Bug 23681

Summary: bitcoin new security issue CVE-2018-17144
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: mga6-64-ok
Source RPM: bitcoin-0.16.2-2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-10-13 00:38:42 CEST 
openSUSE has issued an advisory on October 4:
https://lists.opensuse.org/opensuse-updates/2018-10/msg00012.html

The issue is fixed upstream in 0.16.3.

Mageia 6 is also affected.
David Walser 2018-10-13 00:38:50 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David GEIGER 2018-10-13 05:15:57 CEST 
Done for Cauldron and mga6!
Comment 2 David Walser 2018-10-13 16:23:05 CEST 
Advisory:
========================

Updated bitcoin packages fix security vulnerability:

Remote denial of service (application crash) exploitable by miners via duplicate
input (CVE-2018-17144).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17144
https://lists.opensuse.org/opensuse-updates/2018-10/msg00012.html
========================

Updated packages in core/updates_testing:
========================
bitcoind-0.16.3-1.mga6
bitcoin-qt-0.16.3-1.mga6
libbitcoinconsensus0-0.16.3-1.mga6
libbitcoinconsensus-devel-0.16.3-1.mga6

from bitcoin-0.16.3-1.mga6.src.rpm

Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA6TOO => (none)
CC: (none) => geiger.david68210
Version: Cauldron => 6

Comment 3 David Walser 2018-10-17 19:51:22 CEST 
David, I'm thinking that dogecoin is vulnerable to this too since it's based on the same code IIRC.
Comment 4 David GEIGER 2018-10-17 20:13:10 CEST 
(In reply to David Walser from comment #3)
> David, I'm thinking that dogecoin is vulnerable to this too since it's based
> on the same code IIRC.

I just checked if dogecoin is also affected but our version is now too old and does not contains the vulnerable code/file.

https://github.com/dogecoin/dogecoin/pull/1526

https://github.com/dogecoin/dogecoin/commit/696b936aa3ab6f459d0e16f9805eaeb747a0036c

No "src/validation.cpp" and "test/functional/p2p_invalid_block.py" files found!
Comment 5 David Walser 2018-10-17 20:35:59 CEST 
Cool, thanks David!
Comment 6 claire robinson 2018-10-25 10:31:42 CEST 
Testing complete mga6 64

Ensured bitcoin-qt began downloading the blockchain. There's too much of it to complete the download for this purpose so stopped after a while. 

As root, altered /etc/bitcoin.conf to use testnet=1, removing the preceding #

Started bitcoin daemon and checked status.


# systemctl start bitcoin.service
# systemctl status bitcoin.service 
● bitcoin.service - Bitcoin
   Loaded: loaded (/usr/lib/systemd/system/bitcoin.service; disabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-10-25 09:25:58 BST; 17s ago
 Main PID: 13886 (bitcoind)
   CGroup: /system.slice/bitcoin.service
           └─13886 /usr/bin/bitcoind -datadir=/var/lib/bitcoin -daemon -pid=/run/bitcoin/bitcoin.pid -conf=/etc/bitcoin.conf

Oct 25 09:25:58 localhost.localdomain systemd[1]: Started Bitcoin.

Whiteboard: (none) => mga6-64-ok
Keywords: (none) => has_procedure

Comment 7 Thomas Andrews 2018-10-26 01:07:37 CEST 
Thank you, Claire. The whole thing is beyond me, but your tests sound good. Validating with a 64-bit only test, as I believe that few would use 32-bit systems with Bitcoin, anyway.

Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-10-26 15:58:47 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2018-10-26 20:48:20 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0415.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED