Bug 576914 (CVE-2016-2851) - <net-libs/libotr-4.1.1: Possible arbitrary code execution through integer overflow vulnerability
Status: RESOLVED FIXED
Alias: CVE-2016-2851
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://lists.cypherpunks.ca/pipermai...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2015-8833
Reported: 2016-03-09 21:22 UTC by Tom Samstag
Modified: 2017-01-02 14:22 UTC

See Also:
Package list:
Runtime testing required: ---


Description Tom Samstag 2016-03-09 21:22:18 UTC
An integer overflow vulnerability has been identified in libotr versions 4.1.0. A patch has been released, and a new version, 4.1.1, has been released to address the issue.

CVE-2016-2851 has been assigned to this issue.

https://lists.cypherpunks.ca/pipermail/otr-announce/2016-March/000062.html
https://security-tracker.debian.org/tracker/CVE-2016-2851
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2016-03-09 21:29:41 UTC
4.1.1 already in tree. 

@Maintainer; is it ready for stable?
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2016-03-09 21:51:47 UTC
Arches please test and mark stable =net-libs/libotr-4.1.1 with target KEYWORDS:

~alpha amd64 ~arm hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x86-macos
Comment 3 Agostino Sarubbo gentoo-dev 2016-03-10 16:14:02 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-03-10 16:17:15 UTC
x86 stable
Comment 5 Jeroen Roovers gentoo-dev 2016-03-12 09:12:06 UTC
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2016-03-16 12:08:28 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-19 11:40:30 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Lars Wendler (Polynomial-C) gentoo-dev 2016-03-20 17:26:15 UTC
commit 5ed342342229bc85319440341dc14d48d373d5e6
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun Mar 20 18:20:29 2016

    net-libs/libotr: Security cleanup (bug #576914).

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-01-02 14:22:39 UTC
This issue was resolved and addressed in
 GLSA 201701-10 at https://security.gentoo.org/glsa/201701-10
by GLSA coordinator Thomas Deutschmann (whissi).