Adium

Opened 4 years ago

Closed 4 years ago

#16122 closed defect (fixed)

OTR: address recent heap overflow vulnerabilities in libotr (CVE-2012-3461)

Reported by: fristle
Owned by: sphynx
Milestone: Adium 1.5.4
Component: Adium Core
Version: 1.5.3
Severity: major
Keywords: OTR
Cc:
Patch Status:

Description

Summary

Versions 3.2.0 and earlier of libotr contain a couple of heap buffer overrun vulnerabilities, as reported in CVE-2012-3461.

As far as I can tell, these vulnerabilities are present in Adium 1.5.3, based on looking at the latest source code release and the fact that it is apparently linked to libotr 3.2.0. For some reason (outdated build scripts?) it appears as version 2.2.0 in the app bundle, even though it is definitely building from 3.2.0 sources.

Steps to reproduce

n/a. Also, no exploit code is publicly available yet, to my knowledge.

Expected results

I expected Adium to have been rebuilt against the patched version of libotr (version 3.2.1).

Actual results

I saw that it is still linked against the vulnerable libotr version 3.2.0.

Regression

The flaw was patched and released in libotr 3.2.1 on August 14th. This is what I found for the diff: http://old.nabble.com/SECURITY-patch-for-security-libotr-td34289285.html

Notes

I built Adium 1.5.3 linking it to the updated libotr 3.2.1 framework (which I built by updating the scripts in the Dependencies directory and then copying the framework over) just to see if it caused any problems. For what it's worth, it seems to work fine.

Change History (4)

comment:1 Changed 4 years ago by Robby

  • Milestone set to Adium 1.5.4

comment:2 Changed 4 years ago by sphynx

  • Owner set to sphynx
  • Status changed from new to assigned

comment:3 Changed 4 years ago by Robby

  • Severity changed from normal to major

comment:4 Changed 4 years ago by Thijs Alkemade <thijsalkemade@…>

  • Resolution set to fixed
  • Status changed from assigned to closed

(In f2c1839e0ee1) Updated libotr to 3.2.1, fixing a security vulnerability.

This was all built using Homebrew (https://github.com/xnyhps/homebrew). It seems that before, libgcrypt and libgpg-error were linked statically into libotr; these are now separate frameworks.

Fixes #16122
