Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918582 (CVE-2023-37192) - net-p2p/bitcoin-core: memory manipulation leading to transaction redirection
Summary: net-p2p/bitcoin-core: memory manipulation leading to transaction redirection
Status: RESOLVED INVALID
Alias: CVE-2023-37192
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://satoshihunter1.blogspot.com/2...
Whiteboard: B3 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-25 23:16 UTC by John Helmert III
Modified: 2023-11-26 03:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 23:16:02 UTC 
CVE-2023-37192:
https://www.youtube.com/watch?v=oEl4M1oZim0

Memory management and protection issues in Bitcoin Core v22 allows attackers to modify the stored sending address within the app's memory, potentially allowing them to redirect Bitcoin transactions to wallets of their own choosing.

No references to an upstream report, so this smells off to me.
Comment 1 Matt Whitlock 2023-11-26 02:03:00 UTC 
1. The very first sentence of the overview mentions Windows, and the "attack" demo code uses Windows APIs.

2. This is stupid, as it amounts to "Anyone with privileges to open a handle to the Bitcoin process and manipulate process memory can overwrite bitcoin addresses in the Bitcoin process's memory." Pretty much a "no shit, Sherlock."
Comment 2 Matt Whitlock 2023-11-26 02:15:24 UTC 
(I meant to offense the reporter. It's also possible that I am missing some crucial detail in the "exploit," as I only briefly glanced over it, having been predisposed to dismiss it by the "this smells off to me.")
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-26 03:18:31 UTC 
No objection from me.
Comment 4 Matt Whitlock 2023-11-26 03:42:13 UTC 
Doh! I actually meant to say, "I meant no offense to the reporter." Yikes. Sorry about that.

Thank you, John.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-26 03:48:43 UTC 
Hah, I understood what you meant :)