From: LORD HIS EXCELLENCY JAMES HRMH <willtech@live.com.au>
To: bitcoin-dev@lists.linuxfoundation.org, Luke Dashjr <luke@dashjr.org>
Date: Fri, 8 Nov 2019 17:03:02 +0000
Message-ID: <PS2P216MB0179D441FBC93122CDE5354D9D7B0@PS2P216MB0179.KORP216.PROD.OUTLOOK.COM>
In-Reply-To: <201911081507.40441.luke@dashjr.org>
Cc: security@bitcoincore.org
Subject: Re: [bitcoin-dev] CVE-2017-18350 disclosure
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>

It goes without saying that all privately known CVEs should be handled so professionally but, that is, well done team.

Regards,
LORD HIS EXCELLENCY JAMES HRMH

________________________________
From: bitcoin-dev-bounces@lists.linuxfoundation.org <bitcoin-dev-bounces@lists.linuxfoundation.org> on behalf of Luke Dashjr via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Sent: Saturday, 9 November 2019 2:07 AM
To: bitcoin-dev@lists.linuxfoundation.org <bitcoin-dev@lists.linuxfoundation.org>
Cc: security@bitcoincore.org <security@bitcoincore.org>
Subject: [bitcoin-dev] CVE-2017-18350 disclosure

CVE-2017-18350 is a buffer overflow vulnerability which allows a malicious SOCKS proxy server to overwrite the program stack on systems with a signed `char` type (including common 32-bit and 64-bit x86 PCs).

The vulnerability was introduced in 60a87bce873ce1f76a80b7b8546e83a0cd4e07a5 (SOCKS5 support) and first released in Bitcoin Core v0.7.0rc1 in 2012 Aug 27. A fix was hidden in d90a00eabed0f3f1acea4834ad489484d0012372 ("Improve and document SOCKS code") released in v0.15.1, 2017 Nov 6.

To be vulnerable, the node must be configured to use such a malicious proxy in the first place. Note that using *any* proxy over an insecure network (such as the Internet) is potentially a vulnerability since the connection could be intercepted for such a purpose.

Upon a connection request from the node, the malicious proxy would respond with an acknowledgement of a different target domain name than the one requested. Normally this acknowledgement is entirely ignored, but if the length uses the high bit (ie, a length 128-255 inclusive), it will be interpreted by vulnerable versions as a negative number instead. When the negative number is passed to the recv() system call to read the domain name, it is converted back to an unsigned/positive number, but at a much wider size (typically 32-bit), resulting in an effectively infinite read into and beyond the 256-byte dummy stack buffer.

To fix this vulnerability, the dummy buffer was changed to an explicitly unsigned data type, avoiding the conversion to/from a negative number.

Credit goes to practicalswift (https://twitter.com/practicalswift) for discovering and providing the initial fix for the vulnerability, and Wladimir J. van der Laan for a disguised version of the fix as well as general cleanup to the at-risk code.

Timeline:
- 2012-04-01: Vulnerability introduced in PR #1141.
- 2012-05-08: Vulnerability merged to master git repository.
- 2012-08-27: Vulnerability published in v0.7.0rc1.
- 2012-09-17: Vulnerability released in v0.7.0.
...
- 2017-09-21: practicalswift discloses vulnerability to security team.
- 2017-09-23: Wladimir opens PR #11397 to quietly fix vulnerability.
- 2017-09-27: Fix merged to master git repository.
- 2017-10-18: Fix merged to 0.15 git repository.
- 2017-11-04: Fix published in v0.15.1rc1.
- 2017-11-09: Fix released in v0.15.1.
...
- 2019-06-22: Vulnerability existence disclosed to bitcoin-dev ML.
- 2019-11-08: Vulnerability details disclosure to bitcoin-dev ML.
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
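As an added illustration (not Bitcoin Core's code and not part of the thread above), the signed-to-unsigned round trip the disclosure describes, next to the explicitly unsigned buffer that fixes it, plus a bounds-checked reader for a SOCKS5 reply whose BND.ADDR is a domain name; the reply layout follows RFC 1928 and the sample reply is constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the SOCKS5 length byte lands in a plain `char` buffer,
 * which is signed on x86; 0x80..0xFF become negative, then a huge size_t. */
size_t recv_len_signed(unsigned char wire_byte) {
    signed char buf[256];        /* what `char buf[256]` is on x86 */
    buf[0] = (signed char)wire_byte;
    int len = buf[0];            /* 0xFF -> -1, 0x82 -> -126 */
    return (size_t)len;          /* -1 -> SIZE_MAX: an unbounded read */
}

/* The fix described in the disclosure: an explicitly unsigned buffer. */
size_t recv_len_unsigned(unsigned char wire_byte) {
    unsigned char buf[256];
    buf[0] = wire_byte;
    return (size_t)buf[0];       /* 0xFF -> 255, always within 256 bytes */
}

/* Hardened read of a SOCKS5 CONNECT reply with a domain-name BND.ADDR:
 * VER REP RSV ATYP(0x03) LEN name[LEN] PORT(2). Returns the name length,
 * or -1 if the reply is malformed, truncated, or too big for the caller. */
int parse_socks5_domain_reply(const unsigned char *reply, size_t reply_len,
                              char *domain_out, size_t domain_cap) {
    if (reply_len < 5 || reply[0] != 0x05 || reply[3] != 0x03) return -1;
    size_t len = reply[4];                    /* 0..255, never negative */
    if (len + 7 > reply_len) return -1;       /* fewer bytes than claimed */
    if (len + 1 > domain_cap) return -1;      /* no room for the NUL */
    memcpy(domain_out, reply + 5, len);
    domain_out[len] = '\0';
    return (int)len;
}

/* Constructed sample reply (hypothetical, not real traffic): the proxy
 * claims a name of `claimed` bytes but only `actual` (<= 255) bytes follow. */
int demo_parse(unsigned claimed, size_t actual) {
    unsigned char reply[5 + 255 + 2] = {0x05, 0x00, 0x00, 0x03, 0x00};
    reply[4] = (unsigned char)claimed;
    memset(reply + 5, 'a', actual);
    char name[256];
    return parse_socks5_domain_reply(reply, 5 + actual + 2, name, sizeof name);
}

int main(void) {
    printf("LEN 0x82 via signed char:   %zu\n", recv_len_signed(0x82));
    printf("LEN 0x82 via unsigned char: %zu\n", recv_len_unsigned(0x82));
    printf("hardened parse, 200 of 255 bytes: %d\n", demo_parse(255, 200));
    return 0;
}
```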