Date: Tue, 23 May 2023 16:45:58 +0000
To: Michael Folkson <michaelfolkson@protonmail.com>
From: alicexbt <alicexbt@protonmail.com>
Message-ID: <a7Lo31vAM-OXFhdLP0IcKI8ps5ceW2Q32s33MI9ASxERoJLsudaRSKFGz2SVItY9_J1dRrghP6pDXCc86JeDeUaodN4V8Q_H3iZxqN96MLk=@protonmail.com>
In-Reply-To: <ZK1WioZUQp4XKBw9a8RxvLRRtlxsnQ8NoZ5SPIbcMVqeW3D9bpnLeJF2V4L68jz3QVaaqYiBbo46Rxobs8hZ9LfK3Jxibi1HHKBgQiqbCUs=@protonmail.com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Responsible disclosures and Bitcoin development
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>

Hi Michael,

Yes, I had requested a CVE ID after v24.1 was released, with Anthony Towns being the discoverer.

I would follow the process shared here: https://github.com/bitcoin/bitcoin/blob/master/SECURITY.md when bitcoin core developers do not disclose vulnerabilities publicly as GitHub issues which are read by everyone including 3 letter agencies. I don't think there was anything left in the issue after discussing it for days for me to add anything new. I was clear about some things the moment I read the issue and it's one of the reasons I created this thread on May 9 (public) about a public GitHub issue after following it for a few days.

It would still qualify as a vulnerability if it only affected debug builds.

> You weren't particularly clear with what has occurred.

It would be better if we had fewer assumptions about such things.

/dev/fd0
floppy disk guy

Sent with Proton Mail secure email.
------- Original Message -------
On Tuesday, May 23rd, 2023 at 9:47 PM, Michael Folkson <michaelfolkson@protonmail.com> wrote:

