1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
|
Return-Path: <braydon@purse.io>
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
by lists.linuxfoundation.org (Postfix) with ESMTP id 45C78C0051
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 9 Sep 2020 13:33:45 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by whitealder.osuosl.org (Postfix) with ESMTP id 2E2CE86C8A
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 9 Sep 2020 13:33:45 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id pzLzYbFnqg6J
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 9 Sep 2020 13:33:43 +0000 (UTC)
X-Greylist: delayed 00:05:04 by SQLgrey-1.7.6
Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com
[209.85.210.177])
by whitealder.osuosl.org (Postfix) with ESMTPS id 854CC86C03
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 9 Sep 2020 13:33:43 +0000 (UTC)
Received: by mail-pf1-f177.google.com with SMTP id w7so2181564pfi.4
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 09 Sep 2020 06:33:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=purse.io; s=google;
h=to:from:autocrypt:subject:message-id:date:user-agent:mime-version
:content-transfer-encoding:content-language;
bh=L+dTE9QLhdsUIkfOSKRjyKgo86hs5+PTjJoHKqVVBb8=;
b=enywz/l7bXPcP4Q6cSq1sexGDMOdXdUN5Q5fxfysleM+VBLEv3Hr6W+VwyneEfFMvS
p1DlnSOSGqwTS1vXhq33rsdxS/n/n1ndWWqj5Hs7IZArhjarwI0C8fA4zItxKok2JC8M
OUMhcYyUSy53HnXo/1qJDaCpBFJCzyFVHwszA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:to:from:autocrypt:subject:message-id:date
:user-agent:mime-version:content-transfer-encoding:content-language;
bh=L+dTE9QLhdsUIkfOSKRjyKgo86hs5+PTjJoHKqVVBb8=;
b=I+sgH3iTYMOjZKBwYwvmoCR/MK25b9uD+GJ8HEHTwpKf1bZzb+7ccOYXbzmmDMJ5MW
6oL1gdjUVZiypp3DBXg7q6MT6bAucOtC9b9h2l+JDOEEUn9tw7DL98dRlRRAMJvwIjz7
wqG91zyVsNqfNJslyrMxbqbYjo/QfxaLPj3ZaX5ILfKb94T5Y+hegR8x2kPdd3vCg3Ow
rK5XZLMR8dB1qUZhbmX4QEatSsAB4Ooaini0hVZ+p9rd1bo9HzqpkGrj8nplEYsdK9qC
pVj0my5bsjUs/tTguDbWeEhwrgDeNigfLF74JHk36DqnJlK8I12E2ZLi56oDz56xPu8b
7rmg==
