Debian Bug report logs - #376444
hashcash: CVE-2006-3251: buffer overflow

Package: hashcash; Maintainer for hashcash is Hubert Chan <hubert@uhoreg.ca>; Source for hashcash is src:hashcash.

Reported by: Alec Berryman <alec@thened.net>

Date: Mon, 3 Jul 2006 01:33:10 UTC

Severity: serious

Tags: fixed, patch, sarge, security

Found in version hashcash/1.17-1

Fixed in version 1.21-1

Done: Alec Berryman <alec@thened.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Hubert Chan <hubert@uhoreg.ca>:
Bug#376444; Package hashcash. Full text and rfc822 format available.

Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Hubert Chan <hubert@uhoreg.ca>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: hashcash: CVE-2006-3251: buffer overflow
Date: Sun, 02 Jul 2006 20:59:16 -0400
[Message part 1 (text/plain, inline)]
Package: hashcash
Version: 1.17-1
Severity: serious
Tags: security patch

CVE-2006-3251: "Heap-based buffer overflow in the array_push function in
hashcash.c for Hashcash before 1.22 might allow attackers to execute
arbitrary code via crafted entries."

The CVE is incorrect; the bug was fixed in 1.21 according to the
changelog.  This bug does not apply to the versions in testing or
unstable, and I am filing this report for the security team.  I will
follow up to mark the 1.21-1 as fixed.

I have not found a sample exploit, but I have isolated the patch and
attached it.  It applies and compiles cleanly.  To create the patch
yourself, fetch 1.20 and 1.20 from http://hashcash.org/source/ and run
diff on hashcash.c (note the first change, not included in the attached
patch, is cosmetic).

Thanks,

Alec

[CVE-2006-3251.diff (text/plain, attachment)]

Reply sent to Alec Berryman <alec@thened.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 376444-done@bugs.debian.org (full text, mbox):

From: Alec Berryman <alec@thened.net>
To: 376444-done@bugs.debian.org
Subject: close fixed version
Date: Sun, 02 Jul 2006 21:45:35 -0400
[Message part 1 (text/plain, inline)]
Version: 1.21-1
thanks

This bug was meant for the security team; the current version in
testing/unstable is not affected.
[signature.asc (application/pgp-signature, inline)]

Tags added: sarge Request was from Hubert Chan <hubert@uhoreg.ca> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Hubert Chan <hubert@uhoreg.ca> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 10:28:42 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 05:31:38 2014; Machine Name: beach.debian.org
