Bug 83541

Summary:

net-misc/hashcash: recipient format string bug

Product:

Gentoo Security

Reporter:

Tavis Ormandy (RETIRED) <taviso>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

normal

Priority:

High

Version:

unspecified

Hardware:

All

OS:

Linux

URL:

http://article.gmane.org/gmane.mail.spam.hashcash/758

Whiteboard:

B2 [glsa]

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
hashcash patch	none

Description Tavis Ormandy (RETIRED) gentoo-dev

2005-02-28 04:46:26 UTC

hashcash-1.16 has a format string bug when printing the header, It could be possible to execute code in certain circumstances, but I havnt proved this.

At the very least it's a DoS by preventing hashcash users from participating in discussions or dirupting logs/exhausting memory by using huge field widths, eg

hashcash -qm -b 8 -r "foo%.5000000x" -X < /dev/null

I reported this to the hashcash mailing list (see URL).

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Comment 1 Tavis Ormandy (RETIRED) gentoo-dev

2005-03-01 02:16:08 UTC

Created attachment 52362 [details, diff]
hashcash patch

obviously correct oneliner for format string vulnerability.

Comment 2 Bryan Østergaard (RETIRED) gentoo-dev

2005-03-02 11:41:19 UTC

hashcash-1.16-r1 committed - thanks for the patch :)

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2005-03-02 11:50:28 UTC

x86: please test and mark stable

Comment 4 Olivier Crete (RETIRED) gentoo-dev

2005-03-05 21:53:17 UTC

x86 was already there

Comment 5 Thierry Carrez (RETIRED) gentoo-dev

2005-03-06 05:17:55 UTC

GLSA 200503-12