Bug#: 83541
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Tavis Ormandy (RETIRED) <taviso@gentoo.org>

Filename Description Type Creator Created Size Actions
hashcash-1.16-format-string.diff hashcash patch patch Tavis Ormandy (RETIRED) 2005-03-01 02:16 0000 382 bytes Details | Diff
Description:   Opened: 2005-02-28 04:46 0000
hashcash-1.16 has a format string bug when printing the header. It could be
possible to execute code in certain circumstances, but I haven't proved this.

At the very least it's a DoS by preventing hashcash users from participating in
discussions or disrupting logs/exhausting memory by using huge field widths, e.g.

hashcash -qm -b 8 -r "foo%.5000000x" -X < /dev/null

I reported this to the hashcash mailing list (see URL).

Reproducible: Always
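The defect class described in the report is an untrusted string used directly as a printf-family format. The following C program is an added illustration, not hashcash's source and not the attached one-liner patch: it shows the vulnerable pattern (only in a comment, never executed), the hardened form in which the untrusted resource string travels through a constant `"%s"` format, bounded output via `snprintf` so a huge field width cannot exhaust memory, and a small audit helper for flagging `%` characters in data headed for a format argument. The `bits=<n> resource=<r>` layout is constructed for the example and is not hashcash's real stamp format.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern (shown for comparison only; it is never called here):
 * the untrusted resource string is used AS the format string, so a "%x"
 * directive reads whatever happens to be on the stack and a huge precision
 * such as "%.5000000x" makes the C library try to emit megabytes of output.
 *
 *     static void print_header_vulnerable(const char *resource)
 *     {
 *         printf(resource);   // BAD: attacker-controlled format string
 *     }
 */

/* Hardened form: the format is a compile-time constant and the untrusted
 * data goes through "%s", so any '%' in it is printed verbatim. */
int print_header_safe(FILE *out, const char *resource)
{
    return fprintf(out, "resource: %s\n", resource);
}

/* Same fix when building into a buffer. snprintf never writes more than
 * dstlen bytes and returns the length the full string would have had, so
 * the caller can detect truncation instead of overflowing. The field layout
 * "bits=<n> resource=<r>" is constructed for this example (assumption). */
int build_header_safe(char *dst, size_t dstlen, int bits, const char *resource)
{
    return snprintf(dst, dstlen, "bits=%d resource=%s", bits, resource);
}

/* Defensive audit helper: count '%' characters in a string that is about to
 * reach a printf-family function. A non-zero count for data that came from
 * the command line, a mail header or a network peer is worth logging while
 * the call site is converted to a constant format with "%s". */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (*s == '%')
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input: the resource string from the proof-of-concept
     * command in the bug report above. */
    const char *resource = "foo%.5000000x";
    char buf[64];

    int len = build_header_safe(buf, sizeof buf, 8, resource);
    printf("%s  (%d bytes, %zu %%-directives in input)\n",
           buf, len, count_format_directives(resource));
    print_header_safe(stdout, resource);
    return 0;
}
```

Run as written, the program prints the resource string unchanged, with its `%.5000000x` treated as thirteen ordinary bytes; with the vulnerable pattern the same input would instead be interpreted as a directive. Checking `snprintf`'s return value against the buffer size is what turns a possible memory-exhaustion or overflow into a detectable, loggable truncation.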

------- Comment #1 From Tavis Ormandy (RETIRED) 2005-03-01 02:16:08 0000 -------
Created an attachment (id=52362) [details]
hashcash patch

Obviously correct one-liner for the format string vulnerability.

------- Comment #2 From Bryan Østergaard (RETIRED) 2005-03-02 11:41:19 0000 -------
hashcash-1.16-r1 committed - thanks for the patch :)

------- Comment #3 From Thierry Carrez (RETIRED) 2005-03-02 11:50:28 0000 -------
x86: please test and mark stable

------- Comment #4 From Olivier Crete 2005-03-05 21:53:17 0000 -------
x86 was already there

------- Comment #5 From Thierry Carrez (RETIRED) 2005-03-06 05:17:55 0000 -------
GLSA 200503-12