X-Gm-Message-State: AOAM530ZegSPbHgJJjT7lfifITpZFsIgurb25dDBYpqvyDluY3DTc8KM
+0zB2S5D3kpyLrKhKSrFv4yJcoDxNe6IDw==
X-Google-Smtp-Source: ABdhPJx7oVhv4kHk/oUHeMRw5bA0SHEAymrewCPllO7aOnBxTWT3lW3vPN7hVhT9pgZlt7pA+DIeJw==
X-Received: by 2002:a63:d409:: with SMTP id a9mr623035pgh.312.1599658119037;
Wed, 09 Sep 2020 06:28:39 -0700 (PDT)
Received: from [10.0.0.198] ([66.172.99.113])
by smtp.gmail.com with ESMTPSA id u14sm2981579pfc.203.2020.09.09.06.28.38
for <bitcoin-dev@lists.linuxfoundation.org>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Wed, 09 Sep 2020 06:28:38 -0700 (PDT)
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: Braydon Fuller <braydon@purse.io>
Autocrypt: addr=braydon@purse.io; keydata=
LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tCgptUUlOQkZzRWthc0JFQUM0
b1BKUXNGV0FNME9qTkpsWVV4SmJUVjhibzFUZ1h3WmROWldld0c2ZnZRUStpR0dJCm15L2E1
aDEwLzlWKy9DdGlvOGF5QWZwazZWM3ovdnhxOElkUFZjc1djY0hMbmd1YUFFRWhZbktkR1pm
c29oY1EKTU80TFI2M1I2dlByVVlVSmVoVnp0MllaNUY0OTVpUkRLd2JRTFhibVhGOXZMdGFL
dWYvNmhiVm1sRzdiTTU5ZQpWS2N2cEU4RUttOTVMcHcrQ0JFM3VLYzNSeFRjS0hnbzZRcmtD
bG0xOUdORERrbUh4TS9rK2hHVDNNK3NYR2hnCnBMMjk0MEFHS3NYdVRQZ2hnTFErNXNlQld0
enVXVjMxVWYwbHRIeDZLczF3MG1sZ1paK3U0d2xsak1ISUJLTHIKNGNZRE9GOEFZeHlWY1B6
dVFMZFJqSUlLRWdwTURRVzdmdGJnR00vcWhnR2cybU4wMzZLVFVmVDFIa21UODJaMwpEM3o0
QUNKL2JZL0orbUp3MGJhcWNKcGV6bmRkMU02ZG5ETkY5U2xzdDJNcitMb2VKZE4xdFk1a2s2
L09Xd0FJCjVMMTVobWRpUldVQnJ5SnF1bjdzeTIzY21WUFNPcnRhSWZsNy9TRUZKK011WGJL
NTMrbUZHVDJQQ3BkUnpWNE0KcktyOXFiQmFYa2todkVmb0wyejZWd0lGQnBycVpqdGhQSGNI
UjhyNlFTVHBaZHNEKzcrcW9xMm80TURVcVA1NAo1YTNrR0kzbDZWVzc2N1ZFL05VSW9jeU83
WjlEL0VaT0NrMjJFbFRMVEN6V20wSnZ4eEdKb2FsZWJMUWNHZXkvCkE5V1dHT3YveWR3dlRy
eTNQV0F6cnJYTnQ0M01jSEh3WlhVNHZTTG5BdEF4UXkwNk50OXdzV28rMlFBUkFRQUIKdENG
Q2NtRjVaRzl1SUVaMWJHeGxjaUE4WW5KaGVXUnZia0J3ZFhKelpTNXBiejZKQWxRRUV3RUlB
RDRDR3dNRgpDd2tJQndJR0ZRZ0pDZ3NDQkJZQ0F3RUNIZ0VDRjRBRkNRVlp2cGdXSVFSYmZj
V05rUDdCNlpDakVMcnlUeU10CkVJczYxQVVDWG90VmJBQUtDUkR5VHlNdEVJczYxTVVJRC80
blpZN0lDeUhock1iNDNaOEcrVE45TzE1WlFON2sKWlNzZ2hWeWxpcW15cE1lNWFGOWNkbFUz
