Bug 407793 (CVE-2012-1909) - <net-p2p/{bitcoind,bitcoin-qt}-0.5.3 Allows overwriting of unspent transactions (CVE-2012-1909)
Status: RESOLVED FIXED
Alias: CVE-2012-1909
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bitcointalk.org/index.php?top...
Whiteboard: B3 [glsa?]
Depends on: CVE-2012-2459
Reported: 2012-03-11 13:43 UTC by Michael Harrison
Modified: 2012-08-11 17:58 UTC

Description Michael Harrison 2012-03-11 13:43:44 UTC
The bitcoin software was written with the assumption that it is impossible to create a transaction with a hash that is identical to that of a previous transaction. One can create a coinbase transaction that is identical to a previous coinbase, implying it has the same hash. Bitcoin does not check whether that previous hash already exists but simply overwrites it in its transaction index database. When a block that contained such a duplicate is reverted (during a reorganisation), the index entry is deleted entirely. If the original transaction was not yet spent, it has now become unspendable.

Solution:
Upgrade to version 0.5.3_rc3 or later

Upstream Commit:
https://gitorious.org/+bitcoin-stable-developers/bitcoin/bitcoind-stable

References:
http://sourceforge.net/mailarchive/forum.php?thread_name=CAPg%2BsBhmGHnMResVxPDZdfpmWTb9uqD0RrQD7oSXBQq7oHpm8g%40mail.gmail.com&forum_name=bitcoin-development

Luke, one of the maintainers for bitcoind and bitcoin-qt, has added that 0.5.3-final should be out around the 12th and he would like to request stabilization for final. I will still be whiteboarding [stable] though and we can bump by Monday if that seems reasonable to all.
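
The index bookkeeping failure described in the report above, as an added toy model; it is not Bitcoin's code and not part of the original bug report. `TxIndex`, its methods and the `coinbase-X` identifier are hypothetical, and the duplicate check is an assumed guard for illustration, not the upstream patch.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Toy model (hypothetical, not Bitcoin's code): txid -> "output still unspent".
struct TxIndex {
    std::map<std::string, bool> unspent;  // stand-in for the transaction index database
    bool check_duplicates;                // false reproduces the behaviour in the report
    explicit TxIndex(bool check) : check_duplicates(check) {}

    // Connect a block given as a list of txids; returns false if it is rejected.
    bool connect(const std::vector<std::string>& block) {
        if (check_duplicates) {
            for (const auto& txid : block) {
                auto it = unspent.find(txid);
                // Assumed guard: never replace an entry that is still unspent.
                if (it != unspent.end() && it->second) return false;
            }
        }
        for (const auto& txid : block) unspent[txid] = true;  // blind overwrite
        return true;
    }

    // Revert a block during a reorganisation: its entries are deleted entirely.
    void disconnect(const std::vector<std::string>& block) {
        for (const auto& txid : block) unspent.erase(txid);
    }

    bool spendable(const std::string& txid) const {
        auto it = unspent.find(txid);
        return it != unspent.end() && it->second;
    }
};

// Constructed scenario: block A and a later block B carry an identical coinbase,
// then B is reverted. Returns whether A's unspent coinbase is still in the index.
bool original_survives_reorg(bool check) {
    TxIndex idx(check);
    const std::vector<std::string> a = {"coinbase-X"}, b = {"coinbase-X"};
    idx.connect(a);
    if (idx.connect(b)) idx.disconnect(b);
    return idx.spendable("coinbase-X");
}

int main() {
    std::cout << "no check:   " << original_survives_reorg(false) << "\n";
    std::cout << "with check: " << original_survives_reorg(true) << "\n";
    return 0;
}
```

Without the guard, reverting block B deletes the shared index entry and the original coinbase is no longer spendable; with it, B is rejected and the entry survives.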
Comment 1 Luke-Jr 2012-03-15 17:05:01 UTC
0.4.4 (bitcoind only), 0.5.0.4, and 0.5.3 are released and committed to the main tree. Please stabilize at least one ASAP so the affected 0.5.1 can be removed.
Comment 2 Anthony Basile gentoo-dev 2012-03-15 17:07:05 UTC
The vulnerable ebuilds have been removed from the tree. The newer ebuilds added incorporate the fix.
Comment 3 Anthony Basile gentoo-dev 2012-03-15 17:13:25 UTC
@arch teams, please stabilize the following two ebuilds:

    net-p2p/bitcoind-0.5.3

    net-p2p/bitcoin-qt-0.5.3
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-03-15 18:31:31 UTC
x86:

=net-p2p/bitcoind-0.5.3: ok
=net-p2p/bitcoin-qt-0.5.3: ok
Comment 5 Agostino Sarubbo gentoo-dev 2012-03-16 14:35:10 UTC
amd64 stable
Comment 6 Thomas Kahle (RETIRED) gentoo-dev 2012-03-25 10:32:35 UTC
x86 stable. Thanks Mikle
Comment 7 Luke-Jr 2012-05-14 17:34:48 UTC
New vuln: bug 415973
Comment 8 Luke-Jr 2012-06-12 20:15:07 UTC
For historical reference, this is CVE-2012-1909
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-07 00:45:00 UTC
Thanks, everyone. 

GLSA vote: no.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-08-07 00:45:15 UTC
CVE-2012-1909 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1909):
  The Bitcoin protocol, as used in bitcoind before 0.4.4, wxBitcoin,
  Bitcoin-Qt, and other programs, does not properly handle multiple
  transactions with the same identifier, which allows remote attackers to
  cause a denial of service (unspendable transaction) by leveraging the
  ability to create a duplicate coinbase transaction.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-08-11 17:58:39 UTC
Thanks, folks. GLSA Vote: no, too. Closing noglsa.