[hashcash] format string bug
- From: Tavis Ormandy <taviso@xxxxxxxxxx>
- To: hashcash@xxxxxxxxxxxxx
- Date: Mon, 28 Feb 2005 11:04:57 +0000
Hello, I've noticed a format string bug in the hashcash program that
could potentially be triggered by setting the From: address to a crazy
value and getting a recipient to hit reply.
I haven't tested if this could be a potential security problem or not, but
it's an easy fix :)
around line 582 of hashcash.c
- fprintf( stdout, header_wrapped );
+ fprintf( stdout, "%s", header_wrapped );
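Review bot: in the added line, since nothing is being formatted, fputs( header_wrapped, stdout ) would do the same job as fprintf( stdout, "%s", header_wrapped ) and leaves no format argument for a later edit to get wrong. The removed line passed header_wrapped as the format string itself, so the rest of hashcash.c deserves a pass for other printf-family calls whose format argument is not a string literal; building with -Wformat -Wformat-security gets the compiler to flag them.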
You can check the bug by setting the recipient to a crazy value, like:
hashcash -qm -b 8 -r "foo%.1n%.1n@xxxxxxx" -X < /dev/null
etc.
Best Wishes, Tavis.
--
-------------------------------------
taviso@xxxxxxxxxxxxxxxx | finger me for my gpg key.
-------------------------------------------------------