a1VkR1BEbUVuWjgweTc1bmZheXFpdlpCOG1HYXFJSTkycXVLNFJ2TQphc0kzdlQ5Rkl0Z2g4
Nkh6NWRHa1g4eGVEZms0SkNmWml0SUQydDJVdUR1Z3JGc2VFMVE4OTJsZ21NcGZQQ3VoCk5I
NWxDWnUzVjNnNFJDdlAxd1Jjd09XY0dXU0wwR0pvOHJrRS9tYzBKS0NGNDdwbDFFUWVRUVp5
czIxTHBOTnYKWmFMVHJoQUpPdDFIRXBheUlxdXFKTzA4TzBMZGErelF1Z2szV0hHWUNyeXlJ
ZFdiSWljdUFsbmowa0J1ajZKagpFdVphNFNRdE0wenF5QzNCbmIzdXBBSkNGOVdmL1lUcyts
cUJTNW96ekxkTXJRSlo5VTE4VmxUZCtZeU9icjFBCkY0UW5xT1g2aDJlNE02KzZuOWlIdU9o
eWlEdTI4cms2dU9sY1lOQTVXcm9mV0dFK1AyYS9zOExGOGxEZ1BtQlIKMjNmT0hrSmFtK2FB
U1R6VVVJSC9GM0NqbkhkTzU1cHJDWDRPOUJWc2FOR2J6WHRhMzFYVnZQbE1qQXpPc3ZWegpT
SitzUjRvMjkyVjE3THdkZU11OUFNK3c1YSt3Yk5kVnA2OEtmRnh2OTliaSs0QWgvNlVrQ2Js
dHdQWkJqVS9nClp1WGhXM2s0Z3J6a3pwdmd1U3JEU1NHNzdDNC9QTjB4aFFRMTVlaEdlQkNl
YWd2Ui9EZWxRQnkwMUYvTC9NV3EKSkJZTTVwN3ptR1htSlJXTWRNMDlDMThBc1NVZnMySWxl
dnN4a3RJWFQzSUFsVU9wdG14RlJTRWlLSERwNlJ2NgpweWM2TWJSWWZGN1BGYlFrUW5KaGVX
UnZiaUJHZFd4c1pYSWdQR052ZFhKcFpYSkFZbkpoZVdSdmJpNWpiMjArCmlRSllCQk1CQWdC
Q0Foc0RCZ3NKQ0FjREFnWVZDQUlKQ2dzRUZnSURBUUllQVFJWGdBVUpCVm0rbUJZaEJGdDkK
eFkyUS9zSHBrS01RdXZKUEl5MFFpenJVQlFKZWkxVnlBaGtCQUFvSkVQSlBJeTBRaXpyVTVJ
Y1AvMXVmOUlrQgpsd2h3TG5CUjQ2QkM5NTgyOVN3MnBzTTZYTDZ6OXIrVUtmUTFSdm9pTDQ5
V2FzU1Z6QUJGVjlnNVhRbllUajVVCkgrTnFTK29lTXlScTl0d1Avb3JFN2crVDRTNzRpaGFx
YzFhZTZmY3pNaDRIc3NkbmtyZ2FLbTVoRXEzQjh1V08KNzRSaHRJUnczUVpzM2lqSHoxU2w3
K1NzNklEOC9IbHFGRzNQaGhJQ2hFU2xna1gwQXlRSHV0ZkwzTmhGTFU5VAo1MU9RSFoyUTBG
NUo5cFgxY0JPSlR5WHNwUHppLzhUdWdWcHNqcC9LdVpWbjg2WjhIVksraFhIWCs5bVV0emZy
CnQweG91RGJRUHFlN1hRbDBJdnJpVVpaTWhFOXdOMEpMRHljTFhlLzl5RFppRGFsRUV0RENR
ZXBpcGx2STdMRlQKRGw3cHArU2xKQWFNMm9RbFRQUGg3a2M4ZThwWnNmQUo2clZKTTlheFUr
am0rNFRacFdSUm8rK3NIY00xY2VnZQo5MVI3VnRkREN6cGJRYys3Ymtpa3VHRk9sYkw5OFY5
U2daWVVxWkQrbkI0MC9xeldxQkM5RGU5YWdZWUMxaFhWCmo2YnUvTHhOV0NYZis2YnpKVWJN
aWZJc2JBNWhKZzRTbTlVTGFCV0M3eE1WUzFjSE9TSU9iaFl1aVU1Ny9HekkKRW5SMVo5YjU1
UHYwV3IwelJjRW9aM3dSUG5hMzZ4bHU5YXRiSXBuRFQ1VTNSclB1TTdXWWdnWEZaMDRkMm5F
TQpndnpYZk5BR2IvMG51K1kxZmwrbjJDYkJIenFleGFTckpYQUw3QjlBbmhock1ETGJxMk51
