Bug 790293 (CVE-2021-31876)

Summary:	net-p2p/bitcoin*: Improper policy implementation of BIP125 (CVE-2021-31876)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	normal	CC:	luke-jr+gentoobugs, O01eg, proxy-maint
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-May/018893.html
Whiteboard:	?? [upstream?]
Package list:		Runtime testing required:	---

Description Sam James archtester

2021-05-15 01:21:35 UTC

Description:
"Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with nSequence = 0xff_ff_ff_ff, spending an unconfirmed parent with nSequence <= 0xff_ff_ff_fd, should be replaceable because there is inherited signaling by the child transaction. However, the actual PreChecks implementation does not enforce this. Instead, mempool rejects the replacement attempt of the unconfirmed child transaction."

Comment 1 Sam James archtester

2021-05-15 01:23:03 UTC

It's not clear to me if this is an actual vulnerability or if it's possible for it to be fixed without great difficulty. Luke?

Comment 2 Luke-Jr 2021-05-15 04:34:44 UTC

It's arguably a bug, but definitely not a security issue in Bitcoin Core.

It may be a real security issue in other software - as I understand it, some Lightning implementations and similar layer-2 software are affected.

Comment 3 John Helmert III archtester

2021-06-23 13:54:55 UTC

If Bitcoin Core is where the vulnerability needs to be fixed (and it's not going to be fixed elsewhere) then it needs to be handled as a vulnerability in Bitcoin Core.

Comment 4 Luke-Jr 2021-06-23 18:16:42 UTC

(In reply to John Helmert III from comment #3)
> If Bitcoin Core is where the vulnerability needs to be fixed

It's not and can't be.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:22:24 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 17:30:39 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 17:38:36 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 8 NATTkA bot gentoo-dev

2021-07-29 17:46:43 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 9 NATTkA bot gentoo-dev

2021-07-29 18:02:43 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 10 NATTkA bot gentoo-dev

2021-07-29 18:10:58 UTC

Package list is empty or all packages have requested keywords.

Comment 11 Luke-Jr 2021-07-29 20:34:06 UTC

I'm not sure what, if any, packages exist in Gentoo actually affected by this CVE.

Only possibility I can see at a glance is net-misc/electrum, but I am not certain of it.