| Summary: | net-p2p/bitcoin{d,-qt,-cli}-0.20.1: Multiple vulnerabilities (CVE-2019-15947, CVE-2020-14198) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | ajak, luke-jr+gentoobugs, proxy-maint |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/bitcoin/bitcoin/issues/16824 | | |
| See Also: | https://github.com/gentoo/gentoo/pull/19022 | | |
| Whiteboard: | B3 [glsa+ cve] | | |
| Package list: | net-p2p/bitcoin-cli-0.20.1, net-p2p/bitcoin-qt-0.20.1, net-p2p/bitcoind-0.20.1, dev-libs/libsecp256k1-0.1_pre20190401 | | |
| Runtime testing required: | --- | | |
Description
Sam James
2020-03-01 18:10:22 UTC
Per URL, this bug is contentious given that core dumps are not necessarily expected to be safe to share.

0.18.0[knots] in the tree is NOT affected by this, since it uses madvise to DONTDUMP. Note that due to a bug with the DONTFORK part of that patch, this was dropped in newer versions (not in the tree). As much as it might be desirable to have, though, I don't agree it's a security bug in bitcoin*, since it's the OS doing the leaking...

Let's see if upstream will add some hardening. But yeah, at the moment I also don't understand why a CVE was assigned to this.

Fix restored for 0.19.1[knots] in https://github.com/gentoo/gentoo/pull/14860

Upstream PR: https://github.com/bitcoin/bitcoin/pull/15600

Merged as 23991ee:

    bitcoin $ git tag --contains=23991ee
    v0.20.0
    v0.20.0rc1
    v0.20.0rc2
    v0.20.1rc1

Please tell us when ready to stabilise.

(In reply to Sam James from comment #6)
> Please tell us when ready to stabilise.

I do not recommend stabilising 0.20. It has a worse security issue (Core, anyway; Knots is not vulnerable).

Will be fixed in v0.20.1, ETA soon.

(In reply to Luke-Jr from comment #7)
> (In reply to Sam James from comment #6)
> > Please tell us when ready to stabilise.
>
> I do not recommend stabilising 0.20. It has a worse security issue (Core,
> anyway; Knots is not vulnerable).
>
> Will be fixed in v0.20.1, ETA soon.

... is there a bug for it?

(In reply to Sam James from comment #8)
> (In reply to Luke-Jr from comment #7)
> > (In reply to Sam James from comment #6)
> > > Please tell us when ready to stabilise.
> >
> > I do not recommend stabilising 0.20. It has a worse security issue (Core,
> > anyway; Knots is not vulnerable).
> >
> > Will be fixed in v0.20.1, ETA soon.
>
> ... is there a bug for it?

Also, 0.20.1 is out now.

Please file security bugs in Gentoo if a package you maintain has a known issue.

@luke-jr, if ready, add CC-ARCHES? Feel free to message me if not ready etc.

Sanity check failed:
> net-p2p/bitcoind-0.20.1
> depend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
> rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
> net-p2p/bitcoin-qt-0.20.1
> depend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
> rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
amd64 done

x86 stable

Please cleanup.

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

* CVE-2020-14198

Description:
"Bitcoin Core 0.20.0 allows remote denial of service."

I assumed 0.20.1 is fixed but maybe not?

(In reply to Sam James from comment #16)
> * CVE-2020-14198
>
> Description:
> "Bitcoin Core 0.20.0 allows remote denial of service."
>
> I assumed 0.20.1 is fixed but maybe not?

Yes, that's the one I mentioned earlier.

(In reply to Luke-Jr from comment #17)
> (In reply to Sam James from comment #16)
> > * CVE-2020-14198
> >
> > Description:
> > "Bitcoin Core 0.20.0 allows remote denial of service."
> >
> > I assumed 0.20.1 is fixed but maybe not?
>
> Yes, that's the one I mentioned earlier.

Thanks Luke, just wanted to check.

This issue was resolved and addressed in GLSA 202009-18 at https://security.gentoo.org/glsa/202009-18 by GLSA coordinator Sam James (sam_c).

Please cleanup.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d00a0f0f3e4e07b0a959d4c1e6588358ef3b4a1b

commit d00a0f0f3e4e07b0a959d4c1e6588358ef3b4a1b
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2021-01-10 22:03:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-21 23:22:53 +0000

    net-p2p/bitcoind: security cleanup

    Bug: https://bugs.gentoo.org/711198
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/bitcoind/Manifest                        |   6 -
 net-p2p/bitcoind/bitcoind-0.16.3.ebuild          | 153 ------------------
 net-p2p/bitcoind/bitcoind-0.19.1.ebuild          | 168 --------------------
 net-p2p/bitcoind/bitcoind-0.20.0.ebuild          | 171 ---------------------
 .../files/bitcoind-0.16.3-missing-include.patch  |  10 --
 5 files changed, 508 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd458a9df388d537f0c5c17f3318bbb84e871b5e

commit bd458a9df388d537f0c5c17f3318bbb84e871b5e
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2021-01-10 22:01:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-21 23:22:51 +0000

    net-p2p/bitcoin-qt: security cleanup

    Bug: https://bugs.gentoo.org/711198
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/bitcoin-qt/Manifest                              |   6 -
 net-p2p/bitcoin-qt/bitcoin-qt-0.16.3.ebuild              | 174 -------------------
 net-p2p/bitcoin-qt/bitcoin-qt-0.19.1.ebuild              | 188 ---------------------
 net-p2p/bitcoin-qt/bitcoin-qt-0.20.0.ebuild              | 185 --------------------
 ...coin-qt-0.16.3-boost-1.72-missing-include.patch       |  24 ---
 net-p2p/bitcoin-qt/metadata.xml                          |   2 -
 6 files changed, 579 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1414e8fd7d9ab6321dbf14d4bac4d02035f7b403

commit 1414e8fd7d9ab6321dbf14d4bac4d02035f7b403
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2021-01-10 21:58:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-21 23:22:50 +0000

    net-p2p/bitcoin-cli: security cleanup

    Bug: https://bugs.gentoo.org/711198
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/bitcoin-cli/Manifest                     |   6 --
 net-p2p/bitcoin-cli/bitcoin-cli-0.16.3.ebuild    |  97 ------------------------
 net-p2p/bitcoin-cli/bitcoin-cli-0.19.1.ebuild    | 101 -------------------------
 net-p2p/bitcoin-cli/bitcoin-cli-0.20.0.ebuild    | 102 --------------------------
 4 files changed, 306 deletions(-)

All done!
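The "madvise to DONTDUMP" hardening the thread refers to (upstream PR 15600, restored in Knots), as an added example that is not code from Bitcoin Core, Knots or the Gentoo ebuilds: it maps a buffer for key material, marks it MADV_DONTDUMP so it is excluded from a core dump, and then reads /proc/self/smaps to confirm the kernel recorded the flag. The function names secret_alloc, secret_free and secret_is_dontdump are my own, and the code assumes Linux with /proc mounted.

```c
/* Added example, not Bitcoin Core/Knots code: keep a secret buffer out of
 * core dumps with madvise(MADV_DONTDUMP) and verify the flag via smaps.
 * Linux-only; assumes /proc is mounted. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Map an anonymous region for secrets and exclude it from core dumps.
 * Returns NULL on failure. mlock() is best-effort (RLIMIT_MEMLOCK may be
 * tiny); the part that matters for core-dump leaks is MADV_DONTDUMP. */
void *secret_alloc(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    (void)mlock(p, len);
    if (madvise(p, len, MADV_DONTDUMP) != 0) { munmap(p, len); return NULL; }
    return p;
}

/* Wipe through a volatile pointer (so the store cannot be elided), then unmap. */
void secret_free(void *p, size_t len) {
    if (!p) return;
    volatile unsigned char *v = p;
    for (size_t i = 0; i < len; i++) v[i] = 0;
    munlock(p, len);
    munmap(p, len);
}

/* Locate the mapping containing addr in /proc/self/smaps and report whether
 * its VmFlags line carries "dd" (don't dump). 1 = set, 0 = not set, -1 = error. */
int secret_is_dontdump(const void *addr) {
    FILE *f = fopen("/proc/self/smaps", "r");
    if (!f) return -1;
    unsigned long a = (unsigned long)addr, lo, hi;
    int in_target = 0, result = 0;
    char line[512];
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx ", &lo, &hi) == 2)      /* mapping header */
            in_target = (a >= lo && a < hi);
        else if (in_target && strncmp(line, "VmFlags:", 8) == 0) {
            result = strstr(line, " dd ") != NULL;           /* space-separated flags */
            break;
        }
    }
    fclose(f);
    return result;
}
```

Run it under a sandbox that supports smaps VmFlags; the check is the cheap way to confirm the hardening actually took effect before trusting a core file.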