Bitcoin Forum
August 19, 2017, 04:10:24 AM *
News: Latest stable version of Bitcoin Core: 0.14.2  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 3 4 »  All
  Print  
Author Topic: URGENT: Windows Bitcoin-Qt update  (Read 26634 times)
Gavin Andresen
Legendary
*
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
March 17, 2012, 12:17:15 AM
 #1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A potential security vulnerability has been discovered in the Windows
version of Bitcoin-Qt. If you are running Bitcoin-Qt versions 0.5
through 0.6 on Windows you should shut it down and upgrade to either
version 0.5.3.1 or 0.6rc4 NOW.

The command-line bitcoin daemon (bitcoind), Mac and Linux versions of
Bitcoin-Qt, and versions prior to 0.5 are not affected.

Due to the nature of the vulnerability, we believe it would be very
difficult for an attacker to do anything more than crash the
Bitcoin-Qt process. However, because there is a possibility of such a
crash causing remote code execution we consider this a critical issue.

Binaries are available at SourceForge:
https://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.6.0/test/
https://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.5.3/

If you have questions, feel free to drop by the #bitcoin-dev channel
on FreeNode IRC.

- --
Gavin Andresen
Gregory Maxwell
Matt Corallo
Nils Schneider
Wladimir J. van der Laan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9j12IACgkQdYgkL74406iIyQCfbxFTO3yD4Q2bHDjPlDuJn3Mj
9GAAn3mV+ggo+5q1Ujd0A5zwpFYojkE2
=g1Ad
-----END PGP SIGNATURE-----

How often do you get the chance to work on a potentially world-changing project?
1503115824
Hero Member
*
Offline Offline

Posts: 1503115824

View Profile Personal Message (Offline)

Ignore
1503115