407793 – (CVE-2012-1909) <net-p2p/{bitcoind,bitcoin-qt}-0.5.3 Allows overwriting of unspent transactions (CVE-2012-1909)

Bug 407793 (CVE-2012-1909) - <net-p2p/{bitcoind,bitcoin-qt}-0.5.3 Allows overwriting of unspent transactions (CVE-2012-1909)

Summary: <net-p2p/{bitcoind,bitcoin-qt}-0.5.3 Allows overwriting of unspent transactio...

Status:	RESOLVED FIXED

Alias:	CVE-2012-1909

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://bitcointalk.org/index.php?top...
Whiteboard:	B3 [glsa?]
Keywords:

Depends on:	CVE-2012-2459
Blocks:
	Show dependency tree

Reported:	2012-03-11 13:43 UTC by Michael Harrison
Modified:	2012-08-11 17:58 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Harrison 2012-03-11 13:43:44 UTC

The bitcoin software was written with the assumption that it is impossible to create a transaction with a hash that is identical to that of a previous transaction. One can create a coinbase transaction that is identical to a previous coinbase, implying it has the same hash. Bitcoin does not check whether that previous hash already exists but simply overwrites it in its transaction index database. When a block that contained such a duplicate is reverted (during a reorganisation), the index entry is deleted entirely. If the original transaction was not yet spent, it has now become unspendable.

Solution:
Upgrade to version 0.5.3_rc3 or later

Upstream Commit:
https://gitorious.org/+bitcoin-stable-developers/bitcoin/bitcoind-stable

References:
http://sourceforge.net/mailarchive/forum.php?thread_name=CAPg%2BsBhmGHnMResVxPDZdfpmWTb9uqD0RrQD7oSXBQq7oHpm8g%40mail.gmail.com&forum_name=bitcoin-development

Luke, one of the maintainers for bitcoind and bitcoin-qt has added that 0.5.3-final should be out around the 12th and he would like to request stabilization for final. I will still be whiteboarding [stable] though and we can bump by Monday if that seems reasonable to all.

Comment 1 Luke-Jr 2012-03-15 17:05:01 UTC

0.4.4 (bitcoind only), 0.5.0.4, and 0.5.3 are released and committed to the main tree. Please stabilize at least one ASAP so the affected 0.5.1 can be removed.

Comment 2 Anthony Basile gentoo-dev

2012-03-15 17:07:05 UTC

The vulnerable ebuilds have been removed from the tree.  The newer ebuilds added incorporate the fix

Comment 3 Anthony Basile gentoo-dev

2012-03-15 17:13:25 UTC

@arch teams, please stabilize the following two ebuilds:

    net-p2p/bitcoind-0.5.3

    net-p2p/bitcoin-qt-0.5.3

Comment 4 Mikle Kolyada (RETIRED) archtester

2012-03-15 18:31:31 UTC

x86:

=net-p2p/bitcoind-0.5.3: ok
=net-p2p/bitcoin-qt-0.5.3: ok

Comment 5 Agostino Sarubbo gentoo-dev

2012-03-16 14:35:10 UTC

amd64 stable

Comment 6 Thomas Kahle (RETIRED) gentoo-dev

2012-03-25 10:32:35 UTC

x86 stable. Thanks Mikle

Comment 7 Luke-Jr 2012-05-14 17:34:48 UTC

New vuln: bug 415973

Comment 8 Luke-Jr 2012-06-12 20:15:07 UTC

For historical reference, this is CVE-2012-1909

Comment 9 Sean Amoss (RETIRED) gentoo-dev

2012-08-07 00:45:00 UTC

Thanks, everyone. 

GLSA vote: no.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2012-08-07 00:45:15 UTC

CVE-2012-1909 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1909):
  The Bitcoin protocol, as used in bitcoind before 0.4.4, wxBitcoin,
  Bitcoin-Qt, and other programs, does not properly handle multiple
  transactions with the same identifier, which allows remote attackers to
  cause a denial of service (unspendable transaction) by leveraging the
  ability to create a duplicate coinbase transaction.

Comment 11 Tim Sammut (RETIRED) gentoo-dev

2012-08-11 17:58:39 UTC

Thanks, folks. GLSA Vote: no, too. Closing noglsa.