cocoaforge

Posted: **Mon Jun 04, 2012 3:26 pm**

Hi there,
I would like to know if the following vulnerability is patched in the last versions of Adium:
http://lists.cypherpunks.ca/pipermail/o ... 00026.html

"
Off-the-Record Messaging (OTR) Security Advisory 2012-01

Format string security flaw in pidgin-otr

Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
string security flaw. This flaw could potentially be exploited by
a remote attacker to cause arbitrary code to be executed on the user's
machine.

The flaw is in pidgin-otr, not in libotr. Other applications which use
libotr are not affected.

CVE-2012-2369 has been assigned to this issue.
"

I couldnt find any information about it.
Best

Posted: **Mon Jun 04, 2012 3:48 pm**

The flaw is in pidgin-otr, not in libotr. Other applications that use libotr are not affected.

http://www.cypherpunks.ca/otr/

Posted: **Fri Jun 08, 2012 1:09 am**

I'm asking because i didnt know. I think adium is based on pidgin. So are you sure?
Thanks

Posted: **Fri Jun 08, 2012 7:47 am**

Both Adium and Pidgin are based on libpurple.

Adium uses the libotr library for its OTR support and no further plugin is required whereas Pidgin doesn't come with OTR support out of the box. This particular security issue was with the plugin for Pidgin.

Posted: **Wed Jun 13, 2012 9:00 pm**

Thanks really clear!
Best

cocoaforge

CVE-2012-236 - Format string security flaw in pidgin-otr

CVE-2012-236 - Format string security flaw in pidgin-otr

Re: CVE-2012-236 - Format string security flaw in pidgin-otr

Re: CVE-2012-236 - Format string security flaw in pidgin-otr

Re: CVE-2012-236 - Format string security flaw in pidgin-otr

Re: CVE-2012-236 - Format string security flaw in pidgin-otr