
Bug 768768

Summary: <net-p2p/litecoind-0.18.1: Multiple vulnerabilities (CVE-2018-17144)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: maintainer-needed
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa]
Package list:
net-p2p/litecoind-0.18.1-r1 *
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 768765    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-05 04:12:05 UTC
0.16.3 release notes (CVE-2018-17144):
"A denial-of-service vulnerability exploitable by miners has been discovered in
Litecoin Core versions 0.14.0 up to 0.16.2. It is recommended to upgrade any of
the vulnerable versions to 0.16.3 as soon as possible."

0.18.1 release notes:
"This release changes the Random Number Generator (RNG) used from OpenSSL to Litecoin Core's own implementation, although entropy gathered by Litecoin Core is fed out to OpenSSL and then read back in when the program needs strong randomness.

This moves Litecoin Core a little closer to no longer needing to depend on OpenSSL, a dependency that has caused security issues in the past. The new implementation gathers entropy from multiple sources, including from hardware supporting the rdseed CPU instruction."
Comment 1 Larry the Git Cow gentoo-dev 2021-06-18 11:26:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2d4a9bbe950fbbdc14cf7b19d86dbbd200b0bed5

commit 2d4a9bbe950fbbdc14cf7b19d86dbbd200b0bed5
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2021-06-18 10:04:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-18 11:26:30 +0000

    net-p2p/litecoind: add 0.18.1
    
    Closes: https://bugs.gentoo.org/607842
    Bug: https://bugs.gentoo.org/672326
    Bug: https://bugs.gentoo.org/768768
    Bug: https://bugs.gentoo.org/788844
    Signed-off-by: David Seifert <soap@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/21302
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/litecoind/Manifest                         |  1 +
 .../files/litecoind-0.18.1-system-leveldb.patch    | 37 +++++++++
 net-p2p/litecoind/litecoind-0.18.1.ebuild          | 87 ++++++++++++++++++++++
 3 files changed, 125 insertions(+)
Comment 2 NATTkA bot gentoo-dev 2021-06-18 14:36:33 UTC
Unable to check for sanity:

> no match for package: net-p2p/litecoind-0.18.1