[OTR-announce] New releases of libotr (4.1.1) and pidgin-otr (4.0.2) available
Ian Goldberg
ian at cypherpunks.ca
Wed Mar 9 13:01:41 EST 2016
Security update: libotr version 4.1.1
Versions 4.1.0 and earlier of libotr in 64-bit builds contain an integer
overflow security flaw. This flaw could potentially be exploited by a
remote attacker to cause a heap buffer overflow and subsequently for
arbitrary code to be executed on the user's machine.
CVE-2016-2851 has been assigned to this issue.
Please upgrade to libotr version 4.1.1 immediately.
Users of libotr packages in Linux and *BSD distributions should see
updated packages shortly.
This security release includes the following updates:
- Fix an integer overflow bug that can cause a heap buffer overflow
  (and from there remote code execution) on 64-bit platforms
- Fix possible free() of an uninitialized pointer
- Be stricter about parsing v3 fragments
- Add a testsuite ("make check" to run it), but only on Linux for now,
  since it uses Linux-specific features such as epoll
- Fix a memory leak when reading a malformed instance tag file
- Protocol documentation clarifications
pidgin-otr version 4.0.2 released
This point release includes the following updates:
- Fix use-after-free issue during SMP
- Updated Spanish, German, Norwegian Bokmål translations
- New Danish translation
- The Windows binary has been linked with updated versions of libotr,
  libgcrypt, libgpg-error, and other supporting libraries
Thanks,
- Ian