Bug 482970 (CVE-2012-4684)

Summary: net-p2p/bitcoind, net-p2p/bitcoin-qt: Multiple vulnerabilities (CVE-2012-4684,CVE-2013-{3219,3220,4627})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: blueness, luke-jr+gentoobugs, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 480096    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2013-08-30 00:43:54 UTC
CVE-2013-4627 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4627):
  Unspecified vulnerability in bitcoind and Bitcoin-Qt 0.8.x allows remote
  attackers to cause a denial of service (memory consumption) via a large
  amount of tx message data.

CVE-2013-3220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3220):
  bitcoind and Bitcoin-Qt before 0.4.9rc2, 0.5.x before 0.5.8rc2, 0.6.x before
  0.6.5rc2, and 0.7.x before 0.7.3rc2, and wxBitcoin, do not properly consider
  whether a block's size could require an excessive number of database locks,
  which allows remote attackers to cause a denial of service (split) and
  enable certain double-spending capabilities via a large block that triggers
  incorrect Berkeley DB locking.

CVE-2013-3219 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3219):
  bitcoind and Bitcoin-Qt 0.8.x before 0.8.1 do not enforce a certain block
  protocol rule, which allows remote attackers to bypass intended access
  restrictions and conduct double-spending attacks via a large block that
  triggers incorrect Berkeley DB locking in older product versions.

CVE-2012-4684 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4684):
  The alert functionality in bitcoind and Bitcoin-Qt before 0.7.0 supports
  different character representations of the same signature data, but relies
  on a hash of this signature, which allows remote attackers to cause a denial
  of service (resource consumption) via a valid modified signature for a
  circulating alert.


Couldn't find existing bugs for any of these CVEs, so filing here.

Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-30 00:52:50 UTC
I probably could have split that up a bit better. Summary:
CVE-2013-4627: <bitcoind-0.8.1. No action needed except maybe a GLSA.

CVE-2013-3220: 0.4.9rc2 in tree and nothing else in the 0.4 branch in tree. 0.5.8rc2, 0.7.3rc2 likewise. 0.6.5rc2 needs to be stabilized.

CVE-2013-3219: same as 2013-4627.


CVE-2012-4684: Affects 0.6.3. 0.6.5rc2 can be stabilized.

@maintainers: okay to stabilize 0.6.5rc2?

Comment 2 Luke-Jr 2013-08-30 01:18:01 UTC
0.6.5rc2 is too old (it won't work at all); rc4 would, but I don't think I made an ebuild for it yet.

Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 02:00:58 UTC
Will clean affected versions after the latest goes stable.

Comment 4 Sergey Popov gentoo-dev 2013-09-27 08:53:31 UTC
Closing as noglsa as per comment #1 in bug #484546