Your message dated Sun, 20 May 2012 18:36:40 +0000
with message-id <e1swazg-0003tx...@franck.debian.org>
and subject line Bug#673154: fixed in pidgin-otr 3.2.0-5+squeeze1
has caused the Debian Bug report #673154,
regarding CVE-2012-2369: Format string security vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
673154: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673154
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pidgin-otr
Version: 3.2.0-5
Severity: serious
Tags: security upstream patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pidgin-otr.

CVE-2012-2369[0]:
| Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
| string security flaw.  This flaw could potentially be exploited by
| a remote attacker to cause arbitrary code to be executed on the user's
| machine.

Upstream's patch:

--- a/otr-plugin.c
+++ b/otr-plugin.c
@@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext *conte
 
 static void log_message_cb(void *opdata, const char *message)
 {
-    purple_debug_info("otr", message);
+    purple_debug_info("otr", "%s", message);
 }
 
 static int max_message_size_cb(void *opdata, ConnContext *context)
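Review bot: the change to `purple_debug_info("otr", "%s", message)` is the right fix, but the hunk only covers log_message_cb; any other call in otr-plugin.c that passes a non-literal string as the format argument to the purple_debug_* family has the same defect, so the upload should be accompanied by an audit of those call sites (building with `-Wformat-security` is the cheap way to find them) rather than relying on this one-line patch alone.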

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

I will shortly prepare an update for stable unless you wish to.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369
    http://security-tracker.debian.org/tracker/CVE-2012-2369


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
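The following is an added example, not code from the bug report or from pidgin-otr, showing the mechanism behind the CVE described above: the peer's message is handed to a printf-style logger as the format string, so any `%` directive in it is parsed rather than printed, while the patched `"%s"` form treats it as data. `debug_log` is an assumed stand-in for purple_debug_info(); the sample message is constructed and uses only `%%`, since other directives without matching arguments are undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for purple_debug_info(): a printf-style logger that
 * writes into a buffer instead of the Pidgin debug window. */
static void debug_log(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, len, fmt, ap);
    va_end(ap);
}

static char scratch[128];

/* Pre-patch pattern: the message itself is the format string, so the
 * logger interprets every '%' directive the remote peer put in it. */
const char *render_vulnerable(const char *message)
{
    debug_log(scratch, sizeof scratch, message);
    return scratch;
}

/* Post-patch pattern: a literal format, the message is only an argument. */
const char *render_fixed(const char *message)
{
    debug_log(scratch, sizeof scratch, "%s", message);
    return scratch;
}

/* Detection aid: count unescaped '%' directives in text about to be logged.
 * A non-zero count on attacker-controlled text is exactly the input that
 * made the vulnerable pattern dangerous; "%%" is the only benign case. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; } /* escaped percent sign */
        n++;
    }
    return n;
}

int main(void)
{
    const char *msg = "progress 100%% (constructed peer text)";
    printf("vulnerable: %s\n", render_vulnerable(msg)); /* "100%" */
    printf("fixed:      %s\n", render_fixed(msg));      /* "100%%" */
    printf("directives in \"%%s and %%d\": %d\n", count_format_directives("%s and %d"));
    return 0;
}
```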
--- Begin Message ---
Source: pidgin-otr
Source-Version: 3.2.0-5+squeeze1

We believe that the bug you reported is fixed in the latest version of
pidgin-otr, which is due to be installed in the Debian FTP archive:

pidgin-otr_3.2.0-5+squeeze1.diff.gz
  to main/p/pidgin-otr/pidgin-otr_3.2.0-5+squeeze1.diff.gz
pidgin-otr_3.2.0-5+squeeze1.dsc
  to main/p/pidgin-otr/pidgin-otr_3.2.0-5+squeeze1.dsc
pidgin-otr_3.2.0-5+squeeze1_amd64.deb
  to main/p/pidgin-otr/pidgin-otr_3.2.0-5+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 673...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated pidgin-otr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Sat, 19 May 2012 17:46:00 +0100
Source: pidgin-otr
Binary: pidgin-otr
Architecture: source amd64
Version: 3.2.0-5+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Thibaut VARENE <vare...@debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description: 
 pidgin-otr - Off-the-Record Messaging plugin for pidgin
Closes: 673154
Changes: 
 pidgin-otr (3.2.0-5+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2012-2369: Fix format vulnerability in log messages
     (Closes: #673154)

--- End Message ---