> Hi alicexbt
>
> > It has been assigned CVE-2023-33297
>
> Did you personally request the CVE ID? Say via here [0]? Did you confirm with someone listed on the vulnerability reporting process [1] for Bitcoin Core that it made sense to do that at this time? I'm not sure whether completely bypassing that list and requesting CVE IDs for the project as an individual is the way to go. If you have already contacted one of them and they've given you the go ahead to start the CVE process then fine. You weren't particularly clear with what has occurred.
>
> Thanks
> Michael
>
> [0]: https://cve.mitre.org/cve/request_id.html
> [1]: https://github.com/bitcoin/bitcoin/blob/master/SECURITY.md
>
> --
> Michael Folkson
> Email: michaelfolkson at protonmail.com
> GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
>
> Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
>
> ------- Original Message -------
> On Monday, May 22nd, 2023 at 13:56, alicexbt alicexbt@protonmail.com wrote:
>
> > Hi Michael,
> >
> > > Now that's not to say you may not have a point about better documentation and guidance on what should go through the vulnerability reporting process and what shouldn't.
> >
> > Yes, this can be improved.
> >
> > > Or even that this particular issue could ultimately end up being classed a CVE.
> >
> > It has been assigned CVE-2023-33297
> >
> > /dev/fd0
> > floppy disk guy
> >
> > Sent with Proton Mail secure email.
> >
> > ------- Original Message -------
> > On Wednesday, May 17th, 2023 at 6:14 PM, Michael Folkson michaelfolkson@protonmail.com wrote:
> >
> > > Hi alicexbt
> > >
> > > "Open source" has the word "open" in it. Pushing everything into closed, private channels of communication and select groups of individuals is what I've been trying to push back upon. As I said in my initial response "it doesn't scale for all bug reports and investigations to go through this tiny funnel" though "there are clearly examples where the process is critically needed".
> > >
> > > Now that's not to say you may not have a point about better documentation and guidance on what should go through the vulnerability reporting process and what shouldn't. Or even that this particular issue could ultimately end up being classed a CVE. But rather than merely complaining and putting "open source" into quote marks perhaps suggest what class of bug reports should go through the tiny funnel and what shouldn't. Unless you think everything should go through the funnel in which case you are advocating for less openness whilst simultaneously complaining it isn't "open source". Square that circle.
> > >
> > > Thanks
> > > Michael
> > >
> > > --
> > > Michael Folkson
> > > Email: michaelfolkson at protonmail.com
> > > GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
> > >
> > > Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
> > >
> > > ------- Original Message -------
> > > On Tuesday, May 16th, 2023 at 23:39, alicexbt alicexbt@protonmail.com wrote:
> > >
> > > > Hi Michael,
> > > >
> > > > A disagreement and some thoughts already shared in an email although it's not clear to some "open source" devs:
> > > >
> > > > Impact of this vulnerability:
> > > >
> > > > - Denial of Service
> > > > - Stale blocks affecting mining pool revenue
> > > >
> > > > Why it should have been reported privately to security@bitcoincore.org, even if initially found affecting only debug build?
> > > >
> > > > Example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3129
> > > >
> > > > CVE is a different process and I am aware of it. It would be good for certain developers in the core team to reflect on their own approach to security, regardless of whether their work receives CVE recognition or not.
> > > >
> > > > /dev/fd0
> > > > floppy disk guy
> > > >
> > > > Sent with Proton Mail secure email.
> > > >
> > > > ------- Original Message -------
> > > > On Friday, May 12th, 2023 at 1:14 AM, Michael Folkson michaelfolkson@protonmail.com wrote:
> > > >
> > > > > Hi alicexbt
> > > > >
> > > > > The vulnerability reporting process requires communication and resolution via a small group of individuals 0 rather than through open collaboration between any contributors on the repo. There are clearly examples where the process is critically needed, the most obvious past example being the 2018 inflation bug 1. However, it doesn't scale for all bug reports and investigations to go through this tiny funnel. For an issue that isn't going to result in loss of onchain funds and doesn't seem to present a systemic issue (e.g. network DoS attack, inflation bug) I'm of the view that opening a public issue was appropriate in this case especially as the issue initially assumed it was only impacting nodes running in debug mode (not a mode a node in production is likely to be running in).
> > > > >
> > > > > An interesting question though and I'm certainly happy to be corrected by those who have been investigating the issue. Some delicate trade-offs involved including understanding and resolving the issue faster through wider collaboration versus keeping knowledge of the issue within a smaller group.
> > > > >
> > > > > Thanks
> > > > > Michael
> > > > >
> > > > > --
> > > > > Michael Folkson
> > > > > Email: michaelfolkson at protonmail.com
> > > > > GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
> > > > >
> > > > > Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
> > > > >
> > > > > ------- Original Message -------
> > > > > On Tuesday, May 9th, 2023 at 03:47, alicexbt via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > >
> > > > > > Hi Bitcoin Developers,
> > > > > >
> > > > > > There is an open issue in bitcoin core repository which was created last week: https://github.com/bitcoin/bitcoin/issues/27586
> > > > > >
> > > > > > I think this should have been reported privately as a vulnerability instead of creating a GitHub issue even if it worked only in debug mode. Some users in the comments have also experienced similar issues without debug build used for bitcoind. I have not noticed any decline in the number of listening nodes on bitnodes.io in the last 24 hours so I am assuming this is not an issue with the majority of bitcoin core nodes. However, things could have been worse and there is nothing wrong in reporting something privately if there is even 1% possibility of it being a vulnerability. I had recently reported something to LND security team based on a closed issue on GitHub which eventually was not considered a vulnerability: https://github.com/lightningnetwork/lnd/issues/7449
> > > > > >
> > > > > > In the CPU usage issue, maybe the users can run bitcoind with bigger mempool or try other things shared in the issue by everyone.
> > > > > >
> > > > > > This isn't the first time either when a vulnerability was reported publicly: https://gist.github.com/chjj/4ff628f3a0d42823a90edf47340f0db9 and this was even exploited on mainnet which affected some projects.
> > > > > >
> > > > > > This email is just a request to consider that the impact of any vulnerability, if it gets exploited, could affect a lot of things. Even the projects with no financial activity involved follow better practices.
> > > > > >
> > > > > > /dev/fd0
> > > > > > floppy disk guy
> > > > > >
> > > > > > Sent with Proton Mail secure email.