DeckerSU
DeckerSU
remotely reachable memory-safety issues on the block and transaction validation paths. All node operators
and GUI wallet users must upgrade from rc3.
What's Changed
This release closes several remotely reachable memory-safety bugs in block and transaction validation,
hardens a few latent issues, and disables the unsafe NSPV message processing surface:
- Fixed a remote null-deref / use-after-free in block and script validation: guard zero-length push in
IsCoinImport(), guard empty OP_RETURN in Heir CC _DecodeHeirOpRet(), and fix a use-after-free in
ConnectBlock() (CVE-2024-52911 class) by joining script-check threads before txdata is destroyed. - Hardened CheckBlock() against uninitialized pubkey33 and an out-of-bounds read in komodo_checkopret().
- Refuse to start with -nspv_msg: the getnSPV/nSPV P2P handlers are remotely memory-unsafe (stack overflow
and out-of-bounds reads).
Full Changelog: v0.9.2-rc3...v0.9.2-rc4
Checksum & VirusTotal Analysis:
| Link | SHA256 |
|---|---|
| komodo-qt-mac.zip | 28b2556db157dea6e3f65e386ed75578392b86eca7c94c93de76448a10fc614e |
| komodo-qt-win.zip | 5959ec103a83751b8ee238f94b88538522e8f35ce4b9428c01784b519baa213e |
| komodo-qt-linux-focal.tar.gz | 9c8ee83206d56ea7bf67dbcd823e96866f6df8a5acf49b3e8bb8ab31b0894f17 |
| KomodoOcean-0.9.2-rc4.dmg | c43e1d8aee285310a07b92479dbd3607c6027c85fe11d9aa211aa129c738a80f |
This release was signed by https://keybase.io/deckersu (GPG fingerprint: FD9A 772C 7300 F4C8 94D1 A819 FE50 4808 62E6 451C).
Notes
For all people who worries about virustotal check results (especially for MacOS and Linux versions): even Bitcoin Core for Mac bitcoin-0.18.1-osx64.tar.gz from official site detected by some AV software as MAC.Miner.6 / RiskTool.OSX.Miner, here is a proof. So, Komodo-Qt (KomodoOcean) is not an exception, bcz it includes miner.