[OTR-users] libotr/pidgin-otr 4.0.0 "beta2" release and win32 build
Jacob Appelbaum
jacob at appelbaum.net
Fri Jun 22 22:50:44 EDT 2012
On 06/22/2012 07:27 PM, Ian Goldberg wrote:
> On Fri, Jun 22, 2012 at 05:00:32PM -0700, Jacob Appelbaum wrote:
>> On 06/21/2012 03:00 PM, Ian Goldberg wrote:
>>> Thanks for all of your feedback on 4.0.0-beta1! We've built a beta2
>>> in the usual place:
>>>
>>> http://otr.cypherpunks.ca/libotr-4.0.0-beta2.tar.gz
>>> http://otr.cypherpunks.ca/libotr-4.0.0-beta2.tar.gz.asc
>>>
>>> http://otr.cypherpunks.ca/pidgin-otr-4.0.0-beta2.tar.gz
>>> http://otr.cypherpunks.ca/pidgin-otr-4.0.0-beta2.tar.gz.asc
>>>
>>> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.0-0-beta2.exe
>>> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.0-0-beta2.exe.asc
>>>
>>> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.0-beta2.zip
>>> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.0-beta2.zip.asc
>>>
>>> This is still not for production use, but we'd love more feedback,
>>> notices of weird behaviours, or crash reports.
>>
>> I'd like to suggest that you take the gcc/compiler hardening code from
>> Tor's autoconf - I think you need it on by default and it's rather well
>> tested now for all of the major platforms:
>>
>> https://gitweb.torproject.org/tor.git/blob/f96f319b9e9fba5ff52eba2daec2247080f268ee:/configure.in#l557
>
> Jake, as you say in your subsequent email, we'd love to see a patch to
> this effect. Paul, we'd also like your opinion on it before we'd merge
> it.
I'll hack something up - is there a git repo that I can easily clone or
should I base my patches on pidgin-otr-4.0.0-beta2.tar.gz?
>
>>> As before:
>>>
>>> Translators: We would appreciate your help with updating the pidgin-otr
>>> translations. There are a few new strings, mostly regarding the support for
>>> multiple OTR sessions with the same buddy. Please send us your updated
>>> .po files as soon as possible, so we can include them in the 4.0.0
>>> release.
>>
>> As a minor note of caution, I've noticed that this version of OTR uses
>> gnu gettext's _() function with a lot of format strings. I'm sure this
>> is old news but this can be dangerous. If your translators are hostile,
>> and do not correctly include format strings, you'll have some security
>> issues.
>
> Yup, I'm aware, and I've been checking the .po files for this, albeit
> manually.
It seems like gettext is hilariously dangerous at times. I'm glad you're
aware - I sorta expected it would be old news for you...
>
>> If possible, I'd suggest a unit test or two to ensure that all .po files
>> have matching format strings for every translation. msgfmt can do a
>> check of the type and number of arguments passed around.
>
> Ah! I didn't know that about msgfmt! Fantastic. I've run it on the
> .po files we have, and indeed it caught a couple of errors. Thanks so
> much! We'll definitely make it a standard part of integrating .po files
> from now on.
Great!
Is there a plan to integrate that into the Makefile? I assume you're
using '-c' or perhaps '--check-format' in your checks?
>
>> A few years ago, I found a strcpy that had a static string being copied
>> into a static buffer. In theory, it's fine and in practice, the static
>> string was inside of _() and so, a hostile translator could smash the
>> stack. Obviously this is a wacky corner case but it's something to consider.
>>
>> It's not totally unlike this code:
>>
>> gtk-dialog.c: strcpy(our_hash, _("[none]"));
>>
>>
>> I think that a 46 byte translation for "[none]" would cause you some
>> issues. I have some private code that I wrote to demonstrate how one
>> could exploit/mess around with this stuff, if it's of interest, I'll
>> share it with you guys.
>
> Good catch. I'd fixed this in other places, but had missed this one.
> Fixed in git (along with the above .po issues).
>
Neato.
>> Additionally, I have some audit notes from the last stable release of
>> libotr/pidgin-otr on an old disk, I'll try to dig it up and send it
>> over. Nothing major, obviously.
>
> Yes, please. ;-)
Ok - it will take me a bit - I have to fly to another country for that
backup... ;-)
>
> Thanks for your help!
>
Sure! Thanks for making OTR! It's great!
All the best,
Jake
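The two hazards raised in this thread, a translation whose printf directives do not match the original's and a translation too long for the fixed buffer it is strcpy'd into, as an added C example that is not part of the thread or of libotr/pidgin-otr. The catalogue, the `translate()` stand-in for gettext's `_()`, the 45-byte `our_hash` size and all function names are constructed for the illustration; `extract_specs`/`format_specs_match` reimplement in miniature the argument check the thread credits to `msgfmt --check-format`, and `copy_translated` is a bounded replacement for the quoted `strcpy(our_hash, _("[none]"))`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a gettext catalogue: each entry pairs a msgid from
 * the program with the msgstr a translator supplied. No real .po file is read. */
struct catalog_entry { const char *msgid; const char *msgstr; };

static const struct catalog_entry CATALOG[] = {
    /* Hostile translation: it has no format directives, so a format check
     * passes it, but it is far longer than "[none]". */
    { "[none]",                 "[none-but-this-translation-is-46-bytes-long!!]" },
    { "Fingerprint for %s: %s", "Empreinte de %s : %s" },   /* consistent */
    { "Unverified %s",          "Non verifie %s %s" },      /* extra %s */
    { "%d messages",            "%s messages" },            /* wrong type */
};
#define CATALOG_LEN (sizeof CATALOG / sizeof CATALOG[0])

/* Hypothetical stand-in for _(): the msgstr, or msgid itself if untranslated. */
static const char *translate(const char *msgid)
{
    for (size_t i = 0; i < CATALOG_LEN; i++)
        if (strcmp(CATALOG[i].msgid, msgid) == 0)
            return CATALOG[i].msgstr;
    return msgid;
}

/* Collect the conversion character of every printf directive in fmt
 * ("%5.2f" -> 'f'; "%%" is ignored). Returns the number of directives;
 * out receives them as a string, truncated if outlen (> 0) is too small. */
static size_t extract_specs(const char *fmt, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            break;
        if (*p == '%')
            continue;                         /* literal percent sign */
        /* skip flags, width, precision, positional "$" and length modifiers */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;
        if (n + 1 < outlen)
            out[n] = *p;
        n++;
    }
    out[n < outlen ? n : outlen - 1] = '\0';
    return n;
}

/* The check msgfmt --check-format performs, in miniature: the translation must
 * consume exactly the arguments the original does, in the same order. */
static bool format_specs_match(const char *msgid, const char *msgstr)
{
    char a[32], b[32];
    size_t na = extract_specs(msgid, a, sizeof a);
    size_t nb = extract_specs(msgstr, b, sizeof b);
    if (na >= sizeof a || nb >= sizeof b)
        return false;                         /* too many directives to compare */
    return na == nb && strcmp(a, b) == 0;
}

/* Run the check over the whole catalogue; returns how many entries fail. */
static int check_catalog(void)
{
    int bad = 0;
    for (size_t i = 0; i < CATALOG_LEN; i++) {
        if (!format_specs_match(CATALOG[i].msgid, CATALOG[i].msgstr)) {
            fprintf(stderr, "format mismatch: \"%s\" -> \"%s\"\n",
                    CATALOG[i].msgid, CATALOG[i].msgstr);
            bad++;
        }
    }
    return bad;
}

/* Bounded replacement for strcpy(our_hash, _("[none]")): a translation that does
 * not fit is truncated to dstlen - 1 bytes and reported via the return value,
 * never written past the buffer. The translation is passed as an argument to
 * snprintf, not as its format string. */
static bool copy_translated(char *dst, size_t dstlen, const char *msgid)
{
    const char *s = translate(msgid);
    if (dstlen == 0)
        return false;
    snprintf(dst, dstlen, "%s", s);
    return strlen(s) < dstlen;
}

/* Convenience: does the translation of msgid fit a buffer of dstlen bytes?
 * (Uses a local 128-byte scratch buffer; larger dstlen values are clamped.) */
static bool translation_fits(const char *msgid, size_t dstlen)
{
    char scratch[128];
    if (dstlen > sizeof scratch)
        dstlen = sizeof scratch;
    return copy_translated(scratch, dstlen, msgid);
}

int main(void)
{
    char our_hash[45];   /* constructed size: room for a 44-character fingerprint */
    int bad = check_catalog();
    printf("%d catalogue entries with mismatched format directives\n", bad);
    if (!copy_translated(our_hash, sizeof our_hash, "[none]"))
        printf("translation of \"[none]\" did not fit; truncated to \"%s\"\n", our_hash);
    return bad ? 1 : 0;
}
```

Note that the oversized "[none]" entry sails through the directive comparison, which is exactly why the format check and the bounded copy are separate defences: `msgfmt -c` (which bundles `--check-format` with the header and domain checks) only reasons about arguments, not about how many bytes a translation will occupy once it reaches a fixed-size buffer.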