[OTR-users] libotr/pidgin-otr 4.0.0 "beta2" release and win32 build

Jacob Appelbaum jacob at appelbaum.net
Fri Jun 22 20:00:32 EDT 2012


On 06/21/2012 03:00 PM, Ian Goldberg wrote:
> Thanks for all of your feedback on 4.0.0-beta1!  We've built a beta2
> in the usual place:
> 
> http://otr.cypherpunks.ca/libotr-4.0.0-beta2.tar.gz
> http://otr.cypherpunks.ca/libotr-4.0.0-beta2.tar.gz.asc
> 
> http://otr.cypherpunks.ca/pidgin-otr-4.0.0-beta2.tar.gz
> http://otr.cypherpunks.ca/pidgin-otr-4.0.0-beta2.tar.gz.asc
> 
> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.0-0-beta2.exe
> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.0-0-beta2.exe.asc
> 
> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.0-beta2.zip
> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.0-beta2.zip.asc
> 
> This is still not for production use, but we'd love more feedback,
> notices of weird behaviours, or crash reports.

I'd like to suggest that you take the gcc/compiler hardening code from
Tor's autoconf - I think you need it on by default and it's rather well
tested now for all of the major platforms:

https://gitweb.torproject.org/tor.git/blob/f96f319b9e9fba5ff52eba2daec2247080f268ee:/configure.in#l557

> 
> As before:
> 
> Translators: We would appreciate your help with updating the pidgin-otr
> translations. There are a few new strings, mostly regarding the support for
> multiple OTR sessions with the same buddy.  Please send us your updated
> .po files as soon as possible, so we can include them in the 4.0.0
> release.

As a minor note of caution, I've noticed that this version of OTR uses
GNU gettext's _() function with a lot of format strings. I'm sure this
is old news, but this can be dangerous. If your translators are hostile
and do not correctly include format strings, you'll have some security
issues.

If possible, I'd suggest a unit test or two to ensure that all .po files
have matching format strings for every translation. msgfmt can do a
check of the type and number of arguments passed around.

A few years ago, I found a strcpy that had a static string being copied
into a static buffer. In theory it's fine, and in practice the static
string was inside of _(), and so a hostile translator could smash the
stack. Obviously this is a wacky corner case, but it's something to consider.

It's not totally unlike this code:

  gtk-dialog.c:    strcpy(our_hash, _("[none]"));


I think that a 46 byte translation for "[none]" would cause you some
issues. I have some private code that I wrote to demonstrate how one
could exploit/mess around with this stuff; if it's of interest, I'll
share it with you guys.

Additionally, I have some audit notes from the last stable release of
libotr/pidgin-otr on an old disk; I'll try to dig them up and send them
over. Nothing major, obviously.

All the best,
Jake
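The two checks the mail suggests, as an added example that is not part of the original post or of libotr/pidgin-otr: every msgstr must carry the same printf directives as its msgid, and a translation the C code copies into a fixed buffer must leave room for the NUL. The .po text, the `byte_budget` parameter and the assumed 45-byte buffer for "[none]" are constructed for the demo; in a real build the authoritative check is `msgfmt --check-format`, which this script only approximates (it compares conversion characters, not length modifiers).

```python
# Added example (not libotr/pidgin-otr code); the .po text and buffer size are constructed.
import re

DIRECTIVE = re.compile(r"%(?:\d+\$)?[-+ #0']*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
                       r"(?:hh|h|ll|l|L|q|j|z|t)?([diouxXeEfFgGaAcspn%])")

def directives(s):
    """Conversion characters of s in order (approximate C99 grammar), ignoring '%%'."""
    return [m.group(1) for m in DIRECTIVE.finditer(s) if m.group(1) != "%"]

def parse_po(text):
    """Minimal .po reader -> {msgid: msgstr}; joins continuation lines, skips comments/header."""
    entries, cur, key = {}, {"msgid": "", "msgstr": ""}, None
    for line in text.splitlines() + [""]:          # trailing "" flushes the last entry
        line = line.strip()
        if not line:
            if cur["msgid"]:                       # the header entry has msgid ""
                entries[cur["msgid"]] = cur["msgstr"]
            cur, key = {"msgid": "", "msgstr": ""}, None
        elif line.startswith("msgid ") or line.startswith("msgstr "):
            key = line.split(" ", 1)[0]
            cur[key] = line[line.index('"') + 1:line.rindex('"')]
        elif line.startswith('"') and key:         # continuation of the current string
            cur[key] += line[1:line.rindex('"')]
        elif line[0].isalpha():                    # msgctxt, msgid_plural, msgstr[n]: unsupported
            key = None
    return entries

def check_po(text, byte_budget=None):
    """byte_budget (hypothetical): msgid -> size of the fixed buffer the C code strcpy()s it into."""
    findings = []
    for msgid, msgstr in parse_po(text).items():
        want, got = directives(msgid), directives(msgstr)
        if msgstr and want != got:                 # missing, extra or reordered directives
            findings.append(("format-mismatch", msgid, want, got))
        size, n = (byte_budget or {}).get(msgid), len(msgstr.encode())
        if size is not None and n + 1 > size:      # strcpy also writes the terminating NUL
            findings.append(("too-long", msgid, size, n))
    return findings

SAMPLE_PO = r'''
msgid "Fingerprint for %s: %s"
msgstr "Empreinte pour %s : %s"

msgid "%s has ended the private conversation"
msgstr "La conversation privée a été terminée"

msgid "[none]"
msgstr "[aucune empreinte disponible pour ce correspondant]"
'''
```

Running `check_po(SAMPLE_PO, {"[none]": 45})` reports the dropped `%s` in the second entry and the 51-byte "[none]" translation that would not fit a 45-byte buffer, while the first entry passes.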
