pidgin-otr 'log_message_cb()' Function Format String Vulnerability

Bugtraq ID:	53557
Class:	Input Validation Error
CVE:	CVE-2012-2369
Remote:	Yes
Local:	No
Published:	May 16 2012 12:00AM
Updated:	Apr 13 2015 10:23PM
Credit:	intrigeri
Vulnerable:	SuSE Suse Linux Enterprise Desktop 11 SP2 + Linux kernel 2.6.5 SuSE Suse Linux Enterprise Desktop 11 SP1 + Linux kernel 2.6.5 OTR Development Team pidgin-otr 3.2.0 Gentoo Linux Debian Linux 6.0 sparc Debian Linux 6.0 s/390 Debian Linux 6.0 powerpc Debian Linux 6.0 mips Debian Linux 6.0 ia-64 Debian Linux 6.0 ia-32 Debian Linux 6.0 arm Debian Linux 6.0 amd64
Not Vulnerable:	OTR Development Team pidgin-otr 3.2.1

pidgin-otr 'log_message_cb()' Function Format String Vulnerability

pidgin-otr is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.

An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition.

Versions prior to pidgin-otr 3.2.1 are affected.

pidgin-otr 'log_message_cb()' Function Format String Vulnerability

Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

pidgin-otr 'log_message_cb()' Function Format String Vulnerability

References:

• Format string security flaw in pidgin-otr (Ian Goldberg)
  
• pidgin-otr Homepage (OTR Development Team)