The otrl_base64_otr_decode() function and similar functions within OTR
suffer from buffer overflows in the case of malformed input;
specifically if a message of the format of "?OTR:===." is received
then a zero-byte allocation is performed without a similar correlation
between the subsequent base64 decoding write, as such it becomes
possible to write between zero and three bytes incorrectly to the
heap, albeit only with a value of '='.
Because this code path is highly utilized, specifically in the
reception of instant messages over pidgin or similar, this
vulnerability is considered severe even though in many platforms and
circumstances the bug would yield an unexploitable state and result
simply in denial of service.
The developers of OTR promptly fixed the errors and users of OTR are
advised to upgrade the software at the next release cycle.