Bug 415973 (CVE-2012-2459) - <net-p2p/{bitcoind,bitcoin-qt}-0.5.5 : DoS vulnerability (CVE-2012-2459)
Summary: <net-p2p/{bitcoind,bitcoin-qt}-0.5.5 : DoS vulnerability (CVE-2012-2459)
Status: RESOLVED FIXED
Alias: CVE-2012-2459
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bitcointalk.org/index.php?top...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2012-1909
Reported: 2012-05-14 17:33 UTC by Luke-Jr
Modified: 2012-08-11 17:57 UTC

See Also:
Package list:
Runtime testing required: ---


Description Luke-Jr 2012-05-14 17:33:31 UTC
The details of this vulnerability have not been disclosed yet.

Please stabilize 0.5.5 ASAP.
NOTE: these versions are pending import to the main tree still.

Solution:
Upgrade to version 0.4.6, 0.5.5, 0.6.0.7, or 0.6.2 or later

References:
https://bitcointalk.org/index.php?topic=81749.0
Comment 1 Agostino Sarubbo gentoo-dev 2012-05-14 18:08:17 UTC
Luke, thanks for reporting this, but please don't cc arches when there is not the time.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-05-15 06:34:13 UTC
I see 0.6.2 is in the tree now, thanks. Are we ok to stabilize that?
Comment 3 Luke-Jr 2012-05-15 06:44:09 UTC
(In reply to comment #2)
> I see 0.6.2 is in the tree now, thanks. Are we ok to stabilize that?

It's secure against this vulnerability, but 0.6.x has only been out for a couple of weeks and not very well-tested yet. I would recommend stabilizing 0.5.5 for now.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-05-15 06:48:59 UTC
(In reply to comment #3)
> I would recommend stabilizing
> 0.5.5 for now.

Thanks, Luke, sorry I missed that in c0.

Arches, please test and mark stable:
=net-p2p/bitcoind-0.5.5
=net-p2p/bitcoin-qt-0.5.5
Target keywords : "amd64 x86"
Comment 5 Luke-Jr 2012-05-15 07:09:11 UTC
Also arm?
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-05-15 07:14:46 UTC
(In reply to comment #5)
> Also arm?

Neither package is stable on arm currently.
Comment 7 Luke-Jr 2012-05-15 07:19:47 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > Also arm?
> 
> Neither package is stable on arm currently.

Original arm stabilization request was bug 405211, and had continued into the last CVE (bug 407793).
Comment 8 Anthony Basile gentoo-dev 2012-05-15 09:13:25 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > (In reply to comment #5)
> > > Also arm?
> > 
> > Neither package is stable on arm currently.
> 
> Original arm stabilization request was bug 405211, and had continued into
> the last CVE (bug 407793).

I added the ebuilds yesterday after I saw this bug report.

As the arch teams do their work, I will drop keywords and finally remove the last remaining vulnerable version: {bitcoind,bitcoin-qt}-0.5.3
Comment 9 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-05-16 17:54:35 UTC
amd64: pass
Comment 10 Agostino Sarubbo gentoo-dev 2012-05-18 07:50:57 UTC
amd64 stable
Comment 11 Myckel Habets 2012-05-18 20:39:42 UTC
Both build and run fine on x86. Please mark stable for x86.
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-05-19 10:57:36 UTC
x86: I do not see bugs or any problems. Please mark stable for x86.
Comment 13 Johannes Huber (RETIRED) gentoo-dev 2012-05-21 22:51:03 UTC
x86 stable
Comment 14 Markus Meier gentoo-dev 2012-08-02 20:19:04 UTC
arm has no stable keywords, removing us. All arches done.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-08-06 23:59:05 UTC
CVE-2012-2459 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2459):
  Unspecified vulnerability in bitcoind and Bitcoin-Qt before 0.4.6, 0.5.x
  before 0.5.5, 0.6.0.x before 0.6.0.7, and 0.6.x before 0.6.2 allows remote
  attackers to cause a denial of service (block-processing outage and
  incorrect block count) via unknown behavior on a Bitcoin network.
Comment 16 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-07 00:53:37 UTC
Thanks, everyone.

GLSA vote: no.
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2012-08-11 17:57:59 UTC
GLSA Vote: no too. Closing noglsa.