Bug 835610 (CVE-2021-42219, CVE-2022-37450) - net-p2p/go-ethereum: DoS via message flood
Summary: net-p2p/go-ethereum: DoS via message flood
Status: CONFIRMED
Alias: CVE-2021-42219, CVE-2022-37450
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://docs.google.com/document/d/1d...
Whiteboard: ~3 [??]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-19 04:46 UTC by John Helmert III
Modified: 2022-08-08 16:16 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-19 04:46:06 UTC
CVE-2021-42219:

Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go.

Yeah, the only reference is a Google Doc. I don't know what to make of this, but filing anyway so it doesn't get lost. CVE and "advisory" mention 1.10.9 and we currently have 1.10.14 in tree.
Comment 1 Larry the Git Cow gentoo-dev 2022-05-15 02:54:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95934a6cad470274b7797c1abceabfd66f3dfbf9

commit 95934a6cad470274b7797c1abceabfd66f3dfbf9
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-15 02:46:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-15 02:46:00 +0000

    net-p2p/go-ethereum: add 1.10.17
    
    Bug: https://bugs.gentoo.org/844496
    Bug: https://bugs.gentoo.org/835610
    Bug: https://bugs.gentoo.org/679066
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/go-ethereum/Manifest                   |  2 ++
 net-p2p/go-ethereum/go-ethereum-1.10.17.ebuild | 44 ++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-15 02:56:23 UTC
Still couldn't find any more info...
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-08 16:16:43 UTC
CVE-2022-37450 (https://news.ycombinator.com/item?id=32354896):
https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94
http://dx.doi.org/10.13140/RG.2.2.27813.99043
https://medium.com/@aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef

Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.

Unsure if a fixed version exists.