
Bug 462046 (CVE-2013-2273)

Summary: <net-p2p/bitcoind-0.8.0rc1, net-p2p/bitcoin-qt-0.8.0rc1: multiple vulnerabilities (CVE-2013-{2272,2273,2292,2293})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: alexander, blueness, flow, jaak, luke-jr+gentoobugs, proxy-maint, ted
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 462598    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2013-03-17 14:13:10 UTC
CVE-2013-2273 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2273 :

bitcoind and Bitcoin-Qt before 0.4.9rc1, 0.5.x before 0.5.8rc1, 0.6.0 before 0.6.0.11rc1, 0.6.1 through 0.6.5 before 0.6.5rc1, and 0.7.x before 0.7.3rc1 make it easier for remote attackers to obtain potentially sensitive information about returned change by leveraging certain predictability in the outputs of a Bitcoin transaction.


CVE-2013-2292 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2292 :

bitcoind and Bitcoin-Qt 0.8.0 and earlier allow remote attackers to cause a denial of service (electricity consumption) by mining a block to create a nonstandard Bitcoin transaction containing multiple OP_CHECKSIG script opcodes.


CVE-2013-2293 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2293 :

The CTransaction::FetchInputs method in bitcoind and Bitcoin-Qt before 0.8.0rc1 copies transactions from disk to memory without incrementally checking for spent prevouts, which allows remote attackers to cause a denial of service (disk I/O consumption) via a Bitcoin transaction with many inputs corresponding to many different parts of the stored block chain.
Comment 1 Luke-Jr 2013-03-17 15:39:37 UTC
CVE-2013-2292 should get another bug, as it is still unresolved.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-03-19 20:26:55 UTC
CVE-2013-2293 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2293):
  The CTransaction::FetchInputs method in bitcoind and Bitcoin-Qt before
  0.8.0rc1 copies transactions from disk to memory without incrementally
  checking for spent prevouts, which allows remote attackers to cause a denial
  of service (disk I/O consumption) via a Bitcoin transaction with many inputs
  corresponding to many different parts of the stored block chain.

CVE-2013-2292 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2292):
  bitcoind and Bitcoin-Qt 0.8.0 and earlier allow remote attackers to cause a
  denial of service (electricity consumption) by mining a block to create a
  nonstandard Bitcoin transaction containing multiple OP_CHECKSIG script
  opcodes.

CVE-2013-2273 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2273):
  bitcoind and Bitcoin-Qt before 0.4.9rc1, 0.5.x before 0.5.8rc1, 0.6.0 before
  0.6.0.11rc1, 0.6.1 through 0.6.5 before 0.6.5rc1, and 0.7.x before 0.7.3rc1
  make it easier for remote attackers to obtain potentially sensitive
  information about returned change by leveraging certain predictability in
  the outputs of a Bitcoin transaction.

CVE-2013-2272 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2272):
  The penny-flooding protection mechanism in the CTxMemPool::accept method in
  bitcoind and Bitcoin-Qt before 0.4.9rc1, 0.5.x before 0.5.8rc1, 0.6.0 before
  0.6.0.11rc1, 0.6.1 through 0.6.5 before 0.6.5rc1, and 0.7.x before 0.7.3rc1
  allows remote attackers to determine associations between wallet addresses
  and IP addresses via a series of large Bitcoin transactions with
  insufficient fees.
Comment 3 Anthony Basile gentoo-dev 2013-03-19 21:46:19 UTC
Luke, can you identify which ones we should keep in the tree and which ones we should drop?
Comment 4 Anthony Basile gentoo-dev 2013-03-27 23:57:59 UTC
net-p2p/bitcoind, net-p2p/bitcoin-qt 0.8.1 are now in the tree.
Comment 5 Luke-Jr 2013-03-28 00:44:16 UTC
(In reply to comment #4)
> net-p2p/bitcoind, net-p2p/bitcoin-qt 0.8.1 are now in the tree.

Note that 0.8.1 did not fix any of the vulnerabilities in this bug...
Comment 6 Anthony Basile gentoo-dev 2013-03-28 00:46:03 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > net-p2p/bitcoind, net-p2p/bitcoin-qt 0.8.1 are now in the tree.
> 
> Note that 0.8.1 did not fix any of the vulnerabilities in this bug...

Thanks, wasn't certain, hence comment #3.
Comment 7 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-30 00:52:03 UTC
@maintainers: ping, does 0.8.3 fix these issues?
Comment 8 Luke-Jr 2013-08-30 01:17:19 UTC
https://en.bitcoin.it/wiki/CVEs
Comment 9 Luke-Jr 2015-02-23 23:04:05 UTC
This should be closed.
Comment 10 Anthony Basile gentoo-dev 2015-02-23 23:09:20 UTC
@security team: go ahead and vote on GLSA. We're done.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2016-03-18 07:37:59 UTC
Vulnerable packages have been gone for over 2 years so no GLSA.