Bug 768768 - <net-p2p/litecoind-0.18.1: Multiple vulnerabilities (CVE-2018-17144)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2018-17144
Reported: 2021-02-05 04:12 UTC by Sam James
Modified: 2021-07-18 04:05 UTC

See Also:
Package list:
net-p2p/litecoind-0.18.1-r1 *
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-05 04:12:05 UTC
0.16.3 release notes (CVE-2018-17144):
"A denial-of-service vulnerability exploitable by miners has been discovered in
Litecoin Core versions 0.14.0 up to 0.16.2. It is recommended to upgrade any of
the vulnerable versions to 0.16.3 as soon as possible."

0.18.1 release notes:
"This release changes the Random Number Generator (RNG) used from OpenSSL to Litecoin Core's own implementation, although entropy gathered by Litecoin Core is fed out to OpenSSL and then read back in when the program needs strong randomness.

 This moves Litecoin Core a little closer to no longer needing to depend on OpenSSL, a dependency that has caused security issues in the past. The new implementation gathers entropy from multiple sources, including from hardware supporting the rdseed CPU instruction."
Comment 1 Larry the Git Cow gentoo-dev 2021-06-18 11:26:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2d4a9bbe950fbbdc14cf7b19d86dbbd200b0bed5

commit 2d4a9bbe950fbbdc14cf7b19d86dbbd200b0bed5
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2021-06-18 10:04:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-18 11:26:30 +0000

    net-p2p/litecoind: add 0.18.1
    
    Closes: https://bugs.gentoo.org/607842
    Bug: https://bugs.gentoo.org/672326
    Bug: https://bugs.gentoo.org/768768
    Bug: https://bugs.gentoo.org/788844
    Signed-off-by: David Seifert <soap@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/21302
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/litecoind/Manifest                         |  1 +
 .../files/litecoind-0.18.1-system-leveldb.patch    | 37 +++++++++
 net-p2p/litecoind/litecoind-0.18.1.ebuild          | 87 ++++++++++++++++++++++
 3 files changed, 125 insertions(+)
Comment 2 NATTkA bot gentoo-dev 2021-06-18 14:36:33 UTC
Unable to check for sanity:

> no match for package: net-p2p/litecoind-0.18.1