Versions 3.2.0 and earlier of the pidgin-otr plugin contain

a format string security flaw. This flaw could potentially be exploited by a remote attacker to cause arbitrary code to be executed on the user's machine. The flaw is in pidgin-otr, not in libotr. Other applications that use libotr are not affected.
svn path=/head/; revision=296796
2025-01-26 09:46:09 +00:00 · 2012-05-16 19:41:27 +00:00 · 2012-05-16 19:41:27 +00:00 · 7285041980 · 2021-03-31 03:12:20 +00:00
commit 7285041980
parent 9b8fb5e74e
4 changed files with 40 additions and 6 deletions
--- a/security/pidgin-otr/Makefile
+++ b/security/pidgin-otr/Makefile
@ -7,10 +7,9 @@
 #

 PORTNAME=	otr
-PORTVERSION=	3.2.0
+PORTVERSION=	3.2.1
 # Please do not bump PORTREVISION for this port unless you have
 # confirmed via testing that it is necessary
-PORTREVISION=	7
 CATEGORIES=	security net
 MASTER_SITES=	http://www.cypherpunks.ca/otr/ \
 		http://dougbarton.us/Downloads/
--- a/security/pidgin-otr/distinfo
+++ b/security/pidgin-otr/distinfo
@ -1,4 +1,4 @@
-SHA256 (pidgin-otr-3.2.0.tar.gz) = 0870858b06d90cb522b93a354435f7645a9e28cff2d4bae929a6455d4cd1e6b2
-SIZE (pidgin-otr-3.2.0.tar.gz) = 435146
-SHA256 (pidgin-otr-3.2.0.tar.gz.asc) = f57ee77b18b563e8d341bcc87376faac36107b797b4c17276835de45602f5867
-SIZE (pidgin-otr-3.2.0.tar.gz.asc) = 191
+SHA256 (pidgin-otr-3.2.1.tar.gz) = ce17e9769e3853076d80645adafaa866e7d7188f988d28a9793afc32c85cb979
+SIZE (pidgin-otr-3.2.1.tar.gz) = 409238
+SHA256 (pidgin-otr-3.2.1.tar.gz.asc) = 628d230599deec294f56e3c03764fb00316b61e8cea7a07a1d5ea1249be1a8b5
+SIZE (pidgin-otr-3.2.1.tar.gz.asc) = 190
--- a/security/pidgin-otr/pkg-plist
+++ b/security/pidgin-otr/pkg-plist
@ -4,8 +4,12 @@ share/locale/ar/LC_MESSAGES/pidgin-otr.mo
 share/locale/de/LC_MESSAGES/pidgin-otr.mo
 share/locale/es/LC_MESSAGES/pidgin-otr.mo
 share/locale/fr/LC_MESSAGES/pidgin-otr.mo
+share/locale/it/LC_MESSAGES/pidgin-otr.mo
 share/locale/hu/LC_MESSAGES/pidgin-otr.mo
 share/locale/nl/LC_MESSAGES/pidgin-otr.mo
+share/locale/pl/LC_MESSAGES/pidgin-otr.mo
 share/locale/ru/LC_MESSAGES/pidgin-otr.mo
 share/locale/sk/LC_MESSAGES/pidgin-otr.mo
+share/locale/sv/LC_MESSAGES/pidgin-otr.mo
+share/locale/vi/LC_MESSAGES/pidgin-otr.mo
@dirrmtry lib/pidgin
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@ -52,6 +52,37 @@ Note:  Please add new entries to the beginning of this file.

 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="aa71daaa-9f8c-11e1-bd0a-0082a0c18826">
+    <topic>pidgin-otr -- format string vulnerability</topic>
+    <affects>
+      <package>
+	<name>pidgin-otr</name>
+	<range><lt>3.2.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The authors report:</p>
+	<blockquote cite="http://www.cypherpunks.ca/otr/">
+	  <p>Versions 3.2.0 and earlier of the pidgin-otr plugin contain
+	    a format string security flaw. This flaw could potentially be
+	    exploited by a remote attacker to cause arbitrary code to be
+	    executed on the user's machine.</p>
+	  <p>The flaw is in pidgin-otr, not in libotr. Other applications
+	    that use libotr are not affected.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2012-2369</cvename>
+      <url>http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2369</url>
+    </references>
+    <dates>
+      <discovery>2012-05-16</discovery>
+      <entry>2012-05-16</entry>
+    </dates>
+  </vuln>
+
  <vuln vid="b3435b68-9ee8-11e1-997c-002354ed89bc">
    <topic>sudo -- netmask vulnerability</topic>
    <affects>