
Bug 790293 (CVE-2021-31876)

Summary: net-p2p/bitcoin*: Improper policy implementation of BIP125 (CVE-2021-31876)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: normal
CC: luke-jr+gentoobugs, O01eg, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ?? [upstream?]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-15 01:21:35 UTC
"Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with nSequence = 0xff_ff_ff_ff, spending an unconfirmed parent with nSequence <= 0xff_ff_ff_fd, should be replaceable because there is inherited signaling by the child transaction. However, the actual PreChecks implementation does not enforce this. Instead, mempool rejects the replacement attempt of the unconfirmed child transaction."
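Added example (not part of the bug report and not Bitcoin Core's code): a simplified Python model of the two signaling rules the quoted CVE description contrasts, so that downstream software can flag unconfirmed transactions on which the rules disagree. The `Tx`/`TxIn` types, the function names, the dict-based mempool and the sample transactions are constructed for illustration.

```python
from dataclasses import dataclass

# Highest nSequence value that signals replaceability under BIP125.
MAX_BIP125_RBF_SEQUENCE = 0xFFFFFFFD

@dataclass(frozen=True)
class TxIn:
    prev_txid: str   # txid of the output being spent
    nsequence: int

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple

def signals_explicitly(tx):
    """Explicit signaling: the transaction itself has a low-enough nSequence."""
    return any(i.nsequence <= MAX_BIP125_RBF_SEQUENCE for i in tx.inputs)

def signals_bip125(tx, mempool):
    """BIP125 as specified: explicit signaling, or inherited signaling from
    any unconfirmed ancestor (modelled here as 'present in mempool')."""
    stack, seen = [tx], set()
    while stack:
        cur = stack.pop()
        if cur.txid in seen:
            continue
        seen.add(cur.txid)
        if signals_explicitly(cur):
            return True
        # Only unconfirmed parents are in the mempool; confirmed ones are skipped.
        stack.extend(mempool[i.prev_txid] for i in cur.inputs
                     if i.prev_txid in mempool)
    return False

def policy_gap(tx, mempool):
    """True when the spec says 'replaceable' but an explicit-only check,
    the behaviour the CVE description attributes to PreChecks, says 'not'."""
    return signals_bip125(tx, mempool) and not signals_explicitly(tx)

# Constructed sample: the parent signals, the child spends it with 0xffffffff.
PARENT = Tx("parent", (TxIn("confirmed-utxo", 0xFFFFFFFD),))
CHILD = Tx("child", (TxIn("parent", 0xFFFFFFFF),))
FINAL = Tx("final", (TxIn("other-confirmed-utxo", 0xFFFFFFFF),))
MEMPOOL = {t.txid: t for t in (PARENT, CHILD, FINAL)}

if __name__ == "__main__":
    for t in (PARENT, CHILD, FINAL):
        print(t.txid, signals_explicitly(t), signals_bip125(t, MEMPOOL),
              policy_gap(t, MEMPOOL))
```

Only `CHILD` falls in the gap: it inherits signaling from `PARENT`, but an explicit-only check treats it as non-replaceable.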
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-15 01:23:03 UTC
It's not clear to me if this is an actual vulnerability or if it's possible for it to be fixed without great difficulty. Luke?
Comment 2 Luke-Jr 2021-05-15 04:34:44 UTC
It's arguably a bug, but definitely not a security issue in Bitcoin Core.

It may be a real security issue in other software - as I understand it, some Lightning implementations and similar layer-2 software are affected.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-23 13:54:55 UTC
If Bitcoin Core is where the vulnerability needs to be fixed (and it's not going to be fixed elsewhere) then it needs to be handled as a vulnerability in Bitcoin Core.
Comment 4 Luke-Jr 2021-06-23 18:16:42 UTC
(In reply to John Helmert III from comment #3)
> If Bitcoin Core is where the vulnerability needs to be fixed

It's not and can't be.
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:10:58 UTC
Package list is empty or all packages have requested keywords.
Comment 11 Luke-Jr 2021-07-29 20:34:06 UTC
I'm not sure what, if any, packages exist in Gentoo actually affected by this CVE.

Only possibility I can see at a glance is net-misc/electrum, but I am not certain of it.