Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 83541

Summary: net-misc/hashcash: recipient format string bug
Product: Gentoo Security Reporter: Tavis Ormandy (RETIRED) <taviso>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://article.gmane.org/gmane.mail.spam.hashcash/758
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
hashcash patch none

Description Tavis Ormandy (RETIRED) gentoo-dev 2005-02-28 04:46:26 UTC
hashcash-1.16 has a format string bug when printing the header, It could be possible to execute code in certain circumstances, but I havnt proved this.

At the very least it's a DoS by preventing hashcash users from participating in discussions or dirupting logs/exhausting memory by using huge field widths, eg

hashcash -qm -b 8 -r "foo%.5000000x" -X < /dev/null

I reported this to the hashcash mailing list (see URL).

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-03-01 02:16:08 UTC
Created attachment 52362 [details, diff]
hashcash patch

obviously correct oneliner for format string vulnerability.
Comment 2 Bryan Ƙstergaard (RETIRED) gentoo-dev 2005-03-02 11:41:19 UTC
hashcash-1.16-r1 committed - thanks for the patch :)
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 11:50:28 UTC
x86: please test and mark stable
Comment 4 Olivier Crete (RETIRED) gentoo-dev 2005-03-05 21:53:17 UTC
x86 was already there
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-03-06 05:17:55 UTC
GLSA 200503-12