Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 666669 - <net-p2p/bitcoin{-qt,d}-0.16.3: (CVE-2018-17144)
Summary: <net-p2p/bitcoin{-qt,d}-0.16.3: (CVE-2018-17144)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/gentoo/gentoo/pull...
Whiteboard: B3 [noglsa cve]
Keywords:
: 666665 (view as bug list)
Depends on:
Blocks: CVE-2018-17144
  Show dependency tree
 
Reported: 2018-09-21 01:46 UTC by Luke-Jr
Modified: 2021-02-05 04:12 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Luke-Jr 2018-09-21 01:46:30 UTC
The full severity of CVE-2018-17144 has been prematurely leaked/disclosed (see https://bitcoincore.org/en/2018/09/20/notice/ for details), so it's kind of urgent to get this merged ASAP.

PR at https://github.com/gentoo/gentoo/pull/9907
Comment 1 Andreas Sturmlechner gentoo-dev 2018-09-21 07:10:52 UTC
*** Bug 666665 has been marked as a duplicate of this bug. ***
Comment 2 Larry the Git Cow gentoo-dev 2018-09-21 12:40:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35caca435f172d52f62b9a9119a7234770f662f9

commit 35caca435f172d52f62b9a9119a7234770f662f9
Author:     Luke Dashjr <luke-jr+git@utopios.org>
AuthorDate: 2018-09-18 15:57:26 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-09-21 12:38:01 +0000

    dev-util/bitcoin-tx: Bump to 0.16.3
    
    Signed-off-by: Luke Dashjr <luke-jr+git@utopios.org>
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Bug: https://bugs.gentoo.org/666669

 dev-util/bitcoin-tx/Manifest                 |  2 +
 dev-util/bitcoin-tx/bitcoin-tx-0.16.3.ebuild | 98 ++++++++++++++++++++++++++++
 2 files changed, 100 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f826abec95faa662523e1ce797ee2b9256d9c562

commit f826abec95faa662523e1ce797ee2b9256d9c562
Author:     Luke Dashjr <luke-jr+git@utopios.org>
AuthorDate: 2018-09-18 15:55:14 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-09-21 12:37:57 +0000

    net-libs/libbitcoinconsensus: Bump to 0.16.3
    
    Signed-off-by: Luke Dashjr <luke-jr+git@utopios.org>
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Bug: https://bugs.gentoo.org/666669

 net-libs/libbitcoinconsensus/Manifest              |  2 +
 .../libbitcoinconsensus-0.16.3.ebuild              | 95 ++++++++++++++++++++++
 2 files changed, 97 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bb81035351ee4da03befedbce1c41765ad09a11

commit 2bb81035351ee4da03befedbce1c41765ad09a11
Author:     Luke Dashjr <luke-jr+git@utopios.org>
AuthorDate: 2018-09-18 15:53:51 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-09-21 12:37:57 +0000

    net-p2p/bitcoin-cli: Bump to 0.16.3
    
    Signed-off-by: Luke Dashjr <luke-jr+git@utopios.org>
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Bug: https://bugs.gentoo.org/666669

 net-p2p/bitcoin-cli/Manifest                  |  2 +
 net-p2p/bitcoin-cli/bitcoin-cli-0.16.3.ebuild | 97 +++++++++++++++++++++++++++
 2 files changed, 99 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2d3e52654733b3f973d8ea7b3f0ea41bf00dec8

commit d2d3e52654733b3f973d8ea7b3f0ea41bf00dec8
Author:     Luke Dashjr <luke-jr+git@utopios.org>
AuthorDate: 2018-09-18 15:50:53 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-09-21 12:37:57 +0000

    net-p2p/bitcoind: Bump to 0.16.3
    
    Signed-off-by: Luke Dashjr <luke-jr+git@utopios.org>
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Bug: https://bugs.gentoo.org/666669

 net-p2p/bitcoind/Manifest               |   2 +
 net-p2p/bitcoind/bitcoind-0.16.3.ebuild | 163 ++++++++++++++++++++++++++++++++
 2 files changed, 165 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f73c62f7d8ebc6689028191b516c81440869c4a

commit 9f73c62f7d8ebc6689028191b516c81440869c4a
Author:     Luke Dashjr <luke-jr+git@utopios.org>
AuthorDate: 2018-09-18 15:46:59 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-09-21 12:37:55 +0000

    net-p2p/bitcoin-qt: Bump to 0.16.3
    
    Signed-off-by: Luke Dashjr <luke-jr+git@utopios.org>
    Closes: https://github.com/gentoo/gentoo/pull/9907
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Bug: https://bugs.gentoo.org/666669

 net-p2p/bitcoin-qt/Manifest                 |   2 +
 net-p2p/bitcoin-qt/bitcoin-qt-0.16.3.ebuild | 182 ++++++++++++++++++++++++++++
 2 files changed, 184 insertions(+)
Comment 3 Virgil Dupras (RETIRED) gentoo-dev 2018-09-24 18:57:35 UTC
The vulnerability hasn't been categorized by the security team yet, but let's start a stable request regardless...
Comment 4 Stabilization helper bot gentoo-dev 2018-09-24 19:06:23 UTC
An automated check of this bug failed - repoman reported dependency errors (101 lines truncated): 

