Disable insecure OTRv1 protocol

Bug #1266016 reported by Felix Geyer
Affects            Status        Importance  Assigned to  Milestone
libotr (Debian)    Fix Released  Unknown
libotr (Ubuntu)    Fix Released  Undecided   Unassigned
  Precise          Fix Released  Undecided   Unassigned
  Raring           Invalid       Undecided   Unassigned
  Saucy            Invalid       Undecided   Unassigned
libotr2 (Ubuntu)   Invalid       Undecided   Unassigned
  Precise          Invalid       Undecided   Unassigned
  Raring           Fix Released  Undecided   Unassigned
  Saucy            Fix Released  Undecided   Unassigned

Bug Description

Up until version 3, libotr supports the insecure OTRv1 protocol, which makes it vulnerable to downgrade attacks.
For more information see http://bugs.debian.org/725779

Felix Geyer (debfx)
information type: Public → Public Security
Changed in libotr (Ubuntu):
status: New → Fix Released
Changed in libotr2 (Ubuntu):
status: New → Invalid
Changed in libotr2 (Ubuntu Precise):
status: New → Invalid
Changed in libotr (Ubuntu Raring):
status: New → Invalid
Changed in libotr (Ubuntu Saucy):
status: New → Invalid
Revision history for this message
Felix Geyer (debfx) wrote :

I've requested that libotr2 be removed from trusty, so no need to fix it there: bug #1266014

Changed in libotr (Debian):
status: Unknown → Fix Released
Felix Geyer (debfx) wrote :

I've prepared security updates for this, but let me know if you think this is not severe enough and should go through the SRU process.

Seth Arnold (seth-arnold) wrote :

Hi debfx, thanks for preparing these patches.

What testing have you performed with bitlbee-plugin-otr, irssi-plugin-otr,
kopete, mcabber, pidgin-otr, python-otr, python-otr-dbg, and xchat-otr
on precise to verify that these older packages are prepared to work
without OTRv1?

Thanks

Felix Geyer (debfx) wrote :

I have tested it with pidgin-otr. I doubt that there are clients in the archive that can only deal with OTRv1.
They would have severe interoperability issues anyway since libotr 4 doesn't support OTRv1 (and that is shipped since raring).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libotr2 - 3.2.1-1ubuntu1.13.10.1

---------------
libotr2 (3.2.1-1ubuntu1.13.10.1) saucy-security; urgency=low

  * SECURITY UPDATE: disable insecure OTRv1 protocol to prevent downgrade
    attacks (LP: #1266016)
    - Add disable_otr_v1.patch, patch taken from Debian
 -- Felix Geyer <email address hidden> Sat, 04 Jan 2014 16:18:48 +0100

Changed in libotr2 (Ubuntu Saucy):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libotr2 - 3.2.1-1ubuntu1.13.04.1

---------------
libotr2 (3.2.1-1ubuntu1.13.04.1) raring-security; urgency=low

  * SECURITY UPDATE: disable insecure OTRv1 protocol to prevent downgrade
    attacks (LP: #1266016)
    - Add disable_otr_v1.patch, patch taken from Debian
 -- Felix Geyer <email address hidden> Sat, 04 Jan 2014 16:18:48 +0100

Changed in libotr2 (Ubuntu Raring):
status: New → Fix Released
Seth Arnold (seth-arnold) wrote :

Hi debfx,

I've pushed the packages for raring and saucy; I've built the packages for precise and I'm going to give a try at testing some of the clients. We'll see if anyone yells about the raring or saucy updates in the meantime, though users on those platforms may not be representative of users on 12.04 LTS.

Thanks again

Jamie Strandboge (jdstrand) wrote :

Seth, what happened with the 12.04 testing?

Changed in libotr (Ubuntu Precise):
status: New → Incomplete
Seth Arnold (seth-arnold) wrote :

Jamie, so far I have done no testing on 12.04 LTS; my intention is to begin testing this on the 27th or 28th.

Thanks

Seth Arnold (seth-arnold) wrote :

I've tested bitlbee-plugin-otr, irssi-plugin-otr, kopete, mcabber, pidgin-otr, and xchat-otr. Testing python-otr looks like more time than I'm inclined to put into a universe package that won't be in trusty; it really is just a thin shim to the library.

I wasn't able to get a full N*N test, since no one protocol supported all the clients, but in the pairings I was able to test, everything functioned as documented.

Thanks Felix!

Felix Geyer (debfx) wrote :

Great, thank you for testing all the clients!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libotr - 3.2.0-4ubuntu0.2

---------------
libotr (3.2.0-4ubuntu0.2) precise-security; urgency=low

  * SECURITY UPDATE: disable insecure OTRv1 protocol to prevent downgrade
    attacks (LP: #1266016)
    - Add disable_otr_v1.patch, patch taken from Debian
 -- Felix Geyer <email address hidden> Sat, 04 Jan 2014 13:22:42 +0100

Changed in libotr (Ubuntu Precise):
status: Incomplete → Fix Released