711198 – (CVE-2019-15947, CVE-2020-14198) <net-p2p/bitcoin{d,-qt,-cli}-0.20.1: Multiple vulnerabilities (CVE-2019-15947, CVE-2020-14198)

Bug 711198 (CVE-2019-15947, CVE-2020-14198) - <net-p2p/bitcoin{d,-qt,-cli}-0.20.1: Multiple vulnerabilities (CVE-2019-15947, CVE-2020-14198)

Summary: <net-p2p/bitcoin{d,-qt,-cli}-0.20.1: Multiple vulnerabilities (CVE-2019-15947...

Status:	RESOLVED FIXED

Alias:	CVE-2019-15947, CVE-2020-14198

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://github.com/bitcoin/bitcoin/is...
Whiteboard:	B3 [glsa+ cve]
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2020-03-01 18:10 UTC by Sam James
Modified:	2021-01-22 02:11 UTC (History)
CC List:	3 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/19022
Package list:	net-p2p/bitcoin-cli-0.20.1 net-p2p/bitcoin-qt-0.20.1 net-p2p/bitcoind-0.20.1 dev-libs/libsecp256k1-0.1_pre20190401
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-03-01 18:10:22 UTC

Description:
"In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted in memory. Upon a crash, it may dump a core file. If a user were to mishandle a core file, an attacker can reconstruct the user's wallet.dat file, including their private keys, via a grep "6231 0500" command."

Comment 1 Sam James archtester

2020-03-01 18:14:11 UTC

Per URL, this bug is contentious given that core dumps are not necessarily expected to be safe to share.

Comment 2 Luke-Jr 2020-03-01 18:43:04 UTC

0.18.0[knots] in the tree is NOT affected by this, since it uses madvise to DONTDUMP. Note that due to a bug with the DONTFORK part of that patch, this was dropped in newer versions (not in the tree).

As much as it might be desirable to have, though, I don't agree it's a security bug in bitcoin*, since it's the OS doing the leaking...

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-02 22:59:27 UTC

Let's see if upstream will add some hardening. But yeah, at the moment I also don't understand why a CVE was assigned to this.

Comment 4 Luke-Jr 2020-03-07 20:16:21 UTC

Fix restored for 0.19.1[knots] in https://github.com/gentoo/gentoo/pull/14860

Comment 5 John Helmert III archtester

2020-07-26 06:10:43 UTC

Upstream PR: https://github.com/bitcoin/bitcoin/pull/15600

Merged as 23991ee:

bitcoin $ git tag --contains=23991ee
v0.20.0
v0.20.0rc1
v0.20.0rc2
v0.20.1rc1

Comment 6 Sam James archtester

2020-07-26 15:17:40 UTC

Please tell us when ready to stabilise.

Comment 7 Luke-Jr 2020-07-26 19:09:50 UTC

(In reply to Sam James from comment #6)
> Please tell us when ready to stabilise.

I do not recommend stabilising 0.20. It has a worse security issue (Core, anyway; Knots is not vulnerable).

Will be fixed in v0.20.1, ETA soon.

Comment 8 Sam James archtester

2020-08-11 08:30:26 UTC

(In reply to Luke-Jr from comment #7)
> (In reply to Sam James from comment #6)
> > Please tell us when ready to stabilise.
> 
> I do not recommend stabilising 0.20. It has a worse security issue (Core,
> anyway; Knots is not vulnerable).
> 
> Will be fixed in v0.20.1, ETA soon.

... is there a bug for it?

Comment 9 Sam James archtester

2020-08-11 08:31:21 UTC

(In reply to Sam James from comment #8)
> (In reply to Luke-Jr from comment #7)
> > (In reply to Sam James from comment #6)
> > > Please tell us when ready to stabilise.
> > 
> > I do not recommend stabilising 0.20. It has a worse security issue (Core,
> > anyway; Knots is not vulnerable).
> > 
> > Will be fixed in v0.20.1, ETA soon.
> 
> ... is there a bug for it?

Also, 0.20.1 is out now. Please file security bugs in Gentoo if a package you maintain has a known issue.

Comment 10 Sam James archtester

2020-08-27 20:07:01 UTC

@luke-jr, if ready, add CC-ARCHES? Feel free to message me if not ready etc.

