CVE-2013-2272 remotely triggered info leak (IP address) via series of large transactions

Related Vulnerabilities: CVE-2013-2272   CVE-2013-2293  

Debian Bug report logs - #705266


Reported by: Petter Reinholdtsen <pere@hungry.com>

Date: Fri, 12 Apr 2013 08:45:01 UTC

Severity: serious

Tags: security

Found in versions 0.3.24, bitcoin/0.7.2-3

Fixed in versions bitcoin/0.8.1-1, bitcoin/0.8.1-2

Done: Scott Howard <showard@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>:
Bug#705266; Package bitcoind, bitcoin-qt. (Fri, 12 Apr 2013 08:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
New Bug report received and forwarded. Copy sent to Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>. (Fri, 12 Apr 2013 08:45:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@hungry.com>
To: submit@bugs.debian.org
Subject: CVE-2013-2272 remotely triggered info leak (IP address) via series of large transactions
Date: Fri, 12 Apr 2013 10:42:01 +0200
Package: bitcoind, bitcoin-qt
Version: 0.3.24
Severity: serious
Tags: security

I found this via
<URL: https://security-tracker.debian.org/tracker/CVE-2013-2272 >, and
report it here to make sure the package maintainers are aware of the
issue, and to get a place to track its status in Debian.  It is one of
four open CVEs listed in the security tracker.  Setting the version
found to the one in the stable backport archive.  The issue should also
be present in the package available in unstable (0.7.2).

This is the problem description:

  The penny-flooding protection mechanism in the CTxMemPool::accept
  method in bitcoind and Bitcoin-Qt before 0.4.9rc1, 0.5.x before
  0.5.8rc1, 0.6.0 before 0.6.0.11rc1, 0.6.1 through 0.6.5 before
  0.6.5rc1, and 0.7.x before 0.7.3rc1 allows remote attackers to
  determine associations between wallet addresses and IP addresses via a
  series of large Bitcoin transactions with insufficient fees.

I expect the issue is fixed in 0.8.1 in experimental.

-- 
Happy hacking
Petter Reinholdtsen



Marked as fixed in versions bitcoin/0.8.1-1. Request was from Scott Howard <showard314@gmail.com> to control@bugs.debian.org. (Fri, 12 Apr 2013 20:03:09 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Scott Howard <showard314@gmail.com> to control@bugs.debian.org. (Fri, 12 Apr 2013 20:03:11 GMT) (full text, mbox, link).


Marked as found in versions bitcoin/0.7.2-3. Request was from Scott Howard <showard314@gmail.com> to control@bugs.debian.org. (Fri, 12 Apr 2013 20:27:06 GMT) (full text, mbox, link).


Reply sent to Scott Howard <showard@debian.org>:
You have taken responsibility. (Wed, 24 Apr 2013 03:15:09 GMT) (full text, mbox, link).


Notification sent to Petter Reinholdtsen <pere@hungry.com>:
Bug acknowledged by developer. (Wed, 24 Apr 2013 03:15:09 GMT) (full text, mbox, link).


Message #16 received at 705266-close@bugs.debian.org (full text, mbox, reply):

From: Scott Howard <showard@debian.org>
To: 705266-close@bugs.debian.org
Subject: Bug#705266: fixed in bitcoin 0.8.1-2
Date: Wed, 24 Apr 2013 03:02:39 +0000
Source: bitcoin
Source-Version: 0.8.1-2

We believe that the bug you reported is fixed in the latest version of
bitcoin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 705266@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Howard <showard@debian.org> (supplier of updated bitcoin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 26 Mar 2013 13:52:40 -0400
Source: bitcoin
Binary: bitcoind bitcoin-qt
Architecture: source i386
Version: 0.8.1-2
Distribution: unstable
Urgency: low
Maintainer: Debian Bitcoin Packaging Team <pkg-bitcoin-devel@lists.alioth.debian.org>
Changed-By: Scott Howard <showard@debian.org>
Description: 
 bitcoin-qt - peer-to-peer network based digital currency - GUI
 bitcoind   - peer-to-peer network based digital currency - daemon
Closes: 705265 705266
Changes: 
 bitcoin (0.8.1-2) unstable; urgency=low
 .
   * Merge from experimental closing two security bugs in sid
     - Closes: #705266 CVE-2013-2272
     - Closes: #705265 CVE-2013-2293
   * Import patches from libleveldb to fix one of the kFreeBSD & hurd FTBFS
   * Added high res icons to package (LP: #1127181)
   * Remove reference to IRC network in debian/control
   * Patch and ship upstream manpages instead of maintaining our own
     - updated bitcoin-qt manpage for version 0.8.1
   * Drop wrapper for bitcoind
     - upstream has dropped it and the wrapper may introduce problems with
       multi-wallet or non-default data directories




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 22 May 2013 07:28:14 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:32:33 2019; Machine Name: buxtehude
