From: LORD HIS EXCELLENCY JAMES HRMH <willtech@live.com.au>
To: "bitcoin-dev@lists.linuxfoundation.org"
	<bitcoin-dev@lists.linuxfoundation.org>, Luke Dashjr <luke@dashjr.org>
Thread-Topic: [bitcoin-dev] CVE-2017-18350 disclosure
Date: Fri, 8 Nov 2019 17:03:02 +0000
Message-ID: <PS2P216MB0179D441FBC93122CDE5354D9D7B0@PS2P216MB0179.KORP216.PROD.OUTLOOK.COM>
References: <201911081507.40441.luke@dashjr.org>
In-Reply-To: <201911081507.40441.luke@dashjr.org>
Cc: "security@bitcoincore.org" <security@bitcoincore.org>
Subject: Re: [bitcoin-dev] CVE-2017-18350 disclosure


It goes without saying that all privately known CVEs should be handled so professionally but, that is, well done team.

Regards,
LORD HIS EXCELLENCY JAMES HRMH


________________________________
From: bitcoin-dev-bounces@lists.linuxfoundation.org <bitcoin-dev-bounces@lists.linuxfoundation.org> on behalf of Luke Dashjr via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Sent: Saturday, 9 November 2019 2:07 AM
To: bitcoin-dev@lists.linuxfoundation.org <bitcoin-dev@lists.linuxfoundation.org>
Cc: security@bitcoincore.org <security@bitcoincore.org>
Subject: [bitcoin-dev] CVE-2017-18350 disclosure

CVE-2017-18350 is a buffer overflow vulnerability which allows a malicious
SOCKS proxy server to overwrite the program stack on systems with a signed
`char` type (including common 32-bit and 64-bit x86 PCs).

The vulnerability was introduced in 60a87bce873ce1f76a80b7b8546e83a0cd4e07a5
(SOCKS5 support) and first released in Bitcoin Core v0.7.0rc1 in 2012 Aug 27.
A fix was hidden in d90a00eabed0f3f1acea4834ad489484d0012372 ("Improve and
document SOCKS code") released in v0.15.1, 2017 Nov 6.

To be vulnerable, the node must be configured to use such a malicious proxy in
the first place. Note that using *any* proxy over an insecure network (such
as the Internet) is potentially a vulnerability since the connection could be
intercepted for such a purpose.

Upon a connection request from the node, the malicious proxy would respond
with an acknowledgement of a different target domain name than the one
requested. Normally this acknowledgement is entirely ignored, but if the
length uses the high bit (i.e., a length 128-255 inclusive), it will be
interpreted by vulnerable versions as a negative number instead. When the
negative number is passed to the recv() system call to read the domain name,
it is converted back to an unsigned/positive number, but at a much wider size
(typically 32-bit), resulting in an effectively infinite read into and beyond
the 256-byte dummy stack buffer.

To fix this vulnerability, the dummy buffer was changed to an explicitly
unsigned data type, avoiding the conversion to/from a negative number.

Credit goes to practicalswift (https://twitter.com/practicalswift) for
discovering and providing the initial fix for the vulnerability, and Wladimir
J. van der Laan for a disguised version of the fix as well as general cleanup
to the at-risk code.

Timeline:
- 2012-04-01: Vulnerability introduced in PR #1141.
- 2012-05-08: Vulnerability merged to master git repository.
- 2012-08-27: Vulnerability published in v0.7.0rc1.
- 2012-09-17: Vulnerability released in v0.7.0.
...
- 2017-09-21: practicalswift discloses vulnerability to security team.
- 2017-09-23: Wladimir opens PR #11397 to quietly fix vulnerability.
- 2017-09-27: Fix merged to master git repository.
- 2017-10-18: Fix merged to 0.15 git repository.
- 2017-11-04: Fix published in v0.15.1rc1.
- 2017-11-09: Fix released in v0.15.1.
...
- 2019-06-22: Vulnerability existence disclosed to bitcoin-dev ML.
- 2019-11-08: Vulnerability details disclosed to bitcoin-dev ML.
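The sign-conversion described in the quoted advisory, as an added C example that is not Bitcoin Core's code and not part of the original thread: it reconstructs only the pattern (a length byte read into a `char` dummy buffer and then handed to recv()) next to the unsigned-buffer fix. `signed char` is written out to model the signed-`char` x86 builds named above on any platform; the function names and the sample length bytes are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DUMMY_BUF_SIZE 256   /* size of the stack buffer named in the advisory */

/* Pre-fix pattern (reconstruction, not Bitcoin Core's code). The length
 * byte the proxy sends is read into a signed buffer and then passed as
 * recv()'s size_t length argument. 'signed char' is spelled out so the
 * demo behaves like the signed-'char' x86 builds on every platform. */
size_t vulnerable_recv_len(uint8_t len_byte_from_proxy) {
    signed char dummy[DUMMY_BUF_SIZE];
    dummy[0] = (signed char)len_byte_from_proxy;  /* first recv() read 1 byte */
    /* pre-fix code then did recv(sock, dummy, dummy[0], 0): 0x80..0xFF are
     * negative here and wrap to a huge size_t, far beyond the 256 bytes */
    return (size_t)dummy[0];
}

/* Post-fix pattern: the buffer is explicitly unsigned, so the length byte
 * stays within 0..255 through the conversion to size_t. */
size_t fixed_recv_len(uint8_t len_byte_from_proxy) {
    uint8_t dummy[DUMMY_BUF_SIZE];
    dummy[0] = len_byte_from_proxy;
    return (size_t)dummy[0];
}

/* Explicit bound check a reviewer would want as well: whatever the element
 * type, never ask recv() for more than the destination buffer can hold. */
int length_fits_buffer(size_t want) {
    return want <= DUMMY_BUF_SIZE;
}

int main(void) {
    /* constructed sample length bytes; 128..255 are the ones with the high bit set */
    const uint8_t samples[] = {5, 127, 128, 200, 255};
    for (size_t i = 0; i < sizeof samples; i++) {
        size_t v = vulnerable_recv_len(samples[i]);
        printf("length byte %3u: pre-fix recv length %zu (%s), post-fix %zu\n",
               samples[i], v, length_fits_buffer(v) ? "fits" : "overflow",
               fixed_recv_len(samples[i]));
    }
    return 0;
}
```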