Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 908084 (CVE-2023-33297) - <net-p2p/bitcoind-25.0: denial of service
Summary: <net-p2p/bitcoind-25.0: denial of service
Status: IN_PROGRESS
Alias: CVE-2023-33297
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 1 vote (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa?]
Keywords:
Depends on: 902099
Blocks:
  Show dependency tree
 
Reported: 2023-06-09 04:24 UTC by John Helmert III
Modified: 2023-10-24 11:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-09 04:24:51 UTC 
CVE-2023-33297 (https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-24.1.md

Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023.

Please bump to 24.1.
Comment 1 Matt Whitlock 2023-09-17 21:45:18 UTC 
Bitcoin Core 25.0 is now in the Bitcoin overlay. After some testing it would be good to get it cherry-picked into the main Gentoo repo.

# eselect repository enable bitcoin
Comment 2 Matt Whitlock 2023-10-22 23:30:19 UTC 
Oops, I forgot to update this bug.

net-p2p/bitcoin-core-25.1 (along with transitional packages) is now in the main Gentoo tree.

Maybe a Gentoo dev ought to drop the older, vulnerable versions.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-23 04:59:29 UTC 
(In reply to Matt Whitlock from comment #2)
> Oops, I forgot to update this bug.
> 
> net-p2p/bitcoin-core-25.1 (along with transitional packages) is now in the
> main Gentoo tree.
> 
> Maybe a Gentoo dev ought to drop the older, vulnerable versions.

Needs some stabilizing first though, I think?
Comment 4 Matt Whitlock 2023-10-23 07:51:28 UTC 
(In reply to John Helmert III from comment #3)
> (In reply to Matt Whitlock from comment #2)
> > Maybe a Gentoo dev ought to drop the older, vulnerable versions.
> 
> Needs some stabilizing first though, I think?

Yes, for sure. I don't really understand Gentoo's stabilization policy, but it seems to me a package usually gets stabilized if all older versions of it have some known vulnerability, which is the case here.
Comment 5 Hans de Graaff gentoo-dev Security 2023-10-23 12:43:43 UTC 
(In reply to Matt Whitlock from comment #4)

> Yes, for sure. I don't really understand Gentoo's stabilization policy, but
> it seems to me a package usually gets stabilized if all older versions of it
> have some known vulnerability, which is the case here.

The policy is to give the maintainer a lot of room to make a decision that benefits the package.

I think in general we like to move packages to stable fairly quickly after a 30 day waiting period, but this can be changed both ways (e.g. wait longer if a new version is still experimental or has other issues, move faster if there are security concerns or a package is broken).