CVE-2012-3461

Name of the Vulnerable Software and Affected Versions libotr versions prior to 3.2.1

Description The issue is related to the allocation of a zero-length buffer when decoding a base64 string, which can lead to a denial of service (application crash) via a message with a specific value. This can be triggered by remote attackers, potentially disrupting the availability of protected information. The otrl base64 otr decode function in src/b64.c, otrl proto data read flags and otrl proto accept data functions in src/proto.c, and the decode function in toolkit/parse.c are affected. Exploitation can be done remotely.

Recommendations For libotr versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected functions until a patch is available. Avoid using the affected functions in the src/b64.c, src/proto.c, and toolkit/parse.c files until the issue is resolved.