Severe Remote Memory Corruption Vulnerability in libotr / Off-the-Record Messaging (OTR) Discovered

Off-the-Record (OTR) Messaging is a cryptographic protocol used in well-known instant messaging clients such as Pidgin, ChatSecure, Adium and others. It is designed to work on top of existing protocols and used worldwide to provide secure communication in insecure environments. OTR is regarded as highly secure and according to documents revealed by Edward Snowden one of the protocols that the NSA is not able to decrypt via cryptanalysis. The most commonly used implementation of OTR is "libotr" which is a pure C code implementation of the OTR protocol.

A remote attacker may crash or execute arbitrary code in libotr by sending large OTR messages. While processing specially crafted messages, attacker controlled data on the heap is written out of bounds. No special user interaction or authorization is necessary in default configurations.