chore(deps): update module github.com/btcsuite/btcd to v0.24.2 [security] #275
+16
−4
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
…ity] Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
ℹ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.23.2->v0.24.2GitHub Vulnerability Alerts
CVE-2024-34478
btcd before 0.24.0 does not correctly implement the consensus rules outlined in BIP 68 and BIP 112, making it susceptible to consensus failures. Specifically, it uses the transaction version as a signed integer when it is supposed to be treated as unsigned. There can be a chain split and loss of funds.
CVE-2024-38365
Impact
The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality. This
logic is consensus-critical: the difference in behavior with the other Bitcoin clients can lead to btcd clients accepting an invalid Bitcoin block (or rejecting a valid one).
This consensus failure can be leveraged to cause a chain split (accepting an invalid Bitcoin block) or be exploited to DoS the btcd nodes (rejecting a valid Bitcoin block). An attacker can create a standard transaction where FindAndDelete doesn't return a match but removeOpCodeByData does making btcd get a different sighash, leading to a chain split. Importantly, this vulnerability can be exploited remotely by any Bitcoin user and does not require any hash power. This is because the difference in behavior can be triggered by a "standard" Bitcoin
transaction, that is a transaction which gets relayed through the P2P network before it gets included in a Bitcoin block.
FindAndDeletevs.removeOpcodeByDataremoveOpcodeByData(script []byte, dataToRemove []byte)removes any data pushes fromscriptthat containdataToRemove. However,FindAndDeleteonly removes exact matches. So for example, withscript = "<data> <data||foo>"anddataToRemove = "data"btcd will remove both data pushes but Bitcoin Core'sFindAndDeleteonly removes the first<data>push.Patches
This has been patched in
btcdversion v0.24.2-beta.References
FindAndDelete: GHSA-27vh-h6mc-q6g8btcd susceptible to consensus failures
CVE-2024-34478 / GHSA-3jgf-r68h-xfqm / GO-2024-2818
More information
Details
btcd before 0.24.0 does not correctly implement the consensus rules outlined in BIP 68 and BIP 112, making it susceptible to consensus failures. Specifically, it uses the transaction version as a signed integer when it is supposed to be treated as unsigned. There can be a chain split and loss of funds.
Severity
Moderate
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Consensus failures in github.com/btcsuite/btcd
CVE-2024-34478 / GHSA-3jgf-r68h-xfqm / GO-2024-2818
More information
Details
Incorrect implementation of the consensus rules outlined in BIP 68 and BIP 112 making btcd susceptible to consensus failures. Specifically, it uses the transaction version as a signed integer when it is supposed to be treated as unsigned. There can be a chain split and loss of funds.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Consensus failure in github.com/btcsuite/btcd
CVE-2024-38365 / GHSA-27vh-h6mc-q6g8 / GO-2024-3189
More information
Details
The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's 'FindAndDelete()' functionality, causing discrepancies in the validation of Bitcoin blocks. This can lead to a chain split (accepting an invalid block) or Denial of Service (DoS) attacks (rejecting a valid block). An attacker can trigger this vulnerability by constructing a 'standard' Bitcoin transaction that exhibits different behaviors in 'FindAndDelete()' and 'removeOpcodeByData()'.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
btcd did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality
CVE-2024-38365 / GHSA-27vh-h6mc-q6g8 / GO-2024-3189
More information
Details
Impact
The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality. This
logic is consensus-critical: the difference in behavior with the other Bitcoin clients can lead to btcd clients accepting an invalid Bitcoin block (or rejecting a valid one).
This consensus failure can be leveraged to cause a chain split (accepting an invalid Bitcoin block) or be exploited to DoS the btcd nodes (rejecting a valid Bitcoin block). An attacker can create a standard transaction where FindAndDelete doesn't return a match but removeOpCodeByData does making btcd get a different sighash, leading to a chain split. Importantly, this vulnerability can be exploited remotely by any Bitcoin user and does not require any hash power. This is because the difference in behavior can be triggered by a "standard" Bitcoin
transaction, that is a transaction which gets relayed through the P2P network before it gets included in a Bitcoin block.
FindAndDeletevs.removeOpcodeByDataremoveOpcodeByData(script []byte, dataToRemove []byte)removes any data pushes fromscriptthat containdataToRemove. However,FindAndDeleteonly removes exact matches. So for example, withscript = "<data> <data||foo>"anddataToRemove = "data"btcd will remove both data pushes but Bitcoin Core'sFindAndDeleteonly removes the first<data>push.Patches
This has been patched in
btcdversion v0.24.2-beta.References
FindAndDelete: GHSA-27vh-h6mc-q6g8Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
btcsuite/btcd (github.com/btcsuite/btcd)
v0.24.2Compare Source
This release includes important bug fixes related to subtle interactions related to re-orgs and the UTXO set cache. These fixed are considered security critical.
This release also includes implementations of
invalidateblockandreconsiderblockwhich can be useful in helping nodes that were afflicted by the aforementioned bugs to recover without needing to resync the entire chain.WIth this release,
btcdnow also implements thetestmempoolacceptRPC which can be useful to check a transaction candidate for validity from a policy and conflict perspective before broadcasting. Along the way, we've added some additional policy checks that exist in other Bitcoin full node implementations.This release also contains fixes to some parsing issues discovered via fuzz testing.
Finally, as mentioned above release includes important security fixes, with full details to be disclosed in 90 days.
What's Changed
testmempoolacceptfor bothbitcoindandbtcdby @yyforyongyu in https://github.com/btcsuite/btcd/pull/2053make helpto display the usage for project Makefile by @Halimao in https://github.com/btcsuite/btcd/pull/2107gettxspendingprevoutforbtcdand fix version check by @yyforyongyu in https://github.com/btcsuite/btcd/pull/2125witnessToHexinto a methodToHexStringsonTxWitnessby @ffranr in https://github.com/btcsuite/btcd/pull/1991AgentWhitelistby @youngjoon-lee in https://github.com/btcsuite/btcd/pull/2140New Contributors
Full Changelog: btcsuite/btcd@v0.24.0...v0.24.2
v0.24.0: btcd v0.24.0Compare Source
This release is a major release that includes several general bug fixes, security bug fixes (please update!), and also a series of performance improvements that dramatically reduce the time for initial block download from ~45 hours+ to around 6 hours! With this release,
btcdnow also supports BIP 155 and has gained support for pruning (--prune=MiB).Verifying the Release
In order to verify the release, you'll need to have
gpgorgpg2installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:Once you have the required PGP keys, you can verify the release (assuming
manifest-roasbeef-v0.24.0.sigandmanifest-v0.24.0.txtare in the current directory) with:You should see the following if the verification was successful:
That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the
sha256hash of the archive withshasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.What's Changed
New Contributors
Full Changelog: btcsuite/btcd@v0.23.4...v0.24.0
v0.23.4Compare Source
v0.23.3: btcd v0.23.3Compare Source
Verifying the Release
In order to verify the release, you'll need to have
gpgorgpg2installed on your system. Once you've obtained a copy (and hopefully verified that as well), you'll first need to import the keys that have signed this release if you haven't done so already:Once you have the required PGP keys, you can verify the release (assuming
manifest-guggero-v0.23.3.sigandmanifest-v0.23.3.txtare in the current directory) with:You should see the following if the verification was successful:
That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the
sha256hash of the archive withshasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.What's Changed
New Contributors
Full Changelog: btcsuite/btcd@v0.23.2...v0.23.3
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.