fix(deps): update module github.com/btcsuite/btcd to v0.24.2 [security] #2332
Conversation
ℹ Artifact update notice
File name: go.mod
In order to perform the update(s) described in the table above, Renovate ran the
Details:
Coverage from tests in coverage: 55.4% of statements across all listed packages
- coverage: 68.4% of statements in consensus/istanbul
- coverage: 63.6% of statements in consensus/istanbul/announce
- coverage: 57.5% of statements in consensus/istanbul/backend
- coverage: 0.0% of statements in consensus/istanbul/backend/backendtest
- coverage: 24.3% of statements in consensus/istanbul/backend/internal/replica
- coverage: 66.5% of statements in consensus/istanbul/core
- coverage: 50.0% of statements in consensus/istanbul/db
- coverage: 0.0% of statements in consensus/istanbul/proxy
- coverage: 64.2% of statements in consensus/istanbul/uptime
- coverage: 52.4% of statements in consensus/istanbul/validator
- coverage: 79.2% of statements in consensus/istanbul/validator/random
9283f30 to 14179c1 (Compare)
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
14179c1 to 9043267 (Compare)
Renovate Ignore Notification
Because you closed this PR without merging, Renovate will ignore this update ( If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates: github.com/btcsuite/btcd v0.24.0 -> v0.24.2
GitHub Vulnerability Alerts
CVE-2024-38365
Impact
The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality. This
logic is consensus-critical: the difference in behavior with the other Bitcoin clients can lead to btcd clients accepting an invalid Bitcoin block (or rejecting a valid one).
This consensus failure can be leveraged to cause a chain split (accepting an invalid Bitcoin block) or be exploited to DoS the btcd nodes (rejecting a valid Bitcoin block). An attacker can create a standard transaction where FindAndDelete doesn't return a match but removeOpCodeByData does making btcd get a different sighash, leading to a chain split. Importantly, this vulnerability can be exploited remotely by any Bitcoin user and does not require any hash power. This is because the difference in behavior can be triggered by a "standard" Bitcoin
transaction, that is a transaction which gets relayed through the P2P network before it gets included in a Bitcoin block.
FindAndDelete vs. removeOpcodeByData
removeOpcodeByData(script []byte, dataToRemove []byte) removes any data pushes from script that contain dataToRemove. However, FindAndDelete only removes exact matches. So for example, with script = "<data> <data||foo>" and dataToRemove = "data", btcd will remove both data pushes but Bitcoin Core's FindAndDelete only removes the first <data> push.
Patches
This has been patched in btcd version v0.24.2-beta.
References
FindAndDelete: GHSA-27vh-h6mc-q6g8
btcd did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality
CVE-2024-38365 / GHSA-27vh-h6mc-q6g8 / GO-2024-3189
More information
Details
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Consensus failure in github.com/btcsuite/btcd
CVE-2024-38365 / GHSA-27vh-h6mc-q6g8 / GO-2024-3189
More information
Details
The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's 'FindAndDelete()' functionality, causing discrepancies in the validation of Bitcoin blocks. This can lead to a chain split (accepting an invalid block) or Denial of Service (DoS) attacks (rejecting a valid block). An attacker can trigger this vulnerability by constructing a 'standard' Bitcoin transaction that exhibits different behaviors in 'FindAndDelete()' and 'removeOpcodeByData()'.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Release Notes
btcsuite/btcd (github.com/btcsuite/btcd)
v0.24.2
Compare Source
This release includes important bug fixes related to subtle interactions related to re-orgs and the UTXO set cache. These fixes are considered security critical.
This release also includes implementations of invalidateblock and reconsiderblock which can be useful in helping nodes that were afflicted by the aforementioned bugs to recover without needing to resync the entire chain. With this release, btcd now also implements the testmempoolaccept RPC which can be useful to check a transaction candidate for validity from a policy and conflict perspective before broadcasting. Along the way, we've added some additional policy checks that exist in other Bitcoin full node implementations. This release also contains fixes to some parsing issues discovered via fuzz testing.
Finally, as mentioned above, this release includes important security fixes, with full details to be disclosed in 90 days.
What's Changed
- testmempoolaccept for both bitcoind and btcd by @yyforyongyu in https://github.com/btcsuite/btcd/pull/2053
- make help to display the usage for project Makefile by @Halimao in https://github.com/btcsuite/btcd/pull/2107
- gettxspendingprevout for btcd and fix version check by @yyforyongyu in https://github.com/btcsuite/btcd/pull/2125
- witnessToHex into a method ToHexStrings on TxWitness by @ffranr in https://github.com/btcsuite/btcd/pull/1991
- AgentWhitelist by @youngjoon-lee in https://github.com/btcsuite/btcd/pull/2140
New Contributors
Full Changelog: btcsuite/btcd@v0.24.0...v0.24.2
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
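The advisory above turns on one semantic difference: btcd's removeOpcodeByData dropped every data push that contains the target bytes, while Bitcoin Core's FindAndDelete drops only byte-for-byte matches, so the two clients can hash different scripts for the same signature check. The following Go program is an added example, not code from btcd or this PR: it uses a constructed, simplified push-only script parser (direct pushes of 1 to 75 bytes only) and a consistency check that flags any script/target pair on which the two semantics diverge, which is the kind of test a node operator or reviewer would want when validating a fix.

```go
package main

import (
	"bytes"
	"fmt"
	"reflect"
)

// parsePushes splits a push-only script into its data pushes. Constructed for this
// example, not btcd's tokenizer: only direct pushes <len 1..75><data> are accepted.
func parsePushes(script []byte) ([][]byte, error) {
	var out [][]byte
	for i := 0; i < len(script); {
		n := int(script[i])
		if n < 1 || n > 75 || i+1+n > len(script) {
			return nil, fmt.Errorf("unsupported or truncated push at offset %d", i)
		}
		out, i = append(out, script[i+1:i+1+n]), i+1+n
	}
	return out, nil
}

// removeMatching drops every push for which match(push, target) is true: bytes.Contains
// gives the pre-v0.24.2 btcd semantics, bytes.Equal Bitcoin Core's exact-match FindAndDelete.
func removeMatching(pushes [][]byte, target []byte, match func(a, b []byte) bool) [][]byte {
	var kept [][]byte
	for _, p := range pushes {
		if !match(p, target) {
			kept = append(kept, p)
		}
	}
	return kept
}

// scriptsDiverge reports whether the two semantics leave different scripts behind,
// i.e. whether the two clients would hash different data for the signature check.
func scriptsDiverge(script, target []byte) (bool, error) {
	pushes, err := parsePushes(script)
	if err != nil {
		return false, err
	}
	btcd := removeMatching(pushes, target, bytes.Contains)
	core := removeMatching(pushes, target, bytes.Equal)
	return !reflect.DeepEqual(btcd, core), nil
}

func main() {
	script := []byte{4, 'd', 'a', 't', 'a', 7, 'd', 'a', 't', 'a', 'f', 'o', 'o'} // constructed "<data> <data||foo>"
	fmt.Println(scriptsDiverge(script, []byte("data"))) // true <nil>
}
```

A script whose pushes either equal the target exactly or do not contain it at all is handled identically by both semantics, so the check reports false for it; only pushes that contain the target without equalling it produce a divergence.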