Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu
As discussed on #725779 in more detail, the OTRv1 protocol has serious security issues. Clients supporting it (in addition to more recent, safer versions of the protocol) are subject to protocol downgrade attacks. This is why I have proposed to drop support for OTRv1 in libotr in Wheezy.

As the discussion on the aforementioned bug indicates, the maintainer agrees and the lead upstream developer confirms it is "totally fine". I have therefore backported the relevant bits of the upstream commit that does just the same in libotr 4.x (currently in testing/sid).

The resulting package was successfully tested with pidgin-otr on Wheezy, and inter-operates correctly with sid's pidgin-otr and irssi-otr 1.0.0~alpha2-1~bpo70+1.

FTR, testing/sid has libotr 4.x, which is not affected by these issues.

May I upload libotr 3.2.1-1+deb7u1 to stable?
diff -Nru libotr-3.2.1/debian/changelog libotr-3.2.1/debian/changelog --- libotr-3.2.1/debian/changelog 2012-08-07 12:25:12.000000000 +0200 +++ libotr-3.2.1/debian/changelog 2013-12-22 12:06:00.000000000 +0100 @@ -1,3 +1,10 @@ +libotr (3.2.1-1+deb7u1) stable; urgency=medium + + * Non-maintainer upload with maintainer's agreement. + * Disable insecure OTRv1 protocol (Closes: #725779) + + -- intrigeri <intrig...@debian.org> Sun, 22 Dec 2013 11:35:06 +0100 + libotr (3.2.1-1) unstable; urgency=high * Fix potential buffer overflow in base64 routines (Closes: #684121) diff -Nru libotr-3.2.1/debian/patches/disable_otr_v1.patch libotr-3.2.1/debian/patches/disable_otr_v1.patch --- libotr-3.2.1/debian/patches/disable_otr_v1.patch 1970-01-01 01:00:00.000000000 +0100 +++ libotr-3.2.1/debian/patches/disable_otr_v1.patch 2013-12-22 11:34:40.000000000 +0100 
@@ -0,0 +1,39 @@ +Author: Rob Smits <rdfsm...@cs.uwaterloo.ca> +Date: Sun Jun 3 22:38:05 2012 -0400 +Subject: Disable OTRv1 protocol. +Origin: http://sourceforge.net/p/otr/libotr/ci/7ffba65fa42052795523924279bc94e7c80fb0f7/ +Bug: http://bugs.debian.org/725779 +Forwarded: not-needed +Reviewed-by: intrigeri <intrig...@debian.org> +Last-Update: Sun Dec 22 11:30:00 2013 +0100 +Applied-Upstream: 4.0.0 + +diff --git a/src/proto.h b/src/proto.h +index d7b0ae6..e96e2f2 100644 +--- a/src/proto.h ++++ b/src/proto.h +@@ -45,20 +45,17 @@ typedef unsigned int OtrlPolicy; + + #define OTRL_POLICY_VERSION_MASK (OTRL_POLICY_ALLOW_V1 | OTRL_POLICY_ALLOW_V2) + +-/* For v1 compatibility */ ++/* Analogous to v1 policies */ + #define OTRL_POLICY_NEVER 0x00 + #define OTRL_POLICY_OPPORTUNISTIC \ +- ( OTRL_POLICY_ALLOW_V1 | \ +- OTRL_POLICY_ALLOW_V2 | \ ++ ( OTRL_POLICY_ALLOW_V2 | \ + OTRL_POLICY_SEND_WHITESPACE_TAG | \ + OTRL_POLICY_WHITESPACE_START_AKE | \ + OTRL_POLICY_ERROR_START_AKE ) + #define OTRL_POLICY_MANUAL \ +- ( OTRL_POLICY_ALLOW_V1 | \ +- OTRL_POLICY_ALLOW_V2 ) ++ ( OTRL_POLICY_ALLOW_V2 ) + #define OTRL_POLICY_ALWAYS \ +- ( OTRL_POLICY_ALLOW_V1 | \ +- OTRL_POLICY_ALLOW_V2 | \ ++ ( OTRL_POLICY_ALLOW_V2 | \ + OTRL_POLICY_REQUIRE_ENCRYPTION | \ + OTRL_POLICY_WHITESPACE_START_AKE | \ + OTRL_POLICY_ERROR_START_AKE ) diff -Nru libotr-3.2.1/debian/patches/series libotr-3.2.1/debian/patches/series --- libotr-3.2.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libotr-3.2.1/debian/patches/series 2013-12-22 11:34:40.000000000 +0100 @@ -0,0 +1 @@ +disable_otr_v1.patch
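Review bot: the debian/changelog entry "Disable insecure OTRv1 protocol (Closes: #725779)" does not say what changes for users of the library; for a stable update it would help to state the downgrade-attack rationale and that the default policies no longer allow v1, e.g. "* Disable the insecure OTRv1 protocol in the default policies, since offering it allows protocol downgrade attacks (Closes: #725779)". Minor: this entry uses urgency=medium while the previous 3.2.1-1 entry used urgency=high for its security fix; not blocking, but worth a thought since this is also a security-motivated change.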
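Review bot: OTRL_POLICY_VERSION_MASK in the src/proto.h hunk is left as (OTRL_POLICY_ALLOW_V1 | OTRL_POLICY_ALLOW_V2) and the OTRL_POLICY_ALLOW_V1 flag itself is untouched, so this hunk only removes v1 from the three convenience policies (OTRL_POLICY_OPPORTUNISTIC, OTRL_POLICY_MANUAL, OTRL_POLICY_ALWAYS); an application that ORs OTRL_POLICY_ALLOW_V1 into its policy explicitly would still negotiate v1 unless the runtime code paths reject it, and no such change is in this diff. Please confirm that the "relevant bits" backported from the upstream commit are meant to stop at the defaults, and say so in the patch header (or the changelog) so users know explicit ALLOW_V1 is still honoured. Also, the replacement comment "/* Analogous to v1 policies */" reads oddly now that the macros below it no longer include v1; something like "/* Default policy combinations (OTRv1 no longer included) */" would describe them better.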