Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711198 (CVE-2019-15947, CVE-2020-14198) - <net-p2p/bitcoin{d,-qt,-cli}-0.20.1: Multiple vulnerabilities (CVE-2019-15947, CVE-2020-14198)
Summary: <net-p2p/bitcoin{d,-qt,-cli}-0.20.1: Multiple vulnerabilities (CVE-2019-15947...
Status: RESOLVED FIXED
Alias: CVE-2019-15947, CVE-2020-14198
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/bitcoin/bitcoin/is...
Whiteboard: B3 [glsa+ cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-03-01 18:10 UTC by Sam James
Modified: 2021-01-22 02:11 UTC (History)
3 users (show)

See Also:
Package list:
net-p2p/bitcoin-cli-0.20.1 net-p2p/bitcoin-qt-0.20.1 net-p2p/bitcoind-0.20.1 dev-libs/libsecp256k1-0.1_pre20190401
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 18:10:22 UTC
Description:
"In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted in memory. Upon a crash, it may dump a core file. If a user were to mishandle a core file, an attacker can reconstruct the user's wallet.dat file, including their private keys, via a grep "6231 0500" command."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 18:14:11 UTC
Per URL, this bug is contentious given that core dumps are not necessarily expected to be safe to share.
Comment 2 Luke-Jr 2020-03-01 18:43:04 UTC
0.18.0[knots] in the tree is NOT affected by this, since it uses madvise to DONTDUMP. Note that due to a bug with the DONTFORK part of that patch, this was dropped in newer versions (not in the tree).

As much as it might be desirable to have, though, I don't agree it's a security bug in bitcoin*, since it's the OS doing the leaking...
Comment 3 Thomas Deutschmann gentoo-dev 2020-03-02 22:59:27 UTC
Let's see if upstream will add some hardening. But yeah, at the moment I also don't understand why a CVE was assigned to this.
Comment 4 Luke-Jr 2020-03-07 20:16:21 UTC
Fix restored for 0.19.1[knots] in https://github.com/gentoo/gentoo/pull/14860
Comment 5 John Helmert III gentoo-dev Security 2020-07-26 06:10:43 UTC
Upstream PR: https://github.com/bitcoin/bitcoin/pull/15600

Merged as 23991ee:

bitcoin $ git tag --contains=23991ee
v0.20.0
v0.20.0rc1
v0.20.0rc2
v0.20.1rc1
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 15:17:40 UTC
Please tell us when ready to stabilise.
Comment 7 Luke-Jr 2020-07-26 19:09:50 UTC
(In reply to Sam James from comment #6)
> Please tell us when ready to stabilise.

I do not recommend stabilising 0.20. It has a worse security issue (Core, anyway; Knots is not vulnerable).

Will be fixed in v0.20.1, ETA soon.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-11 08:30:26 UTC
(In reply to Luke-Jr from comment #7)
> (In reply to Sam James from comment #6)
> > Please tell us when ready to stabilise.
> 
> I do not recommend stabilising 0.20. It has a worse security issue (Core,
> anyway; Knots is not vulnerable).
> 
> Will be fixed in v0.20.1, ETA soon.

... is there a bug for it?
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-11 08:31:21 UTC
(In reply to Sam James from comment #8)
> (In reply to Luke-Jr from comment #7)
> > (In reply to Sam James from comment #6)
> > > Please tell us when ready to stabilise.
> > 
> > I do not recommend stabilising 0.20. It has a worse security issue (Core,
> > anyway; Knots is not vulnerable).
> > 
> > Will be fixed in v0.20.1, ETA soon.
> 
> ... is there a bug for it?

Also, 0.20.1 is out now. Please file security bugs in Gentoo if a package you maintain has a known issue.
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-27 20:07:01 UTC
@luke-jr, if ready, add CC-ARCHES? Feel free to message me if not ready etc.
Comment 11 NATTkA bot gentoo-dev 2020-08-27 20:09:09 UTC
Sanity check failed:

> net-p2p/bitcoind-0.20.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
> net-p2p/bitcoin-qt-0.20.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-29 13:22:42 UTC
amd64 done
Comment 13 Thomas Deutschmann gentoo-dev 2020-08-30 17:15:20 UTC
x86 stable
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 17:16:12 UTC
Please cleanup.
Comment 15 NATTkA bot gentoo-dev 2020-08-30 17:18:44 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-17 23:33:21 UTC
* CVE-2020-14198

Description:
"Bitcoin Core 0.20.0 allows remote denial of service."

