OTR: address recent heap overflow vulnerabilities in libotr (CVE-2012-3461)
| Reported by: | fristle | Owned by: | sphynx |
| Milestone: | Adium 1.5.4 | Component: | Adium Core |
Versions 3.2.0 and earlier of libotr contain a couple of heap buffer overrun vulnerabilities, as reported in CVE-2012-3461.
As far as I can tell, these vulnerabilities are present in Adium 1.5.3, based on looking at the latest source code release and on the fact that it is apparently linked to libotr 3.2.0. For some reason (outdated build scripts?) it appears as version 2.2.0 in the app bundle, even though it is definitely building from 3.2.0 sources.
Steps to reproduce
n/a. Also, no exploit code is publicly available yet, to my knowledge.
I expected Adium to have been rebuilt against the patched version of libotr (version 3.2.1).
I saw that it is still linked against the vulnerable libotr version 3.2.0.
The flaw was patched and released in libotr 3.2.1 on August 14th. This is what I found for the diff: http://old.nabble.com/SECURITY-patch-for-security-libotr-td34289285.html
I built Adium 1.5.3 linking it to the updated libotr 3.2.1 framework (which I built by updating the scripts in the Dependencies directory and then copying the framework over) just to see if it caused any problems. For what it's worth, it seems to work fine.