Bug 23681 - bitcoin new security issue CVE-2018-17144
Summary: bitcoin new security issue CVE-2018-17144
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: mga6-64-ok
Keywords: advisory, has_procedure, validated_update
Depends on:
Reported: 2018-10-13 00:38 CEST by David Walser
Modified: 2018-10-26 20:48 CEST (History)
4 users (show)

See Also:
Source RPM: bitcoin-0.16.2-2.mga7.src.rpm
Status comment:


Description David Walser 2018-10-13 00:38:42 CEST
openSUSE has issued an advisory on October 4:

The issue is fixed upstream in 0.16.3.

Mageia 6 is also affected.
David Walser 2018-10-13 00:38:50 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David GEIGER 2018-10-13 05:15:57 CEST
Done for Cauldron and mga6!
Comment 2 David Walser 2018-10-13 16:23:05 CEST

Updated bitcoin packages fix security vulnerability:

Remote denial of service (application crash) exploitable by miners via duplicate
input (CVE-2018-17144).


Updated packages in core/updates_testing:

from bitcoin-0.16.3-1.mga6.src.rpm

Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA6TOO => (none)
CC: (none) => geiger.david68210
Version: Cauldron => 6

Comment 3 David Walser 2018-10-17 19:51:22 CEST
David, I'm thinking that dogecoin is vulnerable to this too since it's based on the same code IIRC.
Comment 4 David GEIGER 2018-10-17 20:13:10 CEST
(In reply to David Walser from comment #3)
> David, I'm thinking that dogecoin is vulnerable to this too since it's based
> on the same code IIRC.

I just checked if dogecoin is also affected but our version is now too old and does not contains the vulnerable code/file.



No "src/validation.cpp" and "test/functional/p2p_invalid_block.py" files found!
Comment 5 David Walser 2018-10-17 20:35:59 CEST
Cool, thanks David!
Comment 6 claire robinson 2018-10-25 10:31:42 CEST
Testing complete mga6 64

Ensured bitcoin-qt began downloading the blockchain. There's too much of it to complete the download for this purpose so stopped after a while. 

As root, altered /etc/bitcoin.conf to use testnet=1, removing the preceding #

Started bitcoin daemon and checked status.

# systemctl start bitcoin.service
# systemctl status bitcoin.service 
● bitcoin.service - Bitcoin
   Loaded: loaded (/usr/lib/systemd/system/bitcoin.service; disabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-10-25 09:25:58 BST; 17s ago
 Main PID: 13886 (bitcoind)
   CGroup: /system.slice/bitcoin.service
           └─13886 /usr/bin/bitcoind -datadir=/var/lib/bitcoin -daemon -pid=/run/bitcoin/bitcoin.pid -conf=/etc/bitcoin.conf

Oct 25 09:25:58 localhost.localdomain systemd[1]: Started Bitcoin.

Whiteboard: (none) => mga6-64-ok
Keywords: (none) => has_procedure

Comment 7 Thomas Andrews 2018-10-26 01:07:37 CEST
Thank you, Claire. The whole thing is beyond me, but your tests sound good. Validating with a 64-bit only test, as I believe that few would use 32-bit systems with Bitcoin, anyway.

Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-10-26 15:58:47 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2018-10-26 20:48:20 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.