Buffer overflow in bech32_decode/cash_decode

[tsusanka]

Impact: Device freeze
Scalability: Remote (Interaction)
Severity: None
Fixed in: Firmware 1.7.1
Reported by: Christian Reitter
Date reported: 2018-09-26

Details

The C reference implementation for bech32 has an unsigned integer overflow that can lead to a buffer overflow. The bug was fixed by preventing the out-of-bounds accesses in the code. Later, gabriel Campana reported the same issue in cash_decode function, which was fixed in the same firmware update.

Fix

trezor/trezor-firmware@5c6b472 and trezor/trezor-firmware@2bbbc3e

Read more

• Official blogpost
• Christian's blog