Package: hashcash
Version: 1.17-1
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2006-3251: "Heap-based buffer overflow in the array_push function in
hashcash.c for Hashcash before 1.22 might allow attackers to execute
arbitrary code via crafted entries."
The CVE is incorrect; the bug was fixed in 1.21 according to the
changelog. This bug does not apply to the versions in testing or
unstable, and I am filing this report for the security team. I will
follow up to mark 1.21-1 as fixed.
I have not found a sample exploit, but I have isolated the patch and
attached it. It applies and compiles cleanly. To create the patch
yourself, fetch 1.20 and 1.21 from http://hashcash.org/source/ and run
diff on hashcash.c (note that the first change, not included in the attached
patch, is cosmetic).
Thanks,
Alec
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEqGvkAud/2YgchcQRAnA6AJ0f+bLovZIMKrlHMKE4dSis6fZlFQCg4HYt
9SKhWhJ7Dt+kYHMjkBPzrtY=
=5JEN
-----END PGP SIGNATURE-----
--- hashcash-1.20/hashcash.c 2005-12-20 16:02:40.000000000 -0500
+++ hashcash-1.21/hashcash.c 2006-03-24 14:50:13.000000000 -0500
@@ -1253,7 +1253,7 @@
int over )
{
if ( array->num >= array->max ) {
- array->elt = realloc( array->elt, array->max * 2 );
+ array->elt = realloc( array->elt, sizeof( ELEMENT) * array->max * 2 );
if ( array->elt == NULL ) { die_msg( "out of memory" ); }
array->max *= 2;
}
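Review bot: the corrected request `sizeof( ELEMENT) * array->max * 2` still has no guard against the multiplication wrapping size_t; if `array->max` can be driven up by attacker-controlled entry counts, a wrapped product hands realloc an undersized chunk and reintroduces exactly the heap overflow this hunk fixes. Suggest checking `if ( array->max > SIZE_MAX / ( 2 * sizeof( ELEMENT ) ) ) { die_msg( "array too large" ); }` before the realloc. Assigning the realloc result straight back to `array->elt` is acceptable only because `die_msg` presumably does not return; if it ever does, the old pointer is leaked. Minor: `sizeof( ELEMENT)` is missing the closing space used by the surrounding calls (`realloc( array->elt, ... )`, `die_msg( "out of memory" )`).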
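The defect the patch corrects, shown as an added stand-alone illustration that is not the bug report's or hashcash's own code: the pre-1.21 growth step asks realloc for `max * 2` bytes where it needs `max * 2` elements, so as soon as sizeof(ELEMENT) exceeds one byte the next write lands past the end of the chunk. The ELEMENT and ARRAY types below are placeholders chosen for the demo (hashcash's real definitions differ), and the `alloc_bytes` bookkeeping exists only so the buggy path can report the out-of-bounds write instead of corrupting the heap. The fixed path also adds a size_t overflow guard that the 1.21 patch does not have.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder element and array types for this example; hashcash's real
 * ELEMENT and array struct differ. What matters is that sizeof(ELEMENT) > 1. */
typedef struct { char tag[8]; uint64_t value; } ELEMENT;

typedef struct {
    ELEMENT *elt;
    size_t   num;          /* elements in use */
    size_t   max;          /* element capacity the push code believes it has */
    size_t   alloc_bytes;  /* bytes actually obtained from malloc/realloc (demo bookkeeping) */
} ARRAY;

static int array_init(ARRAY *a, size_t initial_max) {
    a->elt = malloc(sizeof(ELEMENT) * initial_max);
    if (a->elt == NULL) return -1;
    a->num = 0;
    a->max = initial_max;
    a->alloc_bytes = sizeof(ELEMENT) * initial_max;
    return 0;
}

/* Would doubling `max` elements overflow size_t once converted to bytes?
 * The 1.21 patch does not check this; it is added here as hardening. */
static int grow_would_overflow(size_t max) {
    return max > SIZE_MAX / (2 * sizeof(ELEMENT));
}

/* Mirrors the pre-1.21 growth step: requests max*2 BYTES, not elements.
 * Rather than writing past the chunk (undefined behaviour, heap corruption),
 * the demo compares the write position with the bytes actually allocated. */
static int array_push_buggy(ARRAY *a, const ELEMENT *e) {
    if (a->num >= a->max) {
        size_t request = a->max * 2;             /* bug: sizeof(ELEMENT) missing */
        ELEMENT *p = realloc(a->elt, request);   /* shrinking also truncates the existing elements */
        if (p == NULL) return -1;
        a->elt = p;
        a->alloc_bytes = request;
        a->max *= 2;
    }
    if ((a->num + 1) * sizeof(ELEMENT) > a->alloc_bytes) return -2; /* write would leave the chunk */
    a->elt[a->num++] = *e;
    return 0;
}

/* Growth step as fixed in 1.21 (sizeof(ELEMENT) * max * 2 bytes), plus the overflow guard. */
static int array_push_fixed(ARRAY *a, const ELEMENT *e) {
    if (a->num >= a->max) {
        if (grow_would_overflow(a->max)) return -1;
        size_t request = sizeof(ELEMENT) * a->max * 2;
        ELEMENT *p = realloc(a->elt, request);
        if (p == NULL) return -1;
        a->elt = p;
        a->alloc_bytes = request;
        a->max *= 2;
    }
    if ((a->num + 1) * sizeof(ELEMENT) > a->alloc_bytes) return -2;
    a->elt[a->num++] = *e;
    return 0;
}

/* Push n constructed elements through `push`, starting from a capacity of
 * initial_max; returns the element count on success or the first negative error code. */
static int fill(int (*push)(ARRAY *, const ELEMENT *), size_t initial_max, size_t n) {
    ARRAY a;
    int rc = array_init(&a, initial_max);
    if (rc) return rc;
    for (size_t i = 0; i < n && rc == 0; i++) {
        ELEMENT e;
        memset(&e, 0, sizeof e);
        snprintf(e.tag, sizeof e.tag, "e%zu", i);   /* constructed sample data */
        e.value = i;
        rc = push(&a, &e);
    }
    free(a.elt);
    return rc == 0 ? (int)a.num : rc;
}

/* 5th push with a 4-element array: 80 bytes are needed but only 8 were requested. */
int demo_buggy(void) { return fill(array_push_buggy, 4, 5); }
/* Same start, 16 pushes: the array grows 4 -> 8 -> 16 elements without incident. */
int demo_fixed(void) { return fill(array_push_fixed, 4, 16); }

int main(void) {
    printf("buggy push rc = %d (negative: write would have overflowed the heap chunk)\n", demo_buggy());
    printf("fixed push rc = %d (elements stored)\n", demo_fixed());
    return 0;
}
```

Under a real allocator the buggy path does not return an error; it silently writes sizeof(ELEMENT) bytes per element into a chunk that only holds two bytes per element, which is the heap corruption the CVE text describes. The `alloc_bytes` check stands in for what a sanitizer or hardened malloc would catch at the first out-of-bounds write.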