CVE-2012-2369: Format string security vulnerability

Bug #1000363 reported by Felix Geyer
This bug affects 4 people
Affects                Status        Importance  Assigned to  Milestone
pidgin-otr (Debian)    Fix Released  Unknown
pidgin-otr (Ubuntu)    Fix Released  High        Unassigned
  Lucid                Fix Released  Undecided   Unassigned
  Natty                Fix Released  Undecided   Unassigned
  Oneiric              Fix Released  Undecided   Unassigned
  Precise              Fix Released  Undecided   Unassigned
  Quantal              Fix Released  High        Unassigned

Bug Description

The following CVE (Common Vulnerabilities & Exposures) id was
published for pidgin-otr.

CVE-2012-2369[0]:
| Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
| string security flaw. This flaw could potentially be exploited by
| a remote attacker to cause arbitrary code to be executed on the user's
| machine.

Felix Geyer (debfx)
visibility: private → public
Changed in pidgin-otr (Debian):
status: Unknown → Confirmed
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pidgin-otr (Ubuntu Lucid):
status: New → Confirmed
Changed in pidgin-otr (Ubuntu Natty):
status: New → Confirmed
Changed in pidgin-otr (Ubuntu Oneiric):
status: New → Confirmed
Changed in pidgin-otr (Ubuntu Precise):
status: New → Confirmed
Changed in pidgin-otr (Ubuntu):
status: New → Confirmed
Felix Geyer (debfx) wrote :

I'm attaching a debdiff for precise, but lucid - oneiric have the exact same package version.
I have checked (with -Werror=format-security) that there are no other format string issues.

pidgin-otr (3.2.0-5ubuntu0.12.04.1) precise; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #1000363)
    - otr-plugin.c: patch from upstream
    - CVE-2012-2369

 -- Felix Geyer <email address hidden> Wed, 16 May 2012 20:59:11 +0200

Simon Déziel (sdeziel) wrote :

Maybe it would be worth enabling the hardening-wrapper too? I did a test build and the hardened package works well. Is this something that is worth sending to Ubuntu/Debian?

Kees Cook (kees) wrote :

Ubuntu already builds by default with everything except PIE (and bindnow) from hardening-wrapper. Since it's a shared library (plugin), adding PIE wouldn't change anything.

https://wiki.ubuntu.com/Security/Features#fortify-source
https://wiki.ubuntu.com/ToolChain/CompilerFlags

$ hardening-check /usr/lib/pidgin/pidgin-otr.so
/usr/lib/pidgin/pidgin-otr.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!

Simon Déziel (sdeziel) wrote :

Having -Werror=format-security would have caught this early but I assume it's not part of the default build options for good reasons (too many packages would break?). Thanks for the clarifications Kees, that indeed reduces the benefit of using hardening-wrapper.

Felix Geyer (debfx) wrote :

This bug was fixed in the package pidgin-otr - 3.2.1-1

---------------
pidgin-otr (3.2.1-1) unstable; urgency=critical

  * New upstream release
  * Fix for CVE-2012-2369
  * Clean lintian warnings

 -- Thibaut VARENE <email address hidden> Mon, 14 May 2012 21:31:23 +0200

Changed in pidgin-otr (Ubuntu):
status: Confirmed → Fix Released
Felix Geyer (debfx) wrote :

-Werror=format-security is a default flag of dpkg-buildflags but unfortunately not all packages use that yet.
I have filed Debian bug #673184 to fix that in pidgin-otr.

Steve Beattie (sbeattie) wrote :

Felix, thanks for the debdiff, it looks good. I adjusted it to target precise-security and also applied it back through lucid, and will publish it shortly. Also to clarify what Kees pointed out, because it was compiled with fortify source (see https://wiki.ubuntu.com/Security/Features#fortify-source), the issue is most likely limited to an information disclosure or denial of service attack.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin-otr - 3.2.0-5ubuntu0.12.04.1

---------------
pidgin-otr (3.2.0-5ubuntu0.12.04.1) precise-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #1000363)
    - otr-plugin.c: patch from upstream
    - CVE-2012-2369
 -- Felix Geyer <email address hidden> Wed, 16 May 2012 20:59:11 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin-otr - 3.2.0-5ubuntu0.11.10.1

---------------
pidgin-otr (3.2.0-5ubuntu0.11.10.1) oneiric-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #1000363)
    - otr-plugin.c: patch from upstream
    - CVE-2012-2369
 -- Felix Geyer <email address hidden> Wed, 16 May 2012 21:16:05 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin-otr - 3.2.0-5ubuntu0.11.04.1

---------------
pidgin-otr (3.2.0-5ubuntu0.11.04.1) natty-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #1000363)
    - otr-plugin.c: patch from upstream
    - CVE-2012-2369
 -- Felix Geyer <email address hidden> Wed, 16 May 2012 20:59:11 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin-otr - 3.2.0-5ubuntu0.10.04.1

---------------
pidgin-otr (3.2.0-5ubuntu0.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: format string vulnerability (LP: #1000363)
    - otr-plugin.c: patch from upstream
    - CVE-2012-2369
 -- Felix Geyer <email address hidden> Wed, 16 May 2012 20:59:11 +0200

Changed in pidgin-otr (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in pidgin-otr (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in pidgin-otr (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in pidgin-otr (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in pidgin-otr (Debian):
status: Confirmed → Fix Released