
Bug 407793 (CVE-2012-1909)

Summary: <net-p2p/{bitcoind,bitcoin-qt}-0.5.3 Allows overwriting of unspent transactions (CVE-2012-1909)
Product: Gentoo Security
Reporter: Michael Harrison <n0idx80>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: blueness, luke-jr+gentoobugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bitcointalk.org/index.php?topic=67738.0
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 415973
Bug Blocks:

Description Michael Harrison 2012-03-11 13:43:44 UTC
The bitcoin software was written with the assumption that it is impossible to create a transaction with a hash that is identical to that of a previous transaction. One can create a coinbase transaction that is identical to a previous coinbase, implying it has the same hash. Bitcoin does not check whether that previous hash already exists but simply overwrites it in its transaction index database. When a block that contained such a duplicate is reverted (during a reorganisation), the index entry is deleted entirely. If the original transaction was not yet spent, it has now become unspendable.

Solution:
Upgrade to version 0.5.3_rc3 or later

Upstream Commit:
https://gitorious.org/+bitcoin-stable-developers/bitcoin/bitcoind-stable

References:
http://sourceforge.net/mailarchive/forum.php?thread_name=CAPg%2BsBhmGHnMResVxPDZdfpmWTb9uqD0RrQD7oSXBQq7oHpm8g%40mail.gmail.com&forum_name=bitcoin-development

Luke, one of the maintainers for bitcoind and bitcoin-qt, has added that 0.5.3-final should be out around the 12th and he would like to request stabilization for final. I will still be whiteboarding [stable] though and we can bump by Monday if that seems reasonable to all.
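
The overwrite-then-delete sequence described above, as an added example that is not bitcoind's code or part of the original report: a toy in-memory index (class and function names are hypothetical, the coinbase bytes are constructed) replayed once without and once with a duplicate-id check. The check shown is an assumed form of the missing test, not the upstream patch.

```python
"""Toy model (constructed) of a transaction index keyed by txid."""
import hashlib


def txid(raw: bytes) -> str:
    # Double SHA-256 of the serialized transaction, as Bitcoin does.
    return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()


class TxIndex:
    def __init__(self, reject_duplicates: bool):
        self.reject_duplicates = reject_duplicates
        self.entries = {}  # txid -> {"height": int, "spent": bool}

    def connect_block(self, height: int, txs: list) -> bool:
        ids = [txid(raw) for raw in txs]
        if self.reject_duplicates:
            # Hardened (assumed form of the check): refuse a block that
            # reuses the id of a transaction that is still unspent.
            for i in ids:
                old = self.entries.get(i)
                if old is not None and not old["spent"]:
                    return False
        for i in ids:
            # Without the check above this is a blind overwrite.
            self.entries[i] = {"height": height, "spent": False}
        return True

    def disconnect_block(self, txs: list) -> None:
        # Reorganisation: delete the index entries of the reverted block.
        for raw in txs:
            self.entries.pop(txid(raw), None)

    def spendable(self, raw: bytes) -> bool:
        entry = self.entries.get(txid(raw))
        return entry is not None and not entry["spent"]


def replay(reject_duplicates: bool) -> dict:
    """Connect a coinbase, connect an identical one, revert the second block."""
    coinbase = b"constructed-coinbase: 50 BTC to key A"  # sample bytes, not a real tx
    index = TxIndex(reject_duplicates)
    first = index.connect_block(1, [coinbase])
    second = index.connect_block(2, [coinbase])  # same bytes, same txid
    if second:
        index.disconnect_block([coinbase])  # reorg reverts block 2
    return {"first": first, "second": second, "spendable": index.spendable(coinbase)}


if __name__ == "__main__":
    print("vulnerable:", replay(False))
    print("hardened:  ", replay(True))
```

In the vulnerable replay the original coinbase ends up with no index entry even though it was never spent; with the check enabled the duplicate block is refused and the original entry survives.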
Comment 1 Luke-Jr 2012-03-15 17:05:01 UTC
0.4.4 (bitcoind only), 0.5.0.4, and 0.5.3 are released and committed to the main tree. Please stabilize at least one ASAP so the affected 0.5.1 can be removed.
Comment 2 Anthony Basile gentoo-dev 2012-03-15 17:07:05 UTC
The vulnerable ebuilds have been removed from the tree. The newer ebuilds added incorporate the fix.
Comment 3 Anthony Basile gentoo-dev 2012-03-15 17:13:25 UTC
@arch teams, please stabilize the following two ebuilds:

    net-p2p/bitcoind-0.5.3

    net-p2p/bitcoin-qt-0.5.3
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-03-15 18:31:31 UTC
x86:

=net-p2p/bitcoind-0.5.3: ok
=net-p2p/bitcoin-qt-0.5.3: ok
Comment 5 Agostino Sarubbo gentoo-dev 2012-03-16 14:35:10 UTC
amd64 stable
Comment 6 Thomas Kahle (RETIRED) gentoo-dev 2012-03-25 10:32:35 UTC
x86 stable. Thanks Mikle
Comment 7 Luke-Jr 2012-05-14 17:34:48 UTC
New vuln: bug 415973
Comment 8 Luke-Jr 2012-06-12 20:15:07 UTC
For historical reference, this is CVE-2012-1909
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-07 00:45:00 UTC
Thanks, everyone. 

GLSA vote: no.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-08-07 00:45:15 UTC
CVE-2012-1909 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1909):
  The Bitcoin protocol, as used in bitcoind before 0.4.4, wxBitcoin,
  Bitcoin-Qt, and other programs, does not properly handle multiple
  transactions with the same identifier, which allows remote attackers to
  cause a denial of service (unspendable transaction) by leveraging the
  ability to create a duplicate coinbase transaction.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-08-11 17:58:39 UTC
Thanks, folks. GLSA Vote: no, too. Closing noglsa.