Opened 8 years ago

Closed 8 years ago

#16122 closed defect (fixed)

OTR: address recent heap overflow vulnerabilities in libotr (CVE-2012-3461)

Reported by: fristle Owned by: sphynx
Milestone: Adium 1.5.4 Component: Adium Core
Version: Severity: major
Keywords: OTR Cc:
Patch Status:



Versions 3.2.0 and earlier of libotr contain a couple of heap buffer overrun vulnerabilities, as reported in CVE-2012-3461.

As far as I can tell these vulnerabilities are present in Adium 1.5.3, based on looking at the latest source code release, and that it is apparently linked to libotr 3.2.0. For some reason (outdated build scripts?) it appears as version 2.2.0 in the app bundle, even though it is definitely building from 3.2.0 sources.

Steps to reproduce

n/a. Also, no exploit code is publicly available yet, to my knowledge.

Expected results

I expected Adium to have been rebuilt against the patched version of libotr (version 3.2.1).

Actual results

I saw that it is still linked against the vulnerable libotr version 3.2.0.


The flaw was patched and released in libotr 3.2.1 on August 14th. This is what I found for the diff:


I built Adium 1.5.3 linking it to the updated libotr 3.2.1 framework (which I built by updating the scripts in the Dependencies directory and then copying the framework over) just to see if it caused any problems. For what it's worth, it seems to work fine.

Change History (4)

comment:1 Changed 8 years ago by Robert

Milestone: Adium 1.5.4

comment:2 Changed 8 years ago by Thijs Alkemade

Owner: set to Thijs Alkemade
Status: newassigned

comment:3 Changed 8 years ago by Robert

Severity: normalmajor

comment:4 Changed 8 years ago by Thijs Alkemade <thijsalkemade@…>

Resolution: fixed
Status: assignedclosed

(In f2c1839e0ee1) Updated libotr to 3.2.1, fixing a security vulnerability.

This was all built using Homebrew ( It seems before libgcrypt and libgpg-error were linked statically into libotr, these are now separate frameworks.

Fixes #16122

Note: See TracTickets for help on using tickets.