Komodo 0.9.2-2

@DeckerSU DeckerSU released this 25 Jun 01:37
v0.9.2-2
ae588a9

⚠️ This is a mandatory upgrade. This release is primarily a security hardening update: it fixes several
remotely reachable memory-safety issues on the block and transaction validation paths. All node operators
and GUI wallet users must upgrade from 0.9.2-1.

What's Changed

  • security: fix remote null-deref / use-after-free in block & script validation by @DeckerSU in #685

This release closes several remotely reachable memory-safety bugs in block and transaction validation,
hardens a few latent issues, and disables the unsafe NSPV message processing surface:

  • Fixed a remote null-deref / use-after-free in block and script validation: guard zero-length push in
    IsCoinImport(), guard empty OP_RETURN in Heir CC _DecodeHeirOpRet(), and fix a use-after-free in
    ConnectBlock() (CVE-2024-52911 class) by joining script-check threads before txdata is destroyed.
  • Hardened CheckBlock() against uninitialized pubkey33 and an out-of-bounds read in komodo_checkopret().
  • Refuse to start with -nspv_msg: the getnSPV/nSPV P2P handlers are remotely memory-unsafe (stack overflow
    and out-of-bounds reads).
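The zero-length push guard named in the first fix, shown as an added, simplified example of the pattern; it is not code from the Komodo repository. `ReadFirstPush`, `HasMarker` and the marker value `kMarker` are hypothetical names and values chosen for illustration, and only direct pushes and OP_PUSHDATA1 are handled.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical marker byte for this example; NOT Komodo's real eval-code value.
constexpr uint8_t kMarker = 0xE0;

// Reads the first data push of a script into `out`.
// Returns false for a non-push opcode or a declared length that runs past the buffer.
bool ReadFirstPush(const std::vector<uint8_t>& script, std::vector<uint8_t>& out) {
    out.clear();
    if (script.empty()) return false;
    size_t pos = 1, len = 0;
    const uint8_t op = script[0];
    if (op >= 0x01 && op <= 0x4b) {              // direct push of `op` bytes
        len = op;
    } else if (op == 0x4c) {                     // OP_PUSHDATA1: one length byte follows
        if (script.size() < 2) return false;
        len = script[1];
        pos = 2;
    } else {
        return false;                            // other opcodes are out of scope here
    }
    if (len > script.size() - pos) return false; // truncated push
    out.assign(script.begin() + pos, script.begin() + pos + len);
    return true;
}

// Hardened marker test. A push can parse successfully and still carry zero bytes,
// so the payload is checked for emptiness before its first byte is read.
// Without that check, indexing the empty vector is undefined behaviour.
bool HasMarker(const std::vector<uint8_t>& script) {
    std::vector<uint8_t> data;
    if (!ReadFirstPush(script, data)) return false;
    if (data.empty()) return false;              // the zero-length-push guard
    return data[0] == kMarker;
}

int main() {
    const std::vector<uint8_t> one_byte = {0x01, kMarker};   // constructed sample
    const std::vector<uint8_t> empty_push = {0x4c, 0x00};    // constructed sample
    return (HasMarker(one_byte) && !HasMarker(empty_push)) ? 0 : 1;
}
```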

Full Changelog: v0.9.2-1...v0.9.2-2

Checksum & VirusTotal Analysis:

Link SHA256
komodo-0.9.2-2-win.zip 1d80bb6361dd792a35534d174de4fa682661be1b793b9d4867a2f8688422d04b
komodo-0.9.2-2-linux.tar.gz f296bb500b76140c0210d64fa8c127eeba00dcbffd09cefc93a05f6af9392572

This release was signed by https://keybase.io/deckersu (GPG fingerprint: FD9A 772C 7300 F4C8 94D1 A819 FE50 4808 62E6 451C).