Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bitcoin: 0.15.0.1 -> 0.15.2 #47528

Merged
merged 1 commit into from Sep 29, 2018
Merged

bitcoin: 0.15.0.1 -> 0.15.2 #47528

merged 1 commit into from Sep 29, 2018

Conversation

roconnor
Copy link
Contributor

Fixes DoS vulnerability CVE-2018-17144.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@roconnor
Copy link
Contributor Author

I believe that 17.09 is the only release branch that still contains a version of Bitcoin vulnerable to CVE-2018-17144 and this PR fixes this. See also #46891.

@jb55 Let me know if you are willing to review this PR.

@jb55
Copy link
Contributor

jb55 commented Sep 29, 2018

@roconnor I don't have the means to test it in any meaningful way, so utACK from me.

@roconnor
Copy link
Contributor Author

@jb55 can you verify that you believe the sources fetched are signed by the Bitcoin Core binary release signing key?

@jb55
Copy link
Contributor

jb55 commented Sep 29, 2018
edited

confirmed. I've verified the hash matches the one in https://bitcoincore.org/bin/bitcoin-core-0.15.2/SHA256SUMS.asc signed with bitcoin core signing key, fingerprint

01EA 5486 DE18 A882 D4C2  6845 90C8 019E 36C2 E964

@roconnor
Copy link
Contributor Author

roconnor commented Sep 29, 2018
edited

@xeji Is merging directly into release-17.09 the right thing to do there?

@GrahamcOfBorg
Copy link

Timed out, unknown build status on x86_64-linux (full log)

Attempted: bitcoin

Partial log (click to expand)

  CXX      qt/qt_libbitcoinqt_a-askpassphrasedialog.o
  CXX      qt/qt_libbitcoinqt_a-coincontroldialog.o
  CXX      qt/qt_libbitcoinqt_a-coincontroltreewidget.o
  CXX      qt/qt_libbitcoinqt_a-editaddressdialog.o
  CXX      qt/qt_libbitcoinqt_a-openuridialog.o
  CXX      qt/qt_libbitcoinqt_a-overviewpage.o
  CXX      qt/qt_libbitcoinqt_a-paymentrequestplus.o
  CXX      qt/qt_libbitcoinqt_a-paymentserver.o
building of '/nix/store/7h7nqicnq2z4zzaj96qssrlb7if8ms44-bitcoin-0.15.2.drv' timed out after 3600 seconds
error: build of '/nix/store/7h7nqicnq2z4zzaj96qssrlb7if8ms44-bitcoin-0.15.2.drv' failed

@xeji
Copy link
Contributor

xeji commented Sep 29, 2018

@roconnor sure, if this version is only relevant for 17.09.

@GrahamcOfBorg
Copy link

Timed out, unknown build status on aarch64-linux (full log)

Attempted: bitcoin

Partial log (click to expand)

../JavaScriptCore/wtf/StringHasher.h: In static member function 'static unsigned int WTF::StringHasher::hashMemory(const void*)':
../JavaScriptCore/wtf/Assertions.h:326:47: warning: typedef 'dummylength_must_be_a_multible_of_four' locally defined but not used [-Wunused-local-typedefs]
 #define COMPILE_ASSERT(exp, name) typedef int dummy##name [(exp) ? 1 : -1]
                                               ^
../JavaScriptCore/wtf/StringHasher.h:140:9: note: in expansion of macro 'COMPILE_ASSERT'
         COMPILE_ASSERT(!(length % 4), length_must_be_a_multible_of_four);
         ^~~~~~~~~~~~~~
building of '/nix/store/fv1r25n6m2b45cywr148migsmr8cqifc-qt-4.8.7.drv' timed out after 3600 seconds
cannot build derivation '/nix/store/cc733nvqwzyjsskn81m8x2qrf5dxiryq-bitcoin-0.15.2.drv': 1 dependencies couldn't be built
error: build of '/nix/store/cc733nvqwzyjsskn81m8x2qrf5dxiryq-bitcoin-0.15.2.drv' failed

@roconnor roconnor merged commit 24a7883 into NixOS:release-17.09 Sep 29, 2018
@roconnor roconnor deleted the bitcoin branch September 29, 2018 19:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jb55 jb55 jb55 approved these changes

Assignees
No one assigned
Labels
10.rebuild-darwin: 1-10 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@roconnor @jb55 @GrahamcOfBorg @xeji