<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="201701-10"> <title>libotr, Pidgin OTR: Remote execution of arbitrary code</title> <synopsis>Multiple vulnerabilities have been found in libotr and Pidgin OTR, allowing remote attackers to execute arbitrary code. </synopsis> <product type="ebuild">libotr, pidgin-otr</product> <announced>2017-01-02</announced> <revised count="1">2017-01-02</revised> <bug>576914</bug> <bug>576916</bug> <access>remote</access> <affected> <package name="net-libs/libotr" auto="yes" arch="*"> <unaffected range="ge">4.1.1</unaffected> <vulnerable range="lt">4.1.1</vulnerable> </package> <package name="x11-plugins/pidgin-otr" auto="yes" arch="*"> <unaffected range="ge">4.0.2</unaffected> <vulnerable range="lt">4.0.2</vulnerable> </package> </affected> <background> <p>Pidgin Off-the-Record (OTR) messaging allows you to have private conversations over instant messaging. libotr is a portable off-the-record messaging library. </p> </background> <description> <p>Multiple vulnerabilities exist in both libotr and Pidgin OTR. Please review the CVE identifiers for more information. </p> </description> <impact type="normal"> <p>A remote attacker could send a specially crafted message, possibly resulting in the execution of arbitrary code with the privileges of the process, or cause a Denial of Service condition. </p> </impact> <workaround> <p>There is no known workaround at this time.</p> </workaround> <resolution> <p>All libotr users should upgrade to the latest version:</p> <code> # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/libotr-4.1.1" </code> <p>All Pidgin OTR users should upgrade to the latest version:</p> <code> # emerge --sync # emerge --ask --oneshot --verbose ">=x11-plugins/pidgin-otr-4.0.2" </code> </resolution> <references> <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8833">CVE-2015-8833</uri> <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2851">CVE-2016-2851</uri> </references> <metadata tag="requester" timestamp="2017-01-01T11:51:33Z">b-man</metadata> <metadata tag="submitter" timestamp="2017-01-02T14:19:57Z">b-man</metadata> </glsa>