An integer overflow vulnerability has been identified in libotr versions 4.1.0. A patch has been released, and a new version, 4.1.1, has been released to address the issue. CVE-2016-2851 has been assigned to this issue.
https://lists.cypherpunks.ca/pipermail/otr-announce/2016-March/000062.html
https://security-tracker.debian.org/tracker/CVE-2016-2851
4.1.1 already in tree. @Maintainer; is it ready for stable?
Arches please test and mark stable =net-libs/libotr-4.1.1 with target KEYWORDS: ~alpha amd64 ~arm hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x86-macos
amd64 stable
x86 stable
Stable for HPPA PPC64.
ppc stable
sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
commit 5ed342342229bc85319440341dc14d48d373d5e6
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Sun Mar 20 18:20:29 2016

    net-libs/libotr: Security cleanup (bug #576914).

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
This issue was resolved and addressed in GLSA 201701-10 at https://security.gentoo.org/glsa/201701-10 by GLSA coordinator Thomas Deutschmann (whissi).