aVk0dnk5YWFDTFZFCnZvcWpKRzBFQXJacG1BMkt4UG03ZmQrNWJNY1hsb2RsZEFiL3VRSU5C
RnNFa2FzQkVBRGY1SlYwRWxST0dNL0gKOG5rYmdEVjEzYThwVkZHbXRiNm5JblJjTnMydEZV
NFNmR3ZlaVRQWVhnZTJEdmFoUXZDdzF5NEthQVhFT1hFZwpVeUszTmtCWnU0dCtyMFZIdXlk
cGJjOHlXU1BqaDU3T3JkNlpoZFcvY0xlVnpveTUwQTZxUkFvM05xVEpvRC9wCncxV1ZDZFdh
dWx5MmtVZTFRMktoNks4ejBoNEkvbmF4eE1memlwNUZtaCthZDUxemNVREVvd24wNW1MZ3lL
S0MKeDM4T0hPRlNwc0I0K3NJeVZCQ3d6OGRkSTJ6YXFnd3JjR2pxVndmTlh1cklqM0RYMjJZ
V2k1ZlRwUXVjQUF6VgowbGx3SlF2ZlVVdTFvaXNadHhjRDczMXJ4MlU1UnZyeXVQMzBmZFhm
TU9NbXh3TUdBbmFiT0s2NUwrZG9iODByCjVGV0ZXSGNxcTFXSUxyYWNhQURXMUxWb3NwbnNv
TjdMTzdnV0lUWnNJK0hwdmdpVWhDS1BPckJQSThtMzdReTUKL1lWakdLdjBiQ0F5ZFdvbjk5
aHBQcnZWRUp4U3VTcmFTdFhOMGVyOGRmc0R3Zko5KzF3RXdTM2pKa20zOXRudQp2TEpZbncr
VkFrL2NjYXJQNkdrZWJDdkNZbUNQbEZ1YVMxVXpEZEVBU0trbXNRY1BWRHZBaUU4MWluTG9V
akFXClVQSENsUkE1UmdZUmxqREQwdEZtSnFrM1FWNE53V25vSlF4R0FrZmJobERNV1R3bmsz
ZzhETm1zaGw5QnRydlYKc01EUGYzVFk4TzNycXFJaUliYWE1TnQzeDRoNExQSDFIRmFFT1pC
eVhOZWZsYkY4OVRxWFFUMDJBczBXZzBLbQprdHBQUFpMOGJIQm5PdEoyNHd0OVdXRW84T08v
WVFBUkFRQUJpUUlsQkJnQkFnQVBCUUpiQkpHckFoc01CUWtCCjRUT0FBQW9KRVBKUEl5MFFp
enJVd3VvUC8yOHhjdEdGN25EcWdFcTR2UzJQNEtFdUdSQVF6cnBEczdpNnRhYSsKWHpKLzlP
RTJMVDh2SjBZQmhyQUpSYTUzYW1GbzZEaThmUWhTOVNHVXNORnhoell4MS9BbUx4cVB3YnRn
TDg1UQpyREFVTjlqSmozTWlUVUxuSmVmb3VLQ1NNNHZRL0pnalF3emFDVHJpMzg4cjVHZkx5
UFBwQ1BCbmdBeXloT21qCnIzd3RKaExzdHk4NFJPbjdmTFBRdGkyUTgvZm9XcWdiYUc1Mk9I
VFhrYVFOSWdkWnlTaTNoTWxjcnc0NGM2NHIKQlRQWisxNGF3VjR6aHVaT0lDc0pGZXdDUkZh
alJWc0RxRStLY3JSbXYvRXMxSmdqSDNnaGQ3bXIwaEpsenB4Ngo1YktLeFd4Um5GU0Fra2JJ
MUs5ZGZESGpPaEpMc0ZmSk9qdXpLT2twM1QyZUVJdmRBWis0ZTZBbi9YOE1KbzIwCnBTN1lM
NnRSN1ZUSHIrcTE0SlZTd0F6NXNOOE1GRCs5TFcyZktmMDVVRk01bXBlOEtFdmgvNHdBM1pi
Q3ovNHUKWEhBT29ZeGZwZ0w5a0ZZem5wY1lDa3ZYT1AzZWZLREZzM3l6ekplcW94QTJDRk9Q
Q1AwaXJKbzFCd283OEN5VgpLWVdWYnBGZlBWaEVOUGlaSXAwQ2lCdDBPcWFDNFp6VG1SUm81
S1NwSnZSc3ZmaUpEOTJiZy9KWEdOSVpJTkd2CnhOQTZOQWJQU3RJU0hwRDR0bjNOR1cyU1lR
eVIyVEpaQm5pMWl3RnRDL1pOVDYwSjhvd2hRSm52RVFlNitNQXAKa2lhejBTdXpmTlZMNDl4
R3YyTHFhOHkxczB5NTgvMHpCTEhzK3F3ZTYvODlaMmdqZTdCcWZGak9UVVpNc0FzeQp6TGFK
