fix(deps): update module github.com/btcsuite/btcd to v0.24.2 [security] #2332
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
ℹ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
|
Coverage from tests in coverage: 54.9% of statements across all listed packagescoverage: 68.2% of statements in consensus/istanbul coverage: 63.3% of statements in consensus/istanbul/announce coverage: 57.0% of statements in consensus/istanbul/backend coverage: 0.0% of statements in consensus/istanbul/backend/backendtest coverage: 24.3% of statements in consensus/istanbul/backend/internal/replica coverage: 65.7% of statements in consensus/istanbul/core coverage: 50.0% of statements in consensus/istanbul/db coverage: 0.0% of statements in consensus/istanbul/proxy coverage: 64.2% of statements in consensus/istanbul/uptime coverage: 52.4% of statements in consensus/istanbul/validator coverage: 79.2% of statements in consensus/istanbul/validator/random |
|
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.24.0->v0.24.2GitHub Vulnerability Alerts
CVE-2024-38365
Impact
The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality. This
logic is consensus-critical: the difference in behavior with the other Bitcoin clients can lead to btcd clients accepting an invalid Bitcoin block (or rejecting a valid one).
This consensus failure can be leveraged to cause a chain split (accepting an invalid Bitcoin block) or be exploited to DoS the btcd nodes (rejecting a valid Bitcoin block). An attacker can create a standard transaction where FindAndDelete doesn't return a match but removeOpCodeByData does making btcd get a different sighash, leading to a chain split. Importantly, this vulnerability can be exploited remotely by any Bitcoin user and does not require any hash power. This is because the difference in behavior can be triggered by a "standard" Bitcoin
transaction, that is a transaction which gets relayed through the P2P network before it gets included in a Bitcoin block.
FindAndDeletevs.removeOpcodeByDataremoveOpcodeByData(script []byte, dataToRemove []byte)removes any data pushes fromscriptthat containdataToRemove. However,FindAndDeleteonly removes exact matches. So for example, withscript = "<data> <data||foo>"anddataToRemove = "data"btcd will remove both data pushes but Bitcoin Core'sFindAndDeleteonly removes the first<data>push.Patches
This has been patched in
btcdversion v0.24.2-beta.References
FindAndDelete: GHSA-27vh-h6mc-q6g8Consensus failure in github.com/btcsuite/btcd
CVE-2024-38365 / GHSA-27vh-h6mc-q6g8 / GO-2024-3189
More information
Details
The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's 'FindAndDelete()' functionality, causing discrepancies in the validation of Bitcoin blocks. This can lead to a chain split (accepting an invalid block) or Denial of Service (DoS) attacks (rejecting a valid block). An attacker can trigger this vulnerability by constructing a 'standard' Bitcoin transaction that exhibits different behaviors in 'FindAndDelete()' and 'removeOpcodeByData()'.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
btcd did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality
CVE-2024-38365 / GHSA-27vh-h6mc-q6g8 / GO-2024-3189
More information
Details
Impact
The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality. This
logic is consensus-critical: the difference in behavior with the other Bitcoin clients can lead to btcd clients accepting an invalid Bitcoin block (or rejecting a valid one).
This consensus failure can be leveraged to cause a chain split (accepting an invalid Bitcoin block) or be exploited to DoS the btcd nodes (rejecting a valid Bitcoin block). An attacker can create a standard transaction where FindAndDelete doesn't return a match but removeOpCodeByData does making btcd get a different sighash, leading to a chain split. Importantly, this vulnerability can be exploited remotely by any Bitcoin user and does not require any hash power. This is because the difference in behavior can be triggered by a "standard" Bitcoin
transaction, that is a transaction which gets relayed through the P2P network before it gets included in a Bitcoin block.
FindAndDeletevs.removeOpcodeByDataremoveOpcodeByData(script []byte, dataToRemove []byte)removes any data pushes fromscriptthat containdataToRemove. However,FindAndDeleteonly removes exact matches. So for example, withscript = "<data> <data||foo>"anddataToRemove = "data"btcd will remove both data pushes but Bitcoin Core'sFindAndDeleteonly removes the first<data>push.Patches
This has been patched in
btcdversion v0.24.2-beta.References
FindAndDelete: GHSA-27vh-h6mc-q6g8Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
btcsuite/btcd (github.com/btcsuite/btcd)
v0.24.2Compare Source
This release includes important bug fixes related to subtle interactions related to re-orgs and the UTXO set cache. These fixed are considered security critical.
This release also includes implementations of
invalidateblockandreconsiderblockwhich can be useful in helping nodes that were afflicted by the aforementioned bugs to recover without needing to resync the entire chain.WIth this release,
btcdnow also implements thetestmempoolacceptRPC which can be useful to check a transaction candidate for validity from a policy and conflict perspective before broadcasting. Along the way, we've added some additional policy checks that exist in other Bitcoin full node implementations.This release also contains fixes to some parsing issues discovered via fuzz testing.
Finally, as mentioned above release includes important security fixes, with full details to be disclosed in 90 days.
What's Changed
testmempoolacceptfor bothbitcoindandbtcdby @yyforyongyu in https://github.com/btcsuite/btcd/pull/2053make helpto display the usage for project Makefile by @Halimao in https://github.com/btcsuite/btcd/pull/2107gettxspendingprevoutforbtcdand fix version check by @yyforyongyu in https://github.com/btcsuite/btcd/pull/2125witnessToHexinto a methodToHexStringsonTxWitnessby @ffranr in https://github.com/btcsuite/btcd/pull/1991AgentWhitelistby @youngjoon-lee in https://github.com/btcsuite/btcd/pull/2140New Contributors
Full Changelog: btcsuite/btcd@v0.24.0...v0.24.2
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.