hashcash-1.16 has a format string bug when printing the header. It could be possible to execute code in certain circumstances, but I haven't proved this.
At the very least it's a DoS by preventing hashcash users from participating in discussions or disrupting logs/exhausting memory by using huge field widths, e.g.
hashcash -qm -b 8 -r "foo%.5000000x" -X < /dev/null
I reported this to the hashcash mailing list (see URL).
Steps to Reproduce:
Created attachment 52362
obviously correct one-liner for format string vulnerability.
hashcash-1.16-r1 committed - thanks for the patch :)
x86: please test and mark stable
x86 was already there
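The bug class reported in this thread, as an added example that is not part of the bug report, the attached patch, or the hashcash source: untrusted text used as a printf format string beside the hardened form, plus an audit helper that flags directives and oversized field widths in input such as the string from the report. All function names and the `X-Hashcash: ` prefix used here are assumptions for illustration.

```c
/* Added example, not hashcash source. All identifiers are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef SHOW_VULNERABLE
/* Bug class: untrusted text is passed AS the format string. */
int format_header_vulnerable(char *out, size_t n, const char *stamp)
{ return snprintf(out, n, stamp); }
#endif

/* Hardened form: constant format, untrusted text only as an argument. */
int format_header_safe(char *out, size_t n, const char *stamp)
{
    return snprintf(out, n, "X-Hashcash: %s\n", stamp);
}

/* Audit helper: count printf-style directives in s ("%%" is a literal)
 * and store the largest width or precision requested in *max_num. */
int scan_directives(const char *s, unsigned long *max_num)
{
    int count = 0;
    *max_num = 0;
    while (*s) {
        if (*s++ != '%') continue;
        if (*s == '%') { s++; continue; }
        count++;
        /* walk flags, width, '.', precision up to the conversion letter */
        while (*s && (isdigit((unsigned char)*s) || strchr("-+ #'.*", *s))) {
            char *end;
            if (!isdigit((unsigned char)*s)) { s++; continue; }
            unsigned long v = strtoul(s, &end, 10);
            if (v > *max_num) *max_num = v;
            s = end;
        }
    }
    return count;
}

int main(void)
{
    const char *input = "foo%.5000000x"; /* resource string from the report */
    unsigned long big; char line[64];
    int n = scan_directives(input, &big);
    format_header_safe(line, sizeof line, input);
    printf("directives=%d largest=%lu\n%s", n, big, line);
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn about the pattern inside the `SHOW_VULNERABLE` block.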