[Secure-testing-team] Bug#673154: CVE-2012-2369: Format string security vulnerability
Jonathan Wiltshire
jmw at debian.org
Wed May 16 13:56:45 UTC 2012
Package: pidgin-otr
Version: 3.2.0-5
Severity: serious
Tags: security upstream patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pidgin-otr.
CVE-2012-2369[0]:
| Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
| string security flaw. This flaw could potentially be exploited by
| a remote attacker to cause arbitrary code to be executed on the user's
| machine.
Upstream's patch:
--- a/otr-plugin.c
+++ b/otr-plugin.c
@@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext *conte
static void log_message_cb(void *opdata, const char *message)
{
- purple_debug_info("otr", message);
+ purple_debug_info("otr", "%s", message);
}
static int max_message_size_cb(void *opdata, ConnContext *context)
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
I will shortly prepare an update for stable unless you wish to.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369
http://security-tracker.debian.org/tracker/CVE-2012-2369
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
More information about the Secure-testing-team
mailing list