Bug 711198 (CVE-2019-15947, CVE-2020-14198) - <net-p2p/bitcoin{d,-qt,-cli}-0.20.1: Multiple vulnerabilities (CVE-2019-15947, CVE-2020-14198)
Status: CONFIRMED
Alias: CVE-2019-15947, CVE-2020-14198
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/bitcoin/bitcoin/is...
Whiteboard: B3 [glsa+ cleanup cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-01 18:10 UTC by Sam James
Modified: 2020-09-30 00:22 UTC
CC List: 3 users

See Also:
Package list:
net-p2p/bitcoin-cli-0.20.1 net-p2p/bitcoin-qt-0.20.1 net-p2p/bitcoind-0.20.1 dev-libs/libsecp256k1-0.1_pre20190401
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2020-03-01 18:10:22 UTC
Description:
"In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted in memory. Upon a crash, it may dump a core file. If a user were to mishandle a core file, an attacker can reconstruct the user's wallet.dat file, including their private keys, via a grep "6231 0500" command."
Comment 1 Sam James archtester gentoo-dev Security 2020-03-01 18:14:11 UTC
Per URL, this bug is contentious given that core dumps are not necessarily expected to be safe to share.
Comment 2 Luke-Jr 2020-03-01 18:43:04 UTC
0.18.0[knots] in the tree is NOT affected by this, since it uses madvise to DONTDUMP. Note that due to a bug with the DONTFORK part of that patch, this was dropped in newer versions (not in the tree).

As much as it might be desirable to have, though, I don't agree it's a security bug in bitcoin*, since it's the OS doing the leaking...
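The CVE text in the description greps a core file for "6231 0500", and comment 2 names the mitigation Knots carried (madvise to DONTDUMP). The following is an added example, not code from Bitcoin Core, Bitcoin Knots or the Gentoo patch, that shows both sides on Linux: a scan of a memory image for the Berkeley DB btree magic (0x00053162 in memory, which `hexdump -x` prints as the words "6231 0500"), and an allocator that marks a secret region MADV_DONTDUMP, with the /proc/self/smaps check that confirms the flag and prctl(PR_SET_DUMPABLE) as the process-wide fallback. The function names, the fake dump bytes and the 4096-byte region are constructed for the example.

```c
/* Added example (not Bitcoin Core's code): keep wallet-key memory out of Linux
 * core dumps, and the triage scan for the BDB magic in a dump image. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <unistd.h>
#ifndef MADV_DONTDUMP
#define MADV_DONTDUMP 16 /* Linux ABI value, for headers that lack the macro */
#endif

/* Berkeley DB btree magic 0x00053162 as it sits in memory (little-endian);
 * `hexdump -x` prints these bytes as the words "6231 0500" quoted in the CVE. */
static const unsigned char BDB_BTREE_MAGIC[4] = { 0x62, 0x31, 0x05, 0x00 };

/* Offset of the first BDB magic in a memory image, or -1 if absent: the check
 * to run on a core file before it leaves the machine. */
long find_bdb_magic(const unsigned char *img, size_t len)
{
    for (size_t i = 0; len >= 4 && i <= len - 4; i++)
        if (memcmp(img + i, BDB_BTREE_MAGIC, 4) == 0)
            return (long)i;
    return -1;
}

static size_t round_to_pages(size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (len + page - 1) / page * page;
}

/* Page-aligned secret buffer the kernel omits from core dumps. mlock() is best
 * effort (RLIMIT_MEMLOCK may be tiny); the MADV_DONTDUMP mark is mandatory. */
void *alloc_nodump(size_t len)
{
    size_t n = round_to_pages(len);
    void *p = mmap(NULL, n, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    (void)mlock(p, n);
    if (madvise(p, n, MADV_DONTDUMP) != 0) { munmap(p, n); return NULL; }
    return p;
}

/* Wipe through a volatile pointer so the stores cannot be elided, then unmap. */
void free_nodump(void *p, size_t len)
{
    size_t n = round_to_pages(len);
    volatile unsigned char *v = p;
    for (size_t i = 0; i < n; i++) v[i] = 0;
    munmap(p, n);
}

/* Process-wide belt and braces: zero core size and clear the dumpable flag. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0) return -1;
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
}

/* Confirm the mark took: /proc/self/smaps lists "dd" under VmFlags for the
 * mapping containing addr. Returns 1 if set, 0 if not, -1 if smaps unreadable. */
int region_has_dontdump(const void *addr)
{
    FILE *f = fopen("/proc/self/smaps", "r");
    if (!f) return -1;
    unsigned long a = (unsigned long)addr, lo, hi;
    int inside = 0, found = 0;
    char line[512];
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx ", &lo, &hi) == 2)
            inside = (a >= lo && a < hi);
        else if (inside && strncmp(line, "VmFlags:", 8) == 0) {
            found = strstr(line, " dd") != NULL;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Constructed scenario: a fake wallet header in an ordinary buffer (what a core
 * dump captures) is found by the scan; the same bytes in a nodump region stay
 * usable by the process itself. Returns 1 on success, 0 on failure. */
int self_check(void)
{
    unsigned char image[64];
    memset(image, 0xAA, sizeof image);              /* constructed dump bytes */
    memcpy(image + 20, BDB_BTREE_MAGIC, 4);
    if (find_bdb_magic(image, sizeof image) != 20) return 0;
    unsigned char *w = alloc_nodump(4096);
    if (!w) return 0;
    memcpy(w, BDB_BTREE_MAGIC, 4);                  /* wallet.dat bytes here */
    int ok = find_bdb_magic(w, 4096) == 0;
    free_nodump(w, 4096);
    return ok;
}

int main(void)
{
    unsigned char *w = alloc_nodump(4096);
    printf("self_check=%d dd_flag=%d\n", self_check(), w ? region_has_dontdump(w) : -1);
    if (w) free_nodump(w, 4096);
    printf("disable_core_dumps=%d\n", disable_core_dumps());
    return 0;
}
```

Build with `cc -o nodump nodump.c` and run it; `dd_flag=1` means the kernel will skip that region when writing a core. The caveat that matters for this bug: MADV_DONTDUMP only protects memory allocated through such a path. Copies of key material that end up on the stack, in ordinary heap strings or in GUI widget buffers are still dumped, which is why comment 1's point stands: a core file should be treated as sensitive regardless of what the program does.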
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-03-02 22:59:27 UTC
Let's see if upstream will add some hardening. But yeah, at the moment I also don't understand why a CVE was assigned to this.
Comment 4 Luke-Jr 2020-03-07 20:16:21 UTC
Fix restored for 0.19.1[knots] in https://github.com/gentoo/gentoo/pull/14860
Comment 5 John Helmert III (ajak) 2020-07-26 06:10:43 UTC
Upstream PR: https://github.com/bitcoin/bitcoin/pull/15600

Merged as 23991ee:

bitcoin $ git tag --contains=23991ee
v0.20.0
v0.20.0rc1
v0.20.0rc2
v0.20.1rc1
Comment 6 Sam James archtester gentoo-dev Security 2020-07-26 15:17:40 UTC
Please tell us when ready to stabilise.
Comment 7 Luke-Jr 2020-07-26 19:09:50 UTC
(In reply to Sam James from comment #6)
> Please tell us when ready to stabilise.

I do not recommend stabilising 0.20. It has a worse security issue (Core, anyway; Knots is not vulnerable).

Will be fixed in v0.20.1, ETA soon.
Comment 8 Sam James archtester gentoo-dev Security 2020-08-11 08:30:26 UTC
(In reply to Luke-Jr from comment #7)
> (In reply to Sam James from comment #6)
> > Please tell us when ready to stabilise.
> 
> I do not recommend stabilising 0.20. It has a worse security issue (Core,
> anyway; Knots is not vulnerable).
> 
> Will be fixed in v0.20.1, ETA soon.

... is there a bug for it?
Comment 9 Sam James archtester gentoo-dev Security 2020-08-11 08:31:21 UTC
(In reply to Sam James from comment #8)
> (In reply to Luke-Jr from comment #7)
> > (In reply to Sam James from comment #6)
> > > Please tell us when ready to stabilise.
> > 
> > I do not recommend stabilising 0.20. It has a worse security issue (Core,
> > anyway; Knots is not vulnerable).
> > 
> > Will be fixed in v0.20.1, ETA soon.
> 
> ... is there a bug for it?

Also, 0.20.1 is out now. Please file security bugs in Gentoo if a package you maintain has a known issue.
Comment 10 Sam James archtester gentoo-dev Security 2020-08-27 20:07:01 UTC
@luke-jr, if ready, add CC-ARCHES? Feel free to message me if not ready etc.
Comment 11 NATTkA bot gentoo-dev 2020-08-27 20:09:09 UTC
Sanity check failed:

> net-p2p/bitcoind-0.20.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
> net-p2p/bitcoin-qt-0.20.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >dev-libs/libsecp256k1-0.1_pre20170321:=[recovery]
Comment 12 Sam James archtester gentoo-dev Security 2020-08-29 13:22:42 UTC
amd64 done
Comment 13 Thomas Deutschmann gentoo-dev Security 2020-08-30 17:15:20 UTC
x86 stable
Comment 14 Sam James archtester gentoo-dev Security 2020-08-30 17:16:12 UTC
Please cleanup.
Comment 15 NATTkA bot gentoo-dev 2020-08-30 17:18:44 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 16 Sam James archtester gentoo-dev Security 2020-09-17 23:33:21 UTC
* CVE-2020-14198

Description:
"Bitcoin Core 0.20.0 allows remote denial of service."

I assumed 0.20.1 is fixed but maybe not?
Comment 17 Luke-Jr 2020-09-18 00:10:51 UTC
(In reply to Sam James from comment #16)
> * CVE-2020-14198
> 
> Description:
> "Bitcoin Core 0.20.0 allows remote denial of service."
> 
> I assumed 0.20.1 is fixed but maybe not?

Yes, that's the one I mentioned earlier.
Comment 18 Sam James archtester gentoo-dev Security 2020-09-18 00:16:14 UTC
(In reply to Luke-Jr from comment #17)
> (In reply to Sam James from comment #16)
> > * CVE-2020-14198
> > 
> > Description:
> > "Bitcoin Core 0.20.0 allows remote denial of service."
> > 
> > I assumed 0.20.1 is fixed but maybe not?
> 
> Yes, that's the one I mentioned earlier.

Thanks Luke, just wanted to check.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2020-09-30 00:22:42 UTC
This issue was resolved and addressed in
 GLSA 202009-18 at https://security.gentoo.org/glsa/202009-18
by GLSA coordinator Sam James (sam_c).
Comment 20 Sam James archtester gentoo-dev Security 2020-09-30 00:22:57 UTC
Please cleanup.