| Field | Value |
|---|---|
| Summary | <net-p2p/{bitcoind,bitcoin-qt}-0.5.3 Allows overwriting of unspent transactions (CVE-2012-1909) |
| Product | Gentoo Security |
| Reporter | Michael Harrison <n0idx80> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | blueness, luke-jr+gentoobugs |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://bitcointalk.org/index.php?topic=67738.0 |
| Whiteboard | B3 [glsa?] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 415973 |
| Bug Blocks | |
Description
Michael Harrison
2012-03-11 13:43:44 UTC
0.4.4 (bitcoind only), 0.5.0.4, and 0.5.3 are released and committed to the main tree. Please stabilize at least one ASAP so the affected 0.5.1 can be removed.

The vulnerable ebuilds have been removed from the tree. The newer ebuilds added incorporate the fix.

@arch teams, please stabilize the following two ebuilds:
net-p2p/bitcoind-0.5.3
net-p2p/bitcoin-qt-0.5.3

x86: =net-p2p/bitcoind-0.5.3: ok, =net-p2p/bitcoin-qt-0.5.3: ok

amd64 stable

x86 stable. Thanks Mikle

New vuln: bug 415973

For historical reference, this is CVE-2012-1909

Thanks, everyone. GLSA vote: no.

CVE-2012-1909 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1909): The Bitcoin protocol, as used in bitcoind before 0.4.4, wxBitcoin, Bitcoin-Qt, and other programs, does not properly handle multiple transactions with the same identifier, which allows remote attackers to cause a denial of service (unspendable transaction) by leveraging the ability to create a duplicate coinbase transaction.

Thanks, folks. GLSA Vote: no, too. Closing noglsa.
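As an added illustration (not code from this bug report or from Bitcoin itself), the toy model below shows the mechanism the CVE text describes: a transaction index keyed by txid silently replaces an earlier entry when a second transaction carries the same identifier, so the first transaction's unspent outputs become unspendable; the reject flag models the rule later adopted by Bitcoin (BIP30) that refuses a duplicate txid while the earlier outputs are still unspent. Transaction identifiers and values are constructed.

```python
class DuplicateTxid(Exception):
    """Raised when a txid is reused while its earlier outputs are unspent."""


class UtxoIndex:
    """Toy transaction index: txid -> {output index: value}.

    Models the shape of the problem, not bitcoind's real data structures.
    """

    def __init__(self, reject_unspent_duplicates):
        self.reject_unspent_duplicates = reject_unspent_duplicates
        self.index = {}
        self.issued = 0  # total value ever credited to the index

    def add_tx(self, txid, outputs):
        if self.reject_unspent_duplicates and self.index.get(txid):
            # Hardened behaviour: a txid that still has unspent outputs may
            # not be reused, so earlier coins cannot be silently overwritten.
            raise DuplicateTxid(txid)
        # Vulnerable behaviour: a second tx with the same txid replaces the
        # first entry; any unspent outputs of the first are lost for good.
        self.index[txid] = dict(enumerate(outputs))
        self.issued += sum(outputs)

    def spendable(self):
        """Value still reachable through the index."""
        return sum(v for outs in self.index.values() for v in outs.values())


def simulate(reject_unspent_duplicates):
    """Insert two coinbase transactions with identical content (hence the
    same txid) and report (accepted, value issued, value still spendable)."""
    idx = UtxoIndex(reject_unspent_duplicates)
    accepted = 0
    for _ in range(2):
        try:
            idx.add_tx("coinbase_dup", [50])  # constructed txid and value
            accepted += 1
        except DuplicateTxid:
            pass
    return accepted, idx.issued, idx.spendable()


if __name__ == "__main__":
    print("vulnerable:", simulate(False))  # (2, 100, 50): 50 unspendable
    print("hardened:  ", simulate(True))   # (1, 50, 50): duplicate refused
```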