[Pkg-bitcoin-devel] Bug#705266: CVE-2013-2272 remotely triggered info leak (IP address) via series of large transactions
Petter Reinholdtsen
pere at hungry.com
Fri Apr 12 08:42:01 UTC 2013
Package: bitcoind, bitcoin-qt
Version: 0.3.24
Severity: serious
Tags: security
I found this via
<URL: https://security-tracker.debian.org/tracker/CVE-2013-2272 >, and
report it here to make sure the package maintainers are aware of the
issue, and to get a place to track its status in Debian. It is one of
four open CVEs listed in the security tracker. Setting the version
found to the one in the stable backport archive. The issue should also
be present in the package available in unstable (0.7.2).
This is the problem description:
The penny-flooding protection mechanism in the CTxMemPool::accept
method in bitcoind and Bitcoin-Qt before 0.4.9rc1, 0.5.x before
0.5.8rc1, 0.6.0 before 0.6.0.11rc1, 0.6.1 through 0.6.5 before
0.6.5rc1, and 0.7.x before 0.7.3rc1 allows remote attackers to
determine associations between wallet addresses and IP addresses via a
series of large Bitcoin transactions with insufficient fees.
I expect the issue is fixed in 0.8.1 in experimental.
--
Happy hacking
Petter Reinholdtsen