Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security advisories for bugs fixed as of Bitcoin Core 0.21.0 #1042

Merged
merged 11 commits into from
Jul 3, 2024
Merged

Security advisories for bugs fixed as of Bitcoin Core 0.21.0 #1042

merged 11 commits into from
Jul 3, 2024

Conversation

darosior
Copy link
Member

@darosior darosior commented Jul 3, 2024
edited by fanquake

This publicly discloses 10 security vulnerabilities fixed in Bitcoin Core 0.21.0 or earlier versions.

These writeups result from a common effort to dig up and document past vulnerabilities with achow101 ajtowns fanquake dergoegge and sipa.

murchandamus
murchandamus reviewed Jul 3, 2024
View reviewed changes
Copy link
Contributor

@murchandamus murchandamus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed that all of the advisories share the same excerpt " Public disclosure of a DoS vulnerability affecting old versions of Bitcoin Core". Should these perhaps be individualized to actually summarize the content of each advisory?

_posts/en/posts/2024-06-10-disclose-bip70-crash.md Outdated
@@ -0,0 +1,46 @@
---
title: Disclosure: crash due to malicious BIP72 URI (<= version 0.19.2)
name: blog-disclose-bip70-crash
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The title says BIP 72, the name says BIP 70. Which one is it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BIP72 is in the context of BIP70. The attacker exploits the BIP70 implementation, by leveraging a BIP72 feature. I think it's correct as is.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, thanks. The disclosure doesn’t mention BIP 70 at all except in the name, perhaps it would make sense to explain this in the body of the disclosure?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It now mentions BIP70 in the excerpt too, i think it's good enough?

_posts/en/posts/2024-06-10-disclose-bip70-crash.md Outdated Show resolved Hide resolved
_posts/en/posts/2024-06-10-disclose-inv-buffer-blowup.md Outdated Show resolved Hide resolved
_posts/en/posts/2024-06-10-disclose-inv-buffer-blowup.md Outdated Show resolved Hide resolved
_posts/en/posts/2024-06-10-disclose-orphan-dos.md Outdated Show resolved Hide resolved
_posts/en/posts/2024-06-10-disclose-unbounded-banlist.md Outdated
- 2020-07-07 Pieter's PR is merged
- 2020-08-01 Bitcoin Core 0.20.1 is released with the fix
- 2021-01-14 Bitcoin Core 0.21.0 is released with the fix
- 2022-04-25 The last vulnerable Bitcoin Core version (0.20.0) goes EOL
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to old versions of the old lifecycle table (which were used to create the new table), v0.20.0 went end-of-life on 2022-02-01. One of the two should probably be amended.

Corollary: Should the EOL always be based on the release date of the Major version three later or the target release date of the Major version three later?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to https://github.com/bitcoin/bitcoin/releases/tag/v23.0 and the dates at https://bitcoincore.org/bin/bitcoin-core-23.0/ 23.0 was released on April 25th. So i think the date here is correct.

Corollary: Should the EOL always be based on the release date of the Major version three later or the target release date of the Major version three later?

No strong opinion but i had assumed it's when the release 3 versions later actually get released.

_posts/en/posts/2024-06-10-disclose_already_asked_for.md Outdated Show resolved Hide resolved
_posts/en/posts/2024-06-10-disclose_already_asked_for.md Outdated Show resolved Hide resolved
_posts/en/posts/2024-06-10-disclose_receive_buffer_oom.md Outdated Show resolved Hide resolved
_posts/en/posts/2024-06-10-disclose_upnp_rce.md Outdated Show resolved Hide resolved
@darosior darosior force-pushed the 2406_historical_disclosures branch from 8ea36c6 to 815e630 Compare July 3, 2024 13:43
@vnprc vnprc mentioned this pull request Jul 3, 2024
Closed
fanquake added a commit to fanquake/bitcoincore.org that referenced this pull request Jul 3, 2024
@fanquake
build: add --strict_front_matter to build invocation
f703571 
Should help catch issues like those in bitcoin-core#1042, which didn't cause the CI
to fail.

```bash
bundle exec jekyll server --future --drafts --unpublished --incremental --strict_front_matter
...
 Incremental build: enabled
      Generating...
             Error: YAML Exception reading /Users/michael/bitcoincore.org/_posts/en/posts/2024-06-10-disclose-bip70-crash.md: (<unknown>): mapping values are not allowed in this context at line 2 column 18
                    ------------------------------------------------
```
@fanquake fanquake mentioned this pull request Jul 3, 2024
Merged
@darosior darosior force-pushed the 2406_historical_disclosures branch from 815e630 to 29f1c6c Compare July 3, 2024 14:36
@darosior
Copy link
Member Author

darosior commented Jul 3, 2024

Thanks everyone for the review. Addressed all comments in the latest push.

dergoegge
dergoegge approved these changes Jul 3, 2024
View reviewed changes
Copy link
Member

@dergoegge dergoegge left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 29f1c6c