aVFJOEJCZ0JBZ0FtQWhzTUZpRUVXMzNGalpEK3dlbVFveEM2OGs4akxSQ0xPdFFGQWw1OUhN
a0ZDUVZaCnZwNEFDZ2tROGs4akxSQ0xPdFFPeGcvNkFqWWoxUlFHL25yTktBNFQ5cnYrV2tr
MFo1dXRqTERYa2NmQjV2TTgKa0ZwMCtTTnBWMmVRMmlRTTZXWTRCUVBweTBZTXVuSGVOVmJ5
SHVPZzI2UEluUGc0WWdSZXpvUXhIbmdBdHJqLwowV1BKSXhodHRoWXNSODRhbXZ0TEJ3MWFs
T3VRU1daQVNYRUdFcmgrTkQrNFB0N0dobWxEODhROWxmWXpGZHhJCk43V1YxdFBBVHBQeCta
M1ljTllaWGQydkswVmluTG9odk4wdW1iOGd2ZUZDVkhYaWliYjZzcFI4Q0VQTVRvSEkKc1JU
VWo1S3JEWmhmbUduY0Qrc0NySFNXVDlSbHh2TkZpRjI5RFdzKzdudUJCYU5QQ3hYMHozeTZJ
aVg0aFVsaApkcUFOeVR1cHVSaVlGUFpIWjBMSFFzeDQ2WjJjVXE1enQwMUJwV1NCWHlKeEJj
TVY3SGtWT2J3ZzJaTVJGbGNJCkRGYy9aWTBWbmlmSDlWRHFpaWZKelhtNUkxaWE1SXU2R3M2
ZXRlZnZGdHQ2QlFKcXd0MlBNcENDOG53dDE3eDEKVlFuZVk4OVZmTTROczlPeC9IU01zODFZ
U2wyKzZDSXQxVjVNeGtMYzMxeEJCNXZKTUhsRTRFM0g3VnVidjRicQoyWUxnY29nSlN6WkZv
ZDRQUHY1ZkIzbTYybjV3U1R6M2todjBiVVhGOUN2dUxLNkk0dXdpUnBCNHhLRlRSZjZTCm5m
RTNzaUcwVWlidFl1cE1wLzJ5RmYrWUpiVVlEZk1XUjhwZWNTRzFJemVjQ3dFNHptU2F6TFN3
czFMc1pYQnAKUVd5U0JvaVBCeEU1akYzOEYvRkRyMll4VEdqNU1KaXRzTUloNkFoZnlCNG1o
OW8yVzBlYnh4K2YyNXh4aGZydwpuekk9Cj16T0twCi0tLS0tRU5EIFBHUCBQVUJMSUMgS0VZ
IEJMT0NLLS0tLS0K
Message-ID: <a51d1171-939b-6927-2a47-e5783f9b0b56@purse.io>
Date: Wed, 9 Sep 2020 06:28:38 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Thunderbird/68.10.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Mailman-Approved-At: Wed, 09 Sep 2020 13:42:02 +0000
Subject: [bitcoin-dev] CVE-2018-17145: Bitcoin Inventory Out-of-Memory
Denial-of-Service Attack
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Sep 2020 13:33:45 -0000
Hi everyone:
We would like to share a paper and website for CVE-2018-17145 that was
found in mid-2018.
There was an easily exploitable uncontrolled memory resource consumption
denial-of-service vulnerability that existed in the peer-to-peer network
code of three implementations of Bitcoin and several alternative chains.
For more details please see:
https://invdos.net/
For the paper:
https://invdos.net/paper/CVE-2018-17145.pdf
Best,
Braydon Fuller
|