> dependency.bad net-p2p/bitcoin-qt/bitcoin-qt-0.16.3.ebuild: DEPEND: arm(default/linux/arm/13.0) ['dev-qt/qtcore:5', 'dev-qt/qtgui:5', 'dev-qt/qtnetwork:5', 'dev-qt/qtwidgets:5', 'dev-qt/qtdbus:5', 'dev-qt/linguist-tools:5']
> dependency.bad net-p2p/bitcoin-qt/bitcoin-qt-0.16.3.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['dev-qt/qtcore:5', 'dev-qt/qtgui:5', 'dev-qt/qtnetwork:5', 'dev-qt/qtwidgets:5', 'dev-qt/qtdbus:5']
> dependency.bad net-p2p/bitcoin-qt/bitcoin-qt-0.16.3.ebuild: DEPEND: arm(default/linux/arm/17.0) ['dev-qt/qtcore:5', 'dev-qt/qtgui:5', 'dev-qt/qtnetwork:5', 'dev-qt/qtwidgets:5', 'dev-qt/qtdbus:5', 'dev-qt/linguist-tools:5']
Comment 5 Stabilization helper bot gentoo-dev 2018-09-24 20:03:53 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 6 Agostino Sarubbo gentoo-dev 2018-09-25 11:17:20 UTC
amd64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-01 00:09:57 UTC
x86 stable
Comment 8 Virgil Dupras (RETIRED) gentoo-dev 2018-10-15 19:23:14 UTC
arm: we missed the security delay of 20 days. In a week, I'll proceed to cleanup whether this is stabilized or not.
Comment 9 Larry the Git Cow gentoo-dev 2018-10-23 20:38:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b0b2fb607337ffc92be3d8313498e55616e6963

commit 6b0b2fb607337ffc92be3d8313498e55616e6963
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-23 20:37:40 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-23 20:38:28 +0000

    dev-util/bitcoin-tx: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/666669
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 dev-util/bitcoin-tx/Manifest                 |   2 -
 dev-util/bitcoin-tx/bitcoin-tx-0.15.1.ebuild | 102 ---------------------------
 2 files changed, 104 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a51f2a1855e1dd6c62eb7a8ee17ca27531f9d146

commit a51f2a1855e1dd6c62eb7a8ee17ca27531f9d146
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-23 20:36:16 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-23 20:38:27 +0000

    net-libs/libbitcoinconsensus: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/666669
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 net-libs/libbitcoinconsensus/Manifest              |  2 -
 .../libbitcoinconsensus-0.15.1.ebuild              | 99 ----------------------
 2 files changed, 101 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c847a77d54b0910d52d4852859651fa49510eb3

commit 3c847a77d54b0910d52d4852859651fa49510eb3
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-23 20:35:00 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-23 20:38:27 +0000

    net-p2p/bitcoind: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/666669
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 net-p2p/bitcoind/Manifest                          |   2 -
 net-p2p/bitcoind/bitcoind-0.15.1.ebuild            | 167 ---------------------
 .../files/bitcoind-0.15.1-test-build-fix.patch     |  24 ---
 .../files/bitcoind-0.15.1-test-util-fix.patch      |  15 --
 4 files changed, 208 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa43f6f2847e6779d6bea9c2242be1fc76b86f20

commit aa43f6f2847e6779d6bea9c2242be1fc76b86f20
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-23 20:32:44 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-23 20:38:26 +0000

    net-p2p/bitcoin-cli: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/666669
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 net-p2p/bitcoin-cli/Manifest                  |   2 -
 net-p2p/bitcoin-cli/bitcoin-cli-0.15.1.ebuild | 101 --------------------------
 2 files changed, 103 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b957e3983c5b664df340102d7311e266244f019

commit 1b957e3983c5b664df340102d7311e266244f019
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-23 20:31:22 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-23 20:38:26 +0000

    net-p2p/bitcoin-qt: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/666669
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 net-p2p/bitcoin-qt/Manifest                        |   2 -
 net-p2p/bitcoin-qt/bitcoin-qt-0.15.1.ebuild        | 255 ---------------------
 .../files/bitcoin-qt-0.15.1-test-build-fix.patch   |  24 --
 .../files/bitcoin-qt-0.15.1-test-util-fix.patch    |  15 --
 net-p2p/bitcoin-qt/metadata.xml                    |   2 -
 5 files changed, 298 deletions(-)
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-11-24 22:13:40 UTC
This bug is evil...