Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 766983 (CVE-2021-3195)

Summary: net-p2p/bitcoind: Information leak via RPC calls (CVE-2021-3195)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: luke-jr+gentoobugs, O01eg, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/bitcoin/bitcoin/issues/20866
Whiteboard: B4 [upstream]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 02:01:14 UTC
Description:
"bitcoind in Bitcoin Core through 0.21.0 can create a new file in an arbitrary directory (e.g., outside the ~/.bitcoin directory) via a dumpwallet RPC call."
Comment 1 Luke-Jr 2021-01-25 03:24:59 UTC
This isn't an actual security issue. Not sure why someone created a CVE for it.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 03:40:56 UTC
(In reply to Luke-Jr from comment #1)
> This isn't an actual security issue. Not sure why someone created a CVE for
> it.

I am not super familiar with this software but this does seem like a security issue. Imagine if the same user running bitcoind had write access to a directory served by an httpd or nfs or something. You could dump a secret to a public directory.

It's a peculiar enough setup that it might never get exploited by anyone, but that's no reason to not treat it as a security issue.
Comment 3 Luke-Jr 2021-01-25 04:09:50 UTC
If you have RPC access, you are assumed to be the user running bitcoind and have full access to the wallet already.
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:24:20 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:32:48 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:40:41 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:48:51 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:04:47 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:13:04 UTC
Package list is empty or all packages have requested keywords.