@benthecarman benthecarman mentioned this pull request Jul 3, 2024
Closed
@sipa
Copy link
Contributor

sipa commented Jul 3, 2024 

*  8455:192: ERROR: Invalid first character of tag name '='.
        <h2><a href="/en/2024/06/10/disclose-getdata-cpu/" title="Disclosure of CPU DoS due to malicious P2P message (<= version 0.19.2)">Disclosure of CPU DoS due to malicious P2P message (<= version 0.19.2)</a></h2>
                                                                                                                                                                                               ^ (line 8455)

fanquake added a commit that referenced this pull request Jul 3, 2024
@fanquake
Merge #1043: build: add --strict_front_matter to build invocation
5964aff 
f703571 build: add --strict_front_matter to build invocation (fanquake)

Pull request description:

  Should help catch issues like those in #1042, which didn't cause the CI to fail.

  ```bash
  bundle exec jekyll server --future --drafts --unpublished --incremental --strict_front_matter
  ...
   Incremental build: enabled
        Generating...
               Error: YAML Exception reading /bitcoincore.org/_posts/en/posts/2024-06-10-disclose-bip70-crash.md: (<unknown>): mapping values are not allowed in this context at line 2 column 18
                      ------------------------------------------------
  ```

ACKs for top commit:
  dergoegge:
    utACK f703571

Tree-SHA512: f9e748ca356cac1043ce0458cd654eb041f446a10861b38d608b28c1fbb7f079bdf3bb2b9f06b0e37a962bf26d35563bf59a538deaf18ffe98b859ffb5cd6f97
@darosior
Copy link
Member Author

darosior commented Jul 3, 2024
edited 

*  8455:192: ERROR: Invalid first character of tag name '='.
        <h2><a href="/en/2024/06/10/disclose-getdata-cpu/" title="Disclosure of CPU DoS due to malicious P2P message (<= version 0.19.2)">Disclosure of CPU DoS due to malicious P2P message (<= version 0.19.2)</a></h2>
                                                                                                                                                                                               ^ (line 8455)

Looks like the CI doesn't like <=, can i just use &le; with Jekyll?

@darosior
Copy link
Member Author

darosior commented Jul 3, 2024

I noticed that all of the advisories share the same excerpt " Public disclosure of a DoS vulnerability affecting old versions of Bitcoin Core". Should these perhaps be individualized to actually summarize the content of each advisory?

They are not. It depends on the nature of the vulnerability. For some it's DoS, for other it's RCE or even "censorship". Nonetheless i've now added an excerpt with more details about the content for each post.

*  8455:192: ERROR: Invalid first character of tag name '='.
        <h2><a href="/en/2024/06/10/disclose-getdata-cpu/" title="Disclosure of CPU DoS due to malicious P2P message (<= version 0.19.2)">Disclosure of CPU DoS due to malicious P2P message (<= version 0.19.2)</a></h2>
                                                                                                                                                                                               ^ (line 8455)

I've updated with using &le; instead of using <=. Let's see what the linter says.

@darosior darosior force-pushed the 2406_historical_disclosures branch from 29f1c6c to d8bd2d6 Compare July 3, 2024 15:29
@achow101
Copy link
Member

achow101 commented Jul 3, 2024

Screenshot_20240703_115254

The blog published dates and the disclosure timeline don't match. The dates for the blog section are pulled from the dates in file name.

@darosior darosior force-pushed the 2406_historical_disclosures branch from d8bd2d6 to 0a549fa Compare July 3, 2024 15:55
@darosior
Copy link
Member Author

darosior commented Jul 3, 2024

Alright, did one last push to:

  • update the date in the filename to match today's instead of when i starting writing those up
  • address a couple nits
  • correct the type of the first post

@darosior
Copy link
Member Author

darosior commented Jul 3, 2024

The blog published dates and the disclosure timeline don't match. The dates for the blog section are pulled from the dates in file name.

Yeah i think this should be fixed now.

@achow101
Copy link
Member

achow101 commented Jul 3, 2024

ACK 0a549fa

1 similar comment
@sipa
Copy link
Contributor

sipa commented Jul 3, 2024

ACK 0a549fa

fanquake
fanquake approved these changes Jul 3, 2024
View reviewed changes
Copy link
Member

@fanquake fanquake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 0a549fa

@fanquake fanquake merged commit 958404b into bitcoin-core:master Jul 3, 2024
2 checks passed
@darosior darosior deleted the 2406_historical_disclosures branch July 3, 2024 16:30
@ariard
Copy link

ariard commented Jul 4, 2024

@darosior @fanquake @ajtowns @sipa @achow101 @dergoegge

As I suggested on your gist here, I think it would be a good idea to PGP-signed the security advisories to minimize infrastructure compromise risks like the website or github.com being tampered with. Especially, github their 2FA authentication is not great.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sipa sipa sipa left review comments

@bitschmidty bitschmidty bitschmidty left review comments

@achow101 achow101 achow101 left review comments

@murchandamus murchandamus murchandamus left review comments

@glozow glozow glozow left review comments

@fanquake fanquake fanquake approved these changes

@dergoegge dergoegge dergoegge approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
9 participants
@darosior @sipa @achow101 @ariard @fanquake @bitschmidty @murchandamus @dergoegge @glozow