Your message dated Sun, 02 Jul 2006 21:45:35 -0400
with message-id <[EMAIL PROTECTED]>
and subject line close fixed version
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: hashcash
Version: 1.17-1
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2006-3251: "Heap-based buffer overflow in the array_push function in
hashcash.c for Hashcash before 1.22 might allow attackers to execute
arbitrary code via crafted entries."
The CVE is incorrect; the bug was fixed in 1.21 according to the
changelog. This bug does not apply to the versions in testing or
unstable, and I am filing this report for the security team. I will
follow up to mark the 1.21-1 as fixed.
I have not found a sample exploit, but I have isolated the patch and
attached it. It applies and compiles cleanly. To create the patch
yourself, fetch 1.20 and 1.20 from http://hashcash.org/source/ and run
diff on hashcash.c (note the first change, not included in the attached
patch, is cosmetic).
Thanks,
Alec
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEqGvkAud/2YgchcQRAnA6AJ0f+bLovZIMKrlHMKE4dSis6fZlFQCg4HYt
9SKhWhJ7Dt+kYHMjkBPzrtY=
=5JEN
-----END PGP SIGNATURE-----
--- hashcash-1.20/hashcash.c 2005-12-20 16:02:40.000000000 -0500
+++ hashcash-1.21/hashcash.c 2006-03-24 14:50:13.000000000 -0500
@@ -1253,7 +1253,7 @@
int over )
{
if ( array->num >= array->max ) {
- array->elt = realloc( array->elt, array->max * 2 );
+ array->elt = realloc( array->elt, sizeof( ELEMENT) * array->max * 2 );
if ( array->elt == NULL ) { die_msg( "out of memory" ); }
array->max *= 2;
}
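Review bot: on the + line, the byte count sizeof( ELEMENT) * array->max * 2 is computed with no overflow check, and nothing in this hunk handles array->max being 0, where the request is 0 bytes and array->max *= 2 leaves the capacity at 0. Suggest comparing array->max against SIZE_MAX / (2 * sizeof( ELEMENT)) before the multiply and enforcing a minimum capacity. Writing the element size as sizeof( *array->elt ) would also keep the expression tied to the pointer's type if ELEMENT ever changes. The - line shows why the unit matters here: it asked realloc for array->max * 2 bytes, while the following line doubles array->max as an element count.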
--- End Message ---
--- Begin Message ---
Version: 1.21-1
thanks
This bug was meant for the security team; the current version in
testing/unstable is not affected.
--- End Message ---