Return-Path: <braydon@purse.io>
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 45C78C0051
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed,  9 Sep 2020 13:33:45 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by whitealder.osuosl.org (Postfix) with ESMTP id 2E2CE86C8A
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed,  9 Sep 2020 13:33:45 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
 by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id pzLzYbFnqg6J
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed,  9 Sep 2020 13:33:43 +0000 (UTC)
X-Greylist: delayed 00:05:04 by SQLgrey-1.7.6
Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com
 [209.85.210.177])
 by whitealder.osuosl.org (Postfix) with ESMTPS id 854CC86C03
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed,  9 Sep 2020 13:33:43 +0000 (UTC)
Received: by mail-pf1-f177.google.com with SMTP id w7so2181564pfi.4
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 09 Sep 2020 06:33:43 -0700 (PDT)
X-Received: by 2002:a63:d409:: with SMTP id a9mr623035pgh.312.1599658119037;
 Wed, 09 Sep 2020 06:28:39 -0700 (PDT)
Received: from [10.0.0.198] ([66.172.99.113])
 by smtp.gmail.com with ESMTPSA id u14sm2981579pfc.203.2020.09.09.06.28.38
 for <bitcoin-dev@lists.linuxfoundation.org>
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Wed, 09 Sep 2020 06:28:38 -0700 (PDT)
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: Braydon Fuller <braydon@purse.io>
Message-ID: <a51d1171-939b-6927-2a47-e5783f9b0b56@purse.io>
Date: Wed, 9 Sep 2020 06:28:38 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Mailman-Approved-At: Wed, 09 Sep 2020 13:42:02 +0000
Subject: [bitcoin-dev] CVE-2018-17145: Bitcoin Inventory Out-of-Memory
 Denial-of-Service Attack
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Sep 2020 13:33:45 -0000

Hi everyone:

We would like to share a paper and website for CVE-2018-17145 that was
found in mid-2018.

There was an easily exploitable uncontrolled memory resource consumption
denial-of-service vulnerability that existed in the peer-to-peer network
code of three implementations of Bitcoin and several alternative chains.

For more details please see:
https://invdos.net/

For the paper:
https://invdos.net/paper/CVE-2018-17145.pdf

Best,
Braydon Fuller