Multiple heap-based buffer overflow flaws were found in the way the Base64 decoder of libotr, an Off-The-Record Messaging library and toolkit, performed decoding of certain messages. A remote attacker could provide a specially crafted OTR message that, once processed in an application linked against libotr, would lead to that application crashing or, potentially, arbitrary code execution with the privileges of the user running the application.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684121
[2] http://lists.cypherpunks.ca/pipermail/otr-dev/2012-July/001347.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=846377

Relevant upstream patches:
[4] http://otr.git.sourceforge.net/git/gitweb.cgi?p=otr/libotr;a=commitdiff;h=b17232f86f8e60d0d22caf9a2400494d3c77da58
[5] http://otr.git.sourceforge.net/git/gitweb.cgi?p=otr/libotr;a=commitdiff;h=6d4ca89cf1d3c9a8aff696c3a846ac5a51f762c1
[6] http://otr.git.sourceforge.net/git/gitweb.cgi?p=otr/libotr;a=commitdiff;h=1902baee5d4b056850274ed0fa8c2409f1187435

Reproducible: Always
Created attachment 320740: libotr-3.2.0-r1.ebuild
Created attachment 320742: libotr-3.2.0-base64-overflow.patch
CVE-2012-3461 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3461): The (1) otrl_base64_otr_decode function in src/b64.c; (2) otrl_proto_data_read_flags and (3) otrl_proto_accept_data functions in src/proto.c; and (4) decode function in toolkit/parse.c in libotr before 3.2.1 allocates a zero-length buffer when decoding a base64 string, which allows remote attackers to cause a denial of service (application crash) via a message with the value "?OTR:===.", which triggers a heap-based buffer overflow.
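The CVE text above describes the defect class: the decoder sizes its output buffer from the length of the Base64 text and then lets the decode loop write without regard to that size, so a body such as "===" yields a zero-length allocation that is then overrun. The following is an added illustration, not libotr's own code or its upstream fix: a Base64 decoder for the "?OTR:<base64>." message form shown in the report that validates length and padding up front and bounds-checks every write, so the malformed body is rejected instead of overflowing. The function names, the 64-byte scratch buffer and the treatment of '.' as the body terminator are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Map one Base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Upper bound on decoded bytes for a Base64 string of len characters.
   Returns 0 for lengths that cannot be valid Base64 (not a multiple of 4),
   so a caller that allocates this many bytes has already rejected "===". */
size_t b64_max_decoded_len(size_t len) {
    if (len % 4 != 0) return 0;
    return (len / 4) * 3;
}

/* Decode inlen Base64 characters into out, writing at most outcap bytes.
   Returns the number of bytes written, or -1 on malformed input or if the
   output buffer is too small. No write happens without a prior bounds check. */
long b64_decode_checked(const char *in, size_t inlen, unsigned char *out, size_t outcap) {
    if (inlen == 0 || inlen % 4 != 0) return -1;
    size_t o = 0;
    for (size_t i = 0; i < inlen; i += 4) {
        int v[4];
        int pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {
                /* '=' may only occupy the last two positions of the final quantum */
                if (i + 4 != inlen || k < 2) return -1;
                pad++;
                v[k] = 0;
            } else {
                if (pad) return -1;          /* data after padding is malformed */
                v[k] = b64_val(c);
                if (v[k] < 0) return -1;
            }
        }
        uint32_t triple = ((uint32_t)v[0] << 18) | ((uint32_t)v[1] << 12) |
                          ((uint32_t)v[2] << 6)  |  (uint32_t)v[3];
        size_t n = 3 - (size_t)pad;          /* bytes this quantum produces */
        if (o + n > outcap) return -1;       /* the check the overflow lacked */
        out[o++] = (unsigned char)((triple >> 16) & 0xff);
        if (n > 1) out[o++] = (unsigned char)((triple >> 8) & 0xff);
        if (n > 2) out[o++] = (unsigned char)(triple & 0xff);
    }
    return (long)o;
}

/* Decode the body of a "?OTR:<base64>." message (assumed framing) into out. */
long otr_body_decode_checked(const char *msg, unsigned char *out, size_t outcap) {
    const char *prefix = "?OTR:";
    size_t plen = strlen(prefix);
    if (strncmp(msg, prefix, plen) != 0) return -1;
    const char *start = msg + plen;
    const char *end = strchr(start, '.');
    if (end == NULL) return -1;
    return b64_decode_checked(start, (size_t)(end - start), out, outcap);
}

/* Helpers with a fixed scratch buffer so results can be checked by value. */
long otr_decoded_len(const char *msg, size_t cap) {
    unsigned char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    return otr_body_decode_checked(msg, buf, cap);
}

int otr_decodes_to(const char *msg, const char *expected) {
    unsigned char buf[64];
    long n = otr_body_decode_checked(msg, buf, sizeof buf);
    if (n < 0) return 0;
    return (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

int main(void) {
    /* Constructed inputs: the report's trigger value and two well-formed bodies. */
    printf("?OTR:===.      -> %ld\n", otr_decoded_len("?OTR:===.", 64));
    printf("?OTR:aGk=.     -> %ld\n", otr_decoded_len("?OTR:aGk=.", 64));
    printf("?OTR:aGVsbG8=. -> %ld\n", otr_decoded_len("?OTR:aGVsbG8=.", 64));
    return 0;
}
```

The two checks that matter are the length test before any allocation (`b64_max_decoded_len` returns 0 for the three-character body, which a caller must treat as "reject", not "allocate zero bytes and decode anyway") and the `o + n > outcap` test before each write, which keeps a decoder honest even if the caller's size computation was wrong.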
An initial fix is attached to this bug, 3.2.1 (current stable + fix) is available upstream, and 4.0.0 is now in the tree. Anything I can do to help get this moving?
*** Bug 446858 has been marked as a duplicate of this bug. ***
net-im: please bump to 3.2.1 or higher
+ 08 Apr 2013; Sergey Popov <pinkbyte@gentoo.org> +libotr-3.2.1.ebuild:
+ Version bump, wrt bug #430486

Arches, please test and mark stable =net-libs/libotr-3.2.1
Target keywords: amd64 hppa ppc ppc64 sparc x86
amd64 stable
Stable for HPPA.
ppc stable
ppc64 stable
x86 stable
sparc stable
GLSA request filed.
This issue was resolved and addressed in GLSA 201309-07 at http://security.gentoo.org/glsa/glsa-201309-07.xml by GLSA coordinator Chris Reffett (creffett).