Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 462046 (CVE-2013-2273) - <net-p2p/bitcoind-0.8.0rc1, net-p2p/bitcoin-qt-0.8.0rc1: multiple vulnerabilities (CVE-2013-{2272,2273,2292,2293})
Summary: <net-p2p/bitcoind-0.8.0rc1, net-p2p/bitcoin-qt-0.8.0rc1: multiple vulnerabili...
Status: RESOLVED FIXED
Alias: CVE-2013-2273
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 462598
Blocks:
  Show dependency tree
 
Reported: 2013-03-17 14:13 UTC by Agostino Sarubbo
Modified: 2016-03-18 07:37 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-03-17 14:13:10 UTC
CVE-2013-2273 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2273 :

bitcoind and Bitcoin-Qt before 0.4.9rc1, 0.5.x before 0.5.8rc1, 0.6.0 before 0.6.0.11rc1, 0.6.1 through 0.6.5 before 0.6.5rc1, and 0.7.x before 0.7.3rc1 make it easier for remote attackers to obtain potentially sensitive information about returned change by leveraging certain predictability in the outputs of a Bitcoin transaction.


CVE-2013-2292 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2292 :

bitcoind and Bitcoin-Qt 0.8.0 and earlier allow remote attackers to cause a denial of service (electricity consumption) by mining a block to create a nonstandard Bitcoin transaction containing multiple OP_CHECKSIG script opcodes.


CVE-2013-2293 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2293 :

The CTransaction::FetchInputs method in bitcoind and Bitcoin-Qt before 0.8.0rc1 copies transactions from disk to memory without incrementally checking for spent prevouts, which allows remote attackers to cause a denial of service (disk I/O consumption) via a Bitcoin transaction with many inputs corresponding to many different parts of the stored block chain.
Comment 1 Luke-Jr 2013-03-17 15:39:37 UTC
CVE-2013-2292 should get another bug, as it is still unresolved.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-03-19 20:26:55 UTC
CVE-2013-2293 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2293):
  The CTransaction::FetchInputs method in bitcoind and Bitcoin-Qt before
  0.8.0rc1 copies transactions from disk to memory without incrementally
  checking for spent prevouts, which allows remote attackers to cause a denial
  of service (disk I/O consumption) via a Bitcoin transaction with many inputs
  corresponding to many different parts of the stored block chain.

CVE-2013-2292 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2292):
  bitcoind and Bitcoin-Qt 0.8.0 and earlier allow remote attackers to cause a
  denial of service (electricity consumption) by mining a block to create a
  nonstandard Bitcoin transaction containing multiple OP_CHECKSIG script
  opcodes.

CVE-2013-2273 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2273):
  bitcoind and Bitcoin-Qt before 0.4.9rc1, 0.5.x before 0.5.8rc1, 0.6.0 before
  0.6.0.11rc1, 0.6.1 through 0.6.5 before 0.6.5rc1, and 0.7.x before 0.7.3rc1
  make it easier for remote attackers to obtain potentially sensitive
  information about returned change by leveraging certain predictability in
  the outputs of a Bitcoin transaction.

CVE-2013-2272 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2272):
  The penny-flooding protection mechanism in the CTxMemPool::accept method in
  bitcoind and Bitcoin-Qt before 0.4.9rc1, 0.5.x before 0.5.8rc1, 0.6.0 before
  0.6.0.11rc1, 0.6.1 through 0.6.5 before 0.6.5rc1, and 0.7.x before 0.7.3rc1
  allows remote attackers to determine associations between wallet addresses
  and IP addresses via a series of large Bitcoin transactions with
  insufficient fees.
Comment 3 Anthony Basile gentoo-dev 2013-03-19 21:46:19 UTC
Luke can you identify which ones we should keep on the tree and which ones we should drop?
Comment 4 Anthony Basile gentoo-dev 2013-03-27 23:57:59 UTC
net-p2p/bitcoind, net-p2p/bitcoin-qt 0.8.1 are now in the tree.
Comment 5 Luke-Jr 2013-03-28 00:44:16 UTC
(In reply to comment #4)
> net-p2p/bitcoind, net-p2p/bitcoin-qt 0.8.1 are now in the tree.

Note that 0.8.1 did not fix any of the vulnerabilities in this bug...
Comment 6 Anthony Basile gentoo-dev 2013-03-28 00:46:03 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > net-p2p/bitcoind, net-p2p/bitcoin-qt 0.8.1 are now in the tree.
> 
> Note that 0.8.1 did not fix any of the vulnerabilities in this bug...

Thanks wasn't certain, hence comment #3
Comment 7 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-30 00:52:03 UTC
@maintainers: ping, does 0.8.3 fix these issues?
Comment 8 Luke-Jr 2013-08-30 01:17:19 UTC
https://en.bitcoin.it/wiki/CVEs
Comment 9 Luke-Jr 2015-02-23 23:04:05 UTC
This should be closed.
Comment 10 Anthony Basile gentoo-dev 2015-02-23 23:09:20 UTC
@security team.  go ahead and vote on glsa. we're done.
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-18 07:37:59 UTC
Vulnerable packages have been gone for over 2 years so no GLSA.