Secure testing team - May 2012 - Bug#673154: CVE-2012-2369: Format string security vulnerability

Package: pidgin-otr
Version: 3.2.0-5
Severity: serious
Tags: security upstream patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pidgin-otr.

CVE-2012-2369[0]:
| Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
| string security flaw.  This flaw could potentially be exploited by
| a remote attacker to cause arbitrary code to be executed on the
user''s
| machine.

Upstream''s patch:

--- a/otr-plugin.c
+++ b/otr-plugin.c
@@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext *conte
 
 static void log_message_cb(void *opdata, const char *message)
 {
-    purple_debug_info("otr", message);
+    purple_debug_info("otr", "%s", message);
 }
 
 static int max_message_size_cb(void *opdata, ConnContext *context)

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

I will shortly prepare an update for stable unless you wish to.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369
    http://security-tracker.debian.org/tracker/CVE-2012-2369


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, ''unstable''), (500,
''testing''), (500, ''stable''), (1,
''experimental'')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash