Bug 766983 (CVE-2021-3195) - net-p2p/bitcoind: Information leak via RPC calls (CVE-2021-3195)
Summary: net-p2p/bitcoind: Information leak via RPC calls (CVE-2021-3195)
Status: IN_PROGRESS
Alias: CVE-2021-3195
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-25 02:01 UTC by Sam James
Modified: 2021-01-25 04:09 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester gentoo-dev Security 2021-01-25 02:01:14 UTC
Description:
"bitcoind in Bitcoin Core through 0.21.0 can create a new file in an arbitrary directory (e.g., outside the ~/.bitcoin directory) via a dumpwallet RPC call."
Comment 1 Luke-Jr 2021-01-25 03:24:59 UTC
This isn't an actual security issue. Not sure why someone created a CVE for it.
Comment 2 John Helmert III (ajak) gentoo-dev Security 2021-01-25 03:40:56 UTC
(In reply to Luke-Jr from comment #1)
> This isn't an actual security issue. Not sure why someone created a CVE for
> it.

I am not super familiar with this software but this does seem like a security issue. Imagine if the same user running bitcoind had write access to a directory served by an httpd or nfs or something. You could dump a secret to a public directory.

It's a peculiar enough setup that it might never get exploited by anyone, but that's no reason to not treat it as a security issue.
Comment 3 Luke-Jr 2021-01-25 04:09:50 UTC
If you have RPC access, you are assumed to be the user running bitcoind and have full access to the wallet already.