
Disable insecure OTRv1 protocol

Reported by Felix Geyer on 2014-01-04
Affects             Status         Importance   Assigned to   Milestone
libotr2 (Ubuntu)                   Undecided    Unassigned
  Precise                          Undecided    Unassigned
  Raring                           Undecided    Unassigned
  Saucy                            Undecided    Unassigned
libotr (Debian)     Fix Released   Unknown
libotr (Ubuntu)                    Undecided    Unassigned
  Precise                          Undecided    Unassigned
  Raring                           Undecided    Unassigned
  Saucy                            Undecided    Unassigned

Bug Description

Up until version 3, libotr supports the insecure OTRv1 protocol, which makes it vulnerable to downgrade attacks.
For more information see http://bugs.debian.org/725779
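The downgrade in the description works through OTR's version negotiation: a client that still accepts v1 will start a v1 session when a peer offers nothing else. The block below is an added example (not code from this page, from libotr, or from disable_otr_v1.patch) that parses OTR query messages and shows how removing v1 from the local policy refuses such offers; LEGACY_POLICY and FIXED_POLICY are constructed stand-ins for libotr's per-version policy flags.

```python
# Constructed example: a minimal parser for OTR query messages plus a version
# policy check that mirrors the effect of dropping OTRv1 from the allowed set.
from typing import Optional, Set

def offered_versions(message: str) -> Optional[Set[int]]:
    """Versions a query message offers, or None if it is not an OTR query.

    Query grammar (OTR spec): "?OTR" then an optional "?" meaning "v1 is
    offered", then optionally "v" + the digits of further versions + "?".
    So "?OTR?" offers v1 only, "?OTRv2?" v2 only, "?OTR?v2?" both.
    """
    start = message.find("?OTR")
    if start < 0:
        return None
    rest = message[start + 4:]
    versions: Set[int] = set()
    if rest.startswith("?"):          # bare "?OTR?" marker advertises v1
        versions.add(1)
        rest = rest[1:]
    if rest.startswith("v"):
        end = rest.find("?", 1)
        if end < 0:                   # unterminated version list: not a query
            return None
        versions.update(int(c) for c in rest[1:end] if c.isdigit())
    elif 1 not in versions:           # "?OTR:..." etc. is data, not a query
        return None
    return versions

def negotiate(message: str, local_allowed: Set[int]) -> Optional[int]:
    """Highest version both sides accept; None means do not start a session."""
    offered = offered_versions(message)
    if not offered:
        return None
    common = offered & local_allowed
    return max(common) if common else None

# Stand-ins for libotr's per-version policy flags (assumed for illustration):
# the pre-fix default accepted v1 and v2; the fixed build never uses v1.
LEGACY_POLICY = {1, 2}
FIXED_POLICY = {2}

def forces_v1_downgrade(message: str) -> bool:
    """True when a peer's offer would land a v1-tolerant client on OTRv1,
    i.e. exactly the session the fixed policy refuses instead."""
    return (negotiate(message, LEGACY_POLICY) == 1
            and negotiate(message, FIXED_POLICY) is None)

if __name__ == "__main__":
    for q in ("?OTR?", "?OTR?v2?", "?OTRv23?", "?OTRv?"):
        print(f"{q!r:12} legacy={negotiate(q, LEGACY_POLICY)} "
              f"fixed={negotiate(q, FIXED_POLICY)} downgrade={forces_v1_downgrade(q)}")
```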

Felix Geyer (debfx) on 2014-01-04
information type: Public → Public Security
Changed in libotr (Ubuntu):
status: New → Fix Released
Changed in libotr2 (Ubuntu):
status: New → Invalid
Changed in libotr2 (Ubuntu Precise):
status: New → Invalid
Changed in libotr (Ubuntu Raring):
status: New → Invalid
Changed in libotr (Ubuntu Saucy):
status: New → Invalid
Felix Geyer (debfx) wrote :

I've requested that libotr2 be removed from trusty, so there is no need to fix it there: bug #1266014

Changed in libotr (Debian):
status: Unknown → Fix Released
Felix Geyer (debfx) wrote :

I've prepared security updates for this, but let me know if you think this is not severe enough and should go through the SRU process.

Seth Arnold (seth-arnold) wrote :

Hi debfx, thanks for preparing these patches.

What testing have you performed with bitlbee-plugin-otr, irssi-plugin-otr,
kopete, mcabber, pidgin-otr, python-otr, python-otr-dbg, and xchat-otr
on precise to verify that these older packages are prepared to work
without OTRv1?

Thanks

Felix Geyer (debfx) wrote :

I have tested it with pidgin-otr. I doubt that there are clients in the archive that can only deal with OTRv1.
They would have severe interoperability issues anyway since libotr 4 doesn't support OTRv1 (and that is shipped since raring).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libotr2 - 3.2.1-1ubuntu1.13.10.1

---------------
libotr2 (3.2.1-1ubuntu1.13.10.1) saucy-security; urgency=low

  * SECURITY UPDATE: disable insecure OTRv1 protocol to prevent downgrade
    attacks (LP: #1266016)
    - Add disable_otr_v1.patch, patch taken from Debian
 -- Felix Geyer <email address hidden> Sat, 04 Jan 2014 16:18:48 +0100

Changed in libotr2 (Ubuntu Saucy):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libotr2 - 3.2.1-1ubuntu1.13.04.1

---------------
libotr2 (3.2.1-1ubuntu1.13.04.1) raring-security; urgency=low

  * SECURITY UPDATE: disable insecure OTRv1 protocol to prevent downgrade
    attacks (LP: #1266016)
    - Add disable_otr_v1.patch, patch taken from Debian
 -- Felix Geyer <email address hidden> Sat, 04 Jan 2014 16:18:48 +0100

Changed in libotr2 (Ubuntu Raring):
status: New → Fix Released
Seth Arnold (seth-arnold) wrote :

Hi debfx,

I've pushed the packages for raring and saucy; I've built the packages for precise and I'm going to give a try at testing some of the clients. We'll see if anyone yells about the raring or saucy updates in the meantime, though users on those platforms may not be representative of users on 12.04 LTS.

Thanks again

Jamie Strandboge (jdstrand) wrote :

Seth, what happened with the 12.04 testing?

Changed in libotr (Ubuntu Precise):
status: New → Incomplete
Seth Arnold (seth-arnold) wrote :

Jamie, so far I have done no testing on 12.04 LTS; my intention is to begin testing this on the 27th or 28th.

Thanks

Seth Arnold (seth-arnold) wrote :

I've tested bitlbee-plugin-otr, irssi-plugin-otr, kopete, mcabber, pidgin-otr, and xchat-otr. Testing python-otr looks like more time than I'm inclined to put into a universe package that won't be in trusty; it really is just a thin shim to the library.

I wasn't able to get a full N*N test (no one protocol supported all the clients), but in the pairings I was able to test, everything functioned as documented.

Thanks Felix!

Felix Geyer (debfx) wrote :

Great, thank you for testing all the clients!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libotr - 3.2.0-4ubuntu0.2

---------------
libotr (3.2.0-4ubuntu0.2) precise-security; urgency=low

  * SECURITY UPDATE: disable insecure OTRv1 protocol to prevent downgrade
    attacks (LP: #1266016)
    - Add disable_otr_v1.patch, patch taken from Debian
 -- Felix Geyer <email address hidden> Sat, 04 Jan 2014 13:22:42 +0100

Changed in libotr (Ubuntu Precise):
status: Incomplete → Fix Released