Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 83541 - net-misc/hashcash: recipient format string bug
Summary: net-misc/hashcash: recipient format string bug
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2005-02-28 04:46 UTC by Tavis Ormandy (RETIRED)
Modified: 2007-05-31 10:53 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

hashcash patch (hashcash-1.16-format-string.diff,382 bytes, patch)
2005-03-01 02:16 UTC, Tavis Ormandy (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy (RETIRED) gentoo-dev 2005-02-28 04:46:26 UTC
hashcash-1.16 has a format string bug when printing the header, It could be possible to execute code in certain circumstances, but I havnt proved this.

At the very least it's a DoS by preventing hashcash users from participating in discussions or dirupting logs/exhausting memory by using huge field widths, eg

hashcash -qm -b 8 -r "foo%.5000000x" -X < /dev/null

I reported this to the hashcash mailing list (see URL).

Reproducible: Always
Steps to Reproduce:
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-03-01 02:16:08 UTC
Created attachment 52362 [details, diff]
hashcash patch

obviously correct oneliner for format string vulnerability.
Comment 2 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-02 11:41:19 UTC
hashcash-1.16-r1 committed - thanks for the patch :)
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 11:50:28 UTC
x86: please test and mark stable
Comment 4 Olivier Crete (RETIRED) gentoo-dev 2005-03-05 21:53:17 UTC
x86 was already there
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-03-06 05:17:55 UTC
GLSA 200503-12