Bug 482970 (CVE-2012-4684) - net-p2p/bitcoind, net-p2p/bitcoin-qt: Multiple vulnerabilities (CVE-2012-4684,CVE-2013-{3219,3220,4627})
Alias: CVE-2012-4684
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on: 480096
Reported: 2013-08-30 00:43 UTC by GLSAMaker/CVETool Bot
Modified: 2013-09-27 08:53 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2013-08-30 00:43:54 UTC
CVE-2013-4627:
  Unspecified vulnerability in bitcoind and Bitcoin-Qt 0.8.x allows remote
  attackers to cause a denial of service (memory consumption) via a large
  amount of tx message data.

CVE-2013-3220:
  bitcoind and Bitcoin-Qt before 0.4.9rc2, 0.5.x before 0.5.8rc2, 0.6.x before
  0.6.5rc2, and 0.7.x before 0.7.3rc2, and wxBitcoin, do not properly consider
  whether a block's size could require an excessive number of database locks,
  which allows remote attackers to cause a denial of service (split) and
  enable certain double-spending capabilities via a large block that triggers
  incorrect Berkeley DB locking.

CVE-2013-3219:
  bitcoind and Bitcoin-Qt 0.8.x before 0.8.1 do not enforce a certain block
  protocol rule, which allows remote attackers to bypass intended access
  restrictions and conduct double-spending attacks via a large block that
  triggers incorrect Berkeley DB locking in older product versions.

CVE-2012-4684:
  The alert functionality in bitcoind and Bitcoin-Qt before 0.7.0 supports
  different character representations of the same signature data, but relies
  on a hash of this signature, which allows remote attackers to cause a denial
  of service (resource consumption) via a valid modified signature for a
  circulating alert.

Couldn't find existing bugs for any of these CVEs, so filing here.
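
Added example, not part of the original report and not Bitcoin's own code: a simplified model of the CVE-2012-4684 class of bug, where a message is deduplicated by a hash that covers the signature bytes while the verifier accepts more than one encoding of the same signature. It assumes the "different representations" are ASN.1 encodings of an (r, s) integer pair, which the report does not state; all function names, the payload and both sample signatures are constructed for illustration.

```python
import hashlib

def read_int(buf, pos):
    """Leniently read one ASN.1 INTEGER (short-form length); return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02 or buf[pos + 1] & 0x80:
        raise ValueError("bad INTEGER header")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated INTEGER")
    return int.from_bytes(buf[pos + 2:end], "big"), end

def parse_sig_lenient(sig):
    """Accept padded integers, as a permissive verifier would; return (r, s)."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("bad SEQUENCE header")
    r, pos = read_int(sig, 2)
    s, pos = read_int(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes")
    return r, s

def encode_int(n):
    """Minimal DER INTEGER for a non-negative value."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return bytes([0x02, len(body)]) + body

def encode_sig_der(r, s):
    """The single canonical encoding (sketch: body must stay under 128 bytes)."""
    body = encode_int(r) + encode_int(s)
    return bytes([0x30, len(body)]) + body

def is_canonical(sig):
    """Strict check: reject anything that does not round-trip byte for byte."""
    try:
        return encode_sig_der(*parse_sig_lenient(sig)) == sig
    except ValueError:
        return False

def naive_id(payload, sig):
    """Weak: the dedup key depends on the raw signature bytes."""
    return hashlib.sha256(payload + sig).hexdigest()

def canonical_id(payload, sig):
    """Hardened: the dedup key depends on the signature's value, not its encoding."""
    return hashlib.sha256(payload + encode_sig_der(*parse_sig_lenient(sig))).hexdigest()

# Constructed sample data: the same (r, s) pair, strict and zero-padded.
PAYLOAD = b"constructed alert payload"
STRICT = bytes.fromhex("300802027a1102021f2e")
PADDED = bytes.fromhex("30090203007a1102021f2e")
```

With `naive_id` the two samples look like two different messages even though both carry the same signature value; rejecting non-canonical input with `is_canonical`, or keying on `canonical_id`, removes that ambiguity.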
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-30 00:52:50 UTC
I probably could have split that up a bit better. Summary:
CVE-2013-4627: <bitcoind-0.8.1. No action needed except maybe a GLSA.

CVE-2013-3220: 0.4.9rc2 in tree and nothing else in the 0.4 branch in tree. 0.5.8rc2, 0.7.3rc2 likewise. 0.6.5rc2 needs to be stabilized.

CVE-2013-3219: same as 2013-4627.

CVE-2012-4684: Affects 0.6.3. 0.6.5rc2 can be stabilized.

@maintainers: okay to stabilize 0.6.5rc2?
Comment 2 Luke-Jr 2013-08-30 01:18:01 UTC
0.6.5rc2 is too old (it won't work at all); rc4 would, but I don't think I made an ebuild for it yet.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 02:00:58 UTC
Will clean affected versions after the latest goes stable.
Comment 4 Sergey Popov gentoo-dev 2013-09-27 08:53:31 UTC
Closing as noglsa as per comment #1 in bug #484546