[Pkg-bitcoin-devel] Bug#705265: CVE-2013-2293 Remote DOS vulnerability in CTransaction::FetchInputs

Petter Reinholdtsen pere at hungry.com
Fri Apr 12 08:34:15 UTC 2013


Package: bitcoind, bitcoin-qt
Version: 0.3.24

I found this via
<URL: https://security-tracker.debian.org/tracker/CVE-2013-2293 >,
and report it here to make sure the package maintainers are aware of the
issue, and to get a place to track its status in Debian.  It is one of
four open CVEs listed in the security tracker.  Setting the version
found to the one in the stable backport archive.  The issue should also
be present in the package available in unstable (0.7.2).

This is the problem description:

  The CTransaction::FetchInputs method in bitcoind and Bitcoin-Qt before
  0.8.0rc1 copies transactions from disk to memory without incrementally
  checking for spent prevouts, which allows remote attackers to cause a
  denial of service (disk I/O consumption) via a Bitcoin transaction
  with many inputs corresponding to many different parts of the stored
  block chain.

I expect the issue is fixed in 0.8.1 in experimental.

-- 
Happy hacking
Petter Reinholdtsen
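As an added illustration of the bug class named in the CVE text (not code from this report or from bitcoind), the following toy C++ model contrasts the two shapes of an input-fetching routine: one that reads every referenced transaction from disk before checking whether its prevouts are spent, and one that checks each prevout as soon as it is fetched and stops at the first bad one. The index, the disk-read counter and the sample chain are all constructed here and stand in for the real on-disk block chain.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>
struct OutPoint { uint64_t txid; uint32_t n; };   // reference to a prior tx output
// Toy stand-in for one on-disk transaction index record: spent[n] is true once
// output n has been consumed by a later transaction (constructed model).
struct TxIndexEntry { std::vector<bool> spent; };
struct Validator {
    std::map<uint64_t, TxIndexEntry> index;  // stands in for the stored block chain
    size_t diskReads = 0;                     // counts simulated disk fetches
    const TxIndexEntry* fetchFromDisk(uint64_t txid) {  // simulated disk I/O
        ++diskReads;
        auto it = index.find(txid);
        return it == index.end() ? nullptr : &it->second;
    }
    // Weak shape the CVE text describes: fetch every referenced transaction
    // first, and only afterwards look at whether the prevouts are spent.
    bool fetchInputsNoIncrementalCheck(const std::vector<OutPoint>& vin) {
        std::vector<const TxIndexEntry*> fetched;
        for (const OutPoint& in : vin) fetched.push_back(fetchFromDisk(in.txid));
        for (size_t i = 0; i < vin.size(); ++i)
            if (!fetched[i] || vin[i].n >= fetched[i]->spent.size() ||
                fetched[i]->spent[vin[i].n]) return false;
        return true;
    }
    // Hardened shape: validate each prevout as soon as it is fetched, so the
    // first bad input ends the loop before any further disk read is issued.
    bool fetchInputsIncrementalCheck(const std::vector<OutPoint>& vin) {
        for (const OutPoint& in : vin) {
            const TxIndexEntry* e = fetchFromDisk(in.txid);
            if (!e || in.n >= e->spent.size() || e->spent[in.n]) return false;
        }
        return true;
    }
};
// Constructed sample chain: n prior transactions with one output each; output 0
// of transaction 0 is already spent, every other output is unspent.
Validator makeSampleChain(size_t n) {
    Validator v;
    for (uint64_t t = 0; t < n; ++t) v.index[t].spent = {t == 0};
    return v;
}
// A transaction that tries to spend output 0 of all n prior transactions.
std::vector<OutPoint> spendAll(size_t n) {
    std::vector<OutPoint> vin;
    for (uint64_t t = 0; t < n; ++t) vin.push_back({t, 0});
    return vin;
}
```

With a thousand-input transaction whose very first prevout is already spent, the weak shape performs a thousand simulated disk reads before rejecting it, while the incremental check rejects it after one.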