Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 790293 (CVE-2021-31876) - net-p2p/bitcoin*: Improper policy implementation of BIP125 (CVE-2021-31876)
Summary: net-p2p/bitcoin*: Improper policy implementation of BIP125 (CVE-2021-31876)
Status: IN_PROGRESS
Alias: CVE-2021-31876
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 1 vote (vote)
Assignee: Gentoo Security
URL: https://lists.linuxfoundation.org/pip...
Whiteboard: ?? [upstream?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-15 01:21 UTC by Sam James
Modified: 2021-10-12 02:29 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-05-15 01:21:35 UTC
Description:
"Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with nSequence = 0xff_ff_ff_ff, spending an unconfirmed parent with nSequence <= 0xff_ff_ff_fd, should be replaceable because there is inherited signaling by the child transaction. However, the actual PreChecks implementation does not enforce this. Instead, mempool rejects the replacement attempt of the unconfirmed child transaction."
Comment 1 Sam James archtester gentoo-dev Security 2021-05-15 01:23:03 UTC
It's not clear to me if this is an actual vulnerability or if it's possible for it to be fixed without great difficulty. Luke?
Comment 2 Luke-Jr 2021-05-15 04:34:44 UTC
It's arguably a bug, but definitely not a security issue in Bitcoin Core.

It may be a real security issue in other software - as I understand it, some Lightning implementations and similar layer-2 software are affected.
Comment 3 John Helmert III gentoo-dev Security 2021-06-23 13:54:55 UTC
If Bitcoin Core is where the vulnerability needs to be fixed (and it's not going to be fixed elsewhere) then it needs to be handled as a vulnerability in Bitcoin Core.
Comment 4 Luke-Jr 2021-06-23 18:16:42 UTC
(In reply to John Helmert III from comment #3)
> If Bitcoin Core is where the vulnerability needs to be fixed

It's not and can't be.
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:22:24 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:30:39 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:38:36 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:46:43 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:02:43 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:10:58 UTC
Package list is empty or all packages have requested keywords.
Comment 11 Luke-Jr 2021-07-29 20:34:06 UTC
I'm not sure what, if any, packages exist in Gentoo actually affected by this CVE.

Only possibility I can see at a glance is net-misc/electrum, but I am not certain of it.