[hashcash] format string bug

  • From: Tavis Ormandy <taviso@xxxxxxxxxx>
  • To: hashcash@xxxxxxxxxxxxx
  • Date: Mon, 28 Feb 2005 11:04:57 +0000

Hello, I've noticed a format string bug in the hashcash program that
could potentially be triggered by setting the From: address to a crazy
value and getting a recipient to hit reply.

I haven't tested if this could be a potential security problem or not, but
it's an easy fix :)

around line 582 of hashcash.c

- fprintf( stdout, header_wrapped );
+ fprintf( stdout, "%s", header_wrapped );
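Review bot: at the fprintf call, the constant "%s" is the right fix, but nothing is being formatted here, so fputs( header_wrapped, stdout ) would remove the format string from this call altogether. The patch covers only this one call site, so the other printf-family calls in hashcash.c that print header or address text deserve the same check, and building with -Wformat -Wformat-security would have the compiler report any non-literal format arguments that remain.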

You can check the bug by setting the recipient to a crazy value, like:

hashcash -qm -b 8 -r "foo%.1n%.1n@xxxxxxx" -X < /dev/null

etc.

Best Wishes, Tavis.

-- 
-------------------------------------
taviso@xxxxxxxxxxxxxxxx | finger me for my gpg key.
-------------------------------------------------------
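
The following is an added example, not part of the original post and not code from hashcash. It shows why the one-line change matters: a small scanner counts the conversion directives that a printf-family call would act on if untrusted header text were passed as the format, next to the patched "%s" pattern that prints the same text verbatim. The function names and the sample header are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in s; "%%" is a literal percent and
 * is not counted. A non-zero result means s would be interpreted, not just
 * printed, if it were passed as the format argument. */
static int count_directives(const char *s)
{
    int n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                        /* step past '%' */
        if (*s == '%') { s++; continue; }           /* literal percent */
        s += strspn(s, "-+ #0");                    /* flags */
        s += strspn(s, "0123456789*");              /* field width */
        if (*s == '.')                              /* precision */
            s += 1 + strspn(s + 1, "0123456789*");
        s += strspn(s, "hlLjzt");                   /* length modifiers */
        if (*s != '\0' && strchr("diouxXeEfFgGaAcspn", *s) != NULL) {
            n++;
            s++;
        }
    }
    return n;
}

/* Patched pattern from the post: constant "%s" format, untrusted text as
 * data. Returns 1 when the text comes out byte for byte unchanged. */
static int safe_roundtrip(const char *untrusted)
{
    char out[256];
    int len = snprintf(out, sizeof out, "%s", untrusted);
    return len >= 0 && (size_t)len < sizeof out && strcmp(out, untrusted) == 0;
}

int main(void)
{
    /* Constructed sample modelled on the recipient string in the post. */
    const char *header = "X-Hashcash: foo%.1n%.1n@example.invalid";

    printf("directives a format-argument call would act on: %d\n",
           count_directives(header));
    printf("printed verbatim via \"%%s\": %s\n",
           safe_roundtrip(header) ? "yes" : "no");
    fputs(header, stdout);                          /* no format string at all */
    fputc('\n', stdout);
    return 0;
}
```
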