I assumed 0.20.1 is fixed but maybe not?
Comment 17 Luke-Jr 2020-09-18 00:10:51 UTC
(In reply to Sam James from comment #16)
> * CVE-2020-14198
> 
> Description:
> "Bitcoin Core 0.20.0 allows remote denial of service."
> 
> I assumed 0.20.1 is fixed but maybe not?

Yes, that's the one I mentioned earlier.
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-18 00:16:14 UTC
(In reply to Luke-Jr from comment #17)
> (In reply to Sam James from comment #16)
> > * CVE-2020-14198
> > 
> > Description:
> > "Bitcoin Core 0.20.0 allows remote denial of service."
> > 
> > I assumed 0.20.1 is fixed but maybe not?
> 
> Yes, that's the one I mentioned earlier.

Thanks Luke, just wanted to check.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2020-09-30 00:22:42 UTC
This issue was resolved and addressed in
 GLSA 202009-18 at https://security.gentoo.org/glsa/202009-18
by GLSA coordinator Sam James (sam_c).
Comment 20 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-30 00:22:57 UTC
Please cleanup.
Comment 21 Larry the Git Cow gentoo-dev 2021-01-21 23:23:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d00a0f0f3e4e07b0a959d4c1e6588358ef3b4a1b

commit d00a0f0f3e4e07b0a959d4c1e6588358ef3b4a1b
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2021-01-10 22:03:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-21 23:22:53 +0000

    net-p2p/bitcoind: security cleanup
    
    Bug: https://bugs.gentoo.org/711198
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/bitcoind/Manifest                          |   6 -
 net-p2p/bitcoind/bitcoind-0.16.3.ebuild            | 153 ------------------
 net-p2p/bitcoind/bitcoind-0.19.1.ebuild            | 168 --------------------
 net-p2p/bitcoind/bitcoind-0.20.0.ebuild            | 171 ---------------------
 .../files/bitcoind-0.16.3-missing-include.patch    |  10 --
 5 files changed, 508 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd458a9df388d537f0c5c17f3318bbb84e871b5e

commit bd458a9df388d537f0c5c17f3318bbb84e871b5e
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2021-01-10 22:01:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-21 23:22:51 +0000

    net-p2p/bitcoin-qt: security cleanup
    
    Bug: https://bugs.gentoo.org/711198
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/bitcoin-qt/Manifest                        |   6 -
 net-p2p/bitcoin-qt/bitcoin-qt-0.16.3.ebuild        | 174 -------------------
 net-p2p/bitcoin-qt/bitcoin-qt-0.19.1.ebuild        | 188 ---------------------
 net-p2p/bitcoin-qt/bitcoin-qt-0.20.0.ebuild        | 185 --------------------
 ...coin-qt-0.16.3-boost-1.72-missing-include.patch |  24 ---
 net-p2p/bitcoin-qt/metadata.xml                    |   2 -
 6 files changed, 579 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1414e8fd7d9ab6321dbf14d4bac4d02035f7b403

commit 1414e8fd7d9ab6321dbf14d4bac4d02035f7b403
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2021-01-10 21:58:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-21 23:22:50 +0000

    net-p2p/bitcoin-cli: security cleanup
    
    Bug: https://bugs.gentoo.org/711198
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/bitcoin-cli/Manifest                  |   6 --
 net-p2p/bitcoin-cli/bitcoin-cli-0.16.3.ebuild |  97 ------------------------
 net-p2p/bitcoin-cli/bitcoin-cli-0.19.1.ebuild | 101 -------------------------
 net-p2p/bitcoin-cli/bitcoin-cli-0.20.0.ebuild | 102 --------------------------
 4 files changed, 306 deletions(-)
Comment 22 John Helmert III gentoo-dev Security 2021-01-22 02:11:49 UTC
All done!