[OTR-users] New releases of libotr (4.1.1) and pidgin-otr (4.0.2) available

Ian Goldberg ian at cypherpunks.ca
Wed Mar 9 13:01:41 EST 2016

Security update: libotr version 4.1.1

Versions 4.1.0 and earlier of libotr in 64-bit builds contain an integer
overflow security flaw. This flaw could potentially be exploited by a
remote attacker to cause a heap buffer overflow and subsequently for
arbitrary code to be executed on the user's machine.

CVE-2016-2851 has been assigned to this issue.

Please upgrade to libotr version 4.1.1 immediately.

Users of libotr packages in Linux and *BSD distributions should see
updated packages shortly.

This security release includes the following updates:

 - Fix an integer overflow bug that can cause a heap buffer overflow
   (and from there remote code execution) on 64-bit platforms
 - Fix possible free() of an uninitialized pointer
 - Be stricter about parsing v3 fragments
 - Add a testsuite ("make check" to run it), but only on Linux for now,
   since it uses Linux-specific features such as epoll
 - Fix a memory leak when reading a malformed instance tag file
 - Protocol documentation clarifications

pidgin-otr version 4.0.2 released

This point release includes the following updates:

 - Fix use-after-free issue during SMP
 - Updated Spanish, German, Norwegian Bokmål translations
 - New Danish translation
 - The Windows binary has been linked with updated versions of libotr,
   libgcrypt, libgpg-error, and other supporting libraries


   - Ian

More information about the OTR-users mailing list