References: <CAAS2fgR9Swxv3=-u_uHrgGtfn0WhXEuOV78TFpOewCuwb3fmUA@mail.gmail.com>
<CABaSBaxk7sJ9WFstC_aj7W==+puXkGNAqA-n96wDzOvjaC-HCg@mail.gmail.com>
In-Reply-To: <CABaSBaxk7sJ9WFstC_aj7W==+puXkGNAqA-n96wDzOvjaC-HCg@mail.gmail.com>
From: "sickpig@gmail.com" <sickpig@gmail.com>
Date: Sat, 22 Sep 2018 21:22:20 +0200
Message-ID: <CA+c4ZoxQFHnWvMY8sW17yrE_ccLKe82dX5W6G7nC1R7ZH6kP0A@mail.gmail.com>
To: kanzure@gmail.com, Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>,
gmaxwell@gmail.com, Matt Corallo <matt@bluematt.me>
Subject: Re: [bitcoin-dev] Fwd: [bitcoin-core-dev] On the initial notice of
CVE-2018-17144

Gregory,

> For some reason I don't understand, Andrea Suisani is stating on
> twitter that the report by awemany was a report of an inflation
> bug, contrary to the timeline we published.

I guess that the fact that you don't understand it is probably related to the
fact that you didn't properly read the tweet you are referring to. For
reference, this is the tweet URL: https://twitter.com/sickpig/status/1043530088636194816

This is the text of that tweet:

"He [awemany] *did not* mention the inflation bug in the email, still he has proof he was aware of that before sending out the report"

The tweet then continues by referring to a reddit post where awemany, while
trying to prove he was the original author of the report, included a
timestamped note containing the following text:

BitcoinABC does not check for duplicate inputs when processing a block,
only when inserting a transaction into the mempool.
This is dangerous as blocks can be generated with duplicate transactions
and then sent through e.g. compact block missing transactions and avoid
hitting the mempool, creating money out of thin air.
/u/awemany

This is the timeline of the timestamping process:

https://originstamp.org/s/5c45a1ba957362a2ba97c9f8c48d4d59d4fa990945b7094a8d2a98c3a91ed9b6

As you can see, the note was submitted to originstamp.org before the
report email was sent.

> This is not the case:
> the report specifically stated that inflation was not possible because
> the node crashed. It also described a reproduction of the crash, but
> not of inflation.

Furthermore, as you should be aware, having been copied on the report,
awemany specifically said that "[the assert(is_spent)] *seems* to prevent
the worse outcome of monetary inflation".

I guess that, in the hurry of informing you and the other people involved of
the DoS vector he identified and proved, he decided to give priority to
informing Core about that rather than waiting and continuing to explore the
idea he had about exploiting the code to create coins out of thin air.
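
The gap described in awemany's note quoted above, as an added C++ example that is not part of the original message and is not code from Bitcoin Core or BitcoinABC: a duplicate-input check that runs on the mempool path only, beside a block path that applies the same check. All type and function names are hypothetical stand-ins, and the sample block is constructed.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <tuple>
#include <vector>

// Simplified stand-ins (hypothetical types, not the projects' own).
struct OutPoint {
    std::string txid;  // id of the transaction that created the output
    uint32_t index;    // position of that output within the transaction
    bool operator<(const OutPoint& o) const {
        return std::tie(txid, index) < std::tie(o.txid, o.index);
    }
};
struct Tx { std::vector<OutPoint> inputs; };
struct Block { std::vector<Tx> txs; };

// True when no outpoint is referenced by more than one input of `tx`.
bool HasUniqueInputs(const Tx& tx) {
    std::set<OutPoint> seen;
    for (const OutPoint& in : tx.inputs) {
        if (!seen.insert(in).second) return false;  // same outpoint listed twice
    }
    return true;
}

// Mempool path: per the note, the duplicate-input check ran here.
bool AcceptToMempool(const Tx& tx) { return HasUniqueInputs(tx); }

// Block path as the note describes it: no duplicate-input check, so a
// transaction that never passed through the mempool is never screened.
bool CheckBlockUnchecked(const Block&) { return true; }

// Block path with the same check applied to every transaction it carries.
bool CheckBlockChecked(const Block& block) {
    for (const Tx& tx : block.txs) {
        if (!HasUniqueInputs(tx)) return false;
    }
    return true;
}

// Constructed sample: the second transaction lists outpoint ("aa", 0) twice.
Block MakeSampleBlock() {
    Tx ok;  ok.inputs = {OutPoint{"cc", 0}, OutPoint{"cc", 1}};
    Tx dup; dup.inputs = {OutPoint{"aa", 0}, OutPoint{"aa", 0}, OutPoint{"bb", 1}};
    Block b; b.txs = {ok, dup};
    return b;
}
```

The point of the comparison is that validation must not depend on which path delivered the transaction: whatever the mempool rejects, block processing has to reject as well.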