[OTR-users] libotr/pidgin-otr 4.0.0 "beta2" release and win32 build
Ian Goldberg
ian at cypherpunks.ca
Fri Jun 22 22:27:33 EDT 2012
On Fri, Jun 22, 2012 at 05:00:32PM -0700, Jacob Appelbaum wrote:
> On 06/21/2012 03:00 PM, Ian Goldberg wrote:
> > Thanks for all of your feedback on 4.0.0-beta1! We've built a beta2
> > in the usual place:
> >
> > http://otr.cypherpunks.ca/libotr-4.0.0-beta2.tar.gz
> > http://otr.cypherpunks.ca/libotr-4.0.0-beta2.tar.gz.asc
> >
> > http://otr.cypherpunks.ca/pidgin-otr-4.0.0-beta2.tar.gz
> > http://otr.cypherpunks.ca/pidgin-otr-4.0.0-beta2.tar.gz.asc
> >
> > http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.0-0-beta2.exe
> > http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.0-0-beta2.exe.asc
> >
> > http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.0-beta2.zip
> > http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.0-beta2.zip.asc
> >
> > This is still not for production use, but we'd love more feedback,
> > notices of weird behaviours, or crash reports.
>
> I'd like to suggest that you take the gcc/compiler hardening code from
> Tor's autoconf - I think you need it on by default and it's rather well
> tested now for all of the major platforms:
>
> https://gitweb.torproject.org/tor.git/blob/f96f319b9e9fba5ff52eba2daec2247080f268ee:/configure.in#l557
Jake, as you say in your subsequent email, we'd love to see a patch to
this effect. Paul, we'd also like your opinion on it before we'd merge
it.
> > As before:
> >
> > Translators: We would appreciate your help with updating the pidgin-otr
> > translations. There are a few new strings, mostly regarding the support for
> > multiple OTR sessions with the same buddy. Please send us your updated
> > .po files as soon as possible, so we can include them in the 4.0.0
> > release.
>
> As a minor note of caution, I've noticed that this version of OTR uses
> gnu gettext's _() function with a lot of format strings. I'm sure this
> is old news but this can be dangerous. If your translators are hostile,
> and do not correctly include format strings, you'll have some security
> issues.
Yup, I'm aware, and I've been checking the .po files for this, albeit
manually.
> If possible, I'd suggest a unit test or two to ensure that all .po files
> have matching format strings for every translation. msgfmt can do a
> check of the type and number of arguments passed around.
Ah! I didn't know that about msgfmt! Fantastic. I've run it on the
.po files we have, and indeed it caught a couple of errors. Thanks so
much! We'll definitely make it a standard part of integrating .po files
from now on.
> A few years ago, I found a strcpy that had a static string being copied
> into a static buffer. In theory, it's fine and in practice, the static
> string was inside of _() and so, a hostile translator could smash the
> stack. Obviously this is a wacky corner case but it's something to consider.
>
> It's not totally unlike this code:
>
> gtk-dialog.c: strcpy(our_hash, _("[none]"));
>
> I think that a 46 byte translation for "[none]" would cause you some
> issues. I have some private code that I wrote to demonstrate how one
> could exploit/mess around with this stuff, if it's of interest, I'll
> share it with you guys.
Good catch. I'd fixed this in other places, but had missed this one.
Fixed in git (along with the above .po issues).
> Additionally, I have some audit notes from the last stable release of
> libotr/pidgin-otr on an old disk, I'll try to dig it up and send it
> over. Nothing major, obviously.
Yes, please. ;-)
Thanks for your help!
- Ian
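The over-long-translation case discussed above, as an added example that is not libotr/pidgin-otr code: a bounded replacement for the `strcpy(our_hash, _("[none]"))` line, with a constructed stand-in for gettext's `_()` that hands back a 46-byte "[none]", and an assumed 45-byte `our_hash` buffer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for gettext's _(): "translates" "[none]" into a
 * deliberately over-long 46-byte string (a careless or hostile .po entry);
 * every other msgid is returned unchanged. */
static const char *fake_gettext(const char *msgid) {
    static char long_none[64];
    if (strcmp(msgid, "[none]") != 0) return msgid;
    memset(long_none, 'A', 46);
    long_none[46] = '\0';
    return long_none;
}

/* Bounded replacement for strcpy(dst, _(msgid)): copies at most dstsz-1
 * bytes, always NUL-terminates, and returns false when the translation
 * had to be truncated so the caller can log it instead of overflowing. */
static bool copy_translation(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0) return false;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);
    return true;
}

/* The gtk-dialog.c line rewritten with the bounded copy. */
static bool fill_hash_with_none(char *our_hash, size_t len) {
    return copy_translation(our_hash, len, fake_gettext("[none]"));
}

/* For checking the bound: resulting length of our_hash after copying into
 * a buffer of buflen bytes (capped at 64 so the local cannot overflow). */
static size_t none_len_in_buffer(size_t buflen) {
    char buf[64];
    if (buflen > sizeof buf) buflen = sizeof buf;
    fill_hash_with_none(buf, buflen);
    return strlen(buf);
}

int main(void) {
    char our_hash[45];  /* assumed size of the original fixed buffer */
    bool fit = fill_hash_with_none(our_hash, sizeof our_hash);
    printf("fit=%d len=%zu\n", fit, strlen(our_hash));
    return 0;
}
```

With the 45-byte buffer the 46-byte translation is cut to 44 characters plus the terminator and the caller is told it did not fit; msgfmt's format check catches the `%`-specifier variant of the same problem but not this length one.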