Comment 11 NATTkA bot gentoo-dev

2020-08-27 20:09:09 UTC

Sanity check failed:

> net-p2p/bitcoind-0.20.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
> net-p2p/bitcoin-qt-0.20.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]

Comment 12 Sam James archtester

2020-08-29 13:22:42 UTC

amd64 done

Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev

2020-08-30 17:15:20 UTC

x86 stable

Comment 14 Sam James archtester

2020-08-30 17:16:12 UTC

Please cleanup.

Comment 15 NATTkA bot gentoo-dev

2020-08-30 17:18:44 UTC

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 16 Sam James archtester

2020-09-17 23:33:21 UTC

* CVE-2020-14198

Description:
"Bitcoin Core 0.20.0 allows remote denial of service."

I assumed 0.20.1 is fixed but maybe not?

Comment 17 Luke-Jr 2020-09-18 00:10:51 UTC

(In reply to Sam James from comment #16)
> * CVE-2020-14198
> 
> Description:
> "Bitcoin Core 0.20.0 allows remote denial of service."
> 
> I assumed 0.20.1 is fixed but maybe not?

Yes, that's the one I mentioned earlier.

Comment 18 Sam James archtester

2020-09-18 00:16:14 UTC

(In reply to Luke-Jr from comment #17)
> (In reply to Sam James from comment #16)
> > * CVE-2020-14198
> > 
> > Description:
> > "Bitcoin Core 0.20.0 allows remote denial of service."
> > 
> > I assumed 0.20.1 is fixed but maybe not?
> 
> Yes, that's the one I mentioned earlier.

Thanks Luke, just wanted to check.

Comment 19 GLSAMaker/CVETool Bot gentoo-dev

2020-09-30 00:22:42 UTC

This issue was resolved and addressed in
 GLSA 202009-18 at https://security.gentoo.org/glsa/202009-18
by GLSA coordinator Sam James (sam_c).

Comment 20 Sam James archtester

2020-09-30 00:22:57 UTC

Please cleanup.

Comment 21 Larry the Git Cow gentoo-dev

2021-01-21 23:23:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d00a0f0f3e4e07b0a959d4c1e6588358ef3b4a1b

commit d00a0f0f3e4e07b0a959d4c1e6588358ef3b4a1b
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2021-01-10 22:03:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-21 23:22:53 +0000

    net-p2p/bitcoind: security cleanup
    
    Bug: https://bugs.gentoo.org/711198
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/bitcoind/Manifest                          |   6 -
 net-p2p/bitcoind/bitcoind-0.16.3.ebuild            | 153 ------------------
 net-p2p/bitcoind/bitcoind-0.19.1.ebuild            | 168 --------------------
 net-p2p/bitcoind/bitcoind-0.20.0.ebuild            | 171 ---------------------
 .../files/bitcoind-0.16.3-missing-include.patch    |  10 --
 5 files changed, 508 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd458a9df388d537f0c5c17f3318bbb84e871b5e

commit bd458a9df388d537f0c5c17f3318bbb84e871b5e
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2021-01-10 22:01:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-21 23:22:51 +0000

    net-p2p/bitcoin-qt: security cleanup
    
    Bug: https://bugs.gentoo.org/711198
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/bitcoin-qt/Manifest                        |   6 -
 net-p2p/bitcoin-qt/bitcoin-qt-0.16.3.ebuild        | 174 -------------------
 net-p2p/bitcoin-qt/bitcoin-qt-0.19.1.ebuild        | 188 ---------------------
 net-p2p/bitcoin-qt/bitcoin-qt-0.20.0.ebuild        | 185 --------------------
 ...coin-qt-0.16.3-boost-1.72-missing-include.patch |  24 ---
 net-p2p/bitcoin-qt/metadata.xml                    |   2 -
 6 files changed, 579 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1414e8fd7d9ab6321dbf14d4bac4d02035f7b403

commit 1414e8fd7d9ab6321dbf14d4bac4d02035f7b403
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2021-01-10 21:58:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-21 23:22:50 +0000

    net-p2p/bitcoin-cli: security cleanup
    
    Bug: https://bugs.gentoo.org/711198
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/bitcoin-cli/Manifest                  |   6 --
 net-p2p/bitcoin-cli/bitcoin-cli-0.16.3.ebuild |  97 ------------------------
 net-p2p/bitcoin-cli/bitcoin-cli-0.19.1.ebuild | 101 -------------------------
 net-p2p/bitcoin-cli/bitcoin-cli-0.20.0.ebuild | 102 --------------------------
 4 files changed, 306 deletions(-)

Comment 22 John Helmert III archtester

2021-01-22 02:11:49 UTC

All done!