipermail/otr-announce/2016-March/000062.html
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 576916    

Description Tom Samstag 2016-03-09 21:22:18 UTC
An integer overflow vulnerability has been identified in libotr versions 4.1.0. A patch has been released, and a new version, 4.1.1, has been released to address the issue.

CVE-2016-2851 has been assigned to this issue.

https://lists.cypherpunks.ca/pipermail/otr-announce/2016-March/000062.html
https://security-tracker.debian.org/tracker/CVE-2016-2851
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-03-09 21:29:41 UTC
4.1.1 already in tree. 

@Maintainer; is it ready for stable?
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-03-09 21:51:47 UTC
Arches please test and mark stable =net-libs/libotr-4.1.1 with target KEYWORDS:

~alpha amd64 ~arm hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x86-macos
Comment 3 Agostino Sarubbo gentoo-dev 2016-03-10 16:14:02 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-03-10 16:17:15 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-12 09:12:06 UTC
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2016-03-16 12:08:28 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-19 11:40:30 UTC
sparc stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 8 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-03-20 17:26:15 UTC
commit 5ed342342229bc85319440341dc14d48d373d5e6
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun Mar 20 18:20:29 2016

    net-libs/libotr: Security cleanup (bug #576914).

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-01-02 14:22:39 UTC
This issue was resolved and addressed in GLSA 201701-10 at https://security.gentoo.org/glsa/201701-10 by GLSA coordinator Thomas Deutschmann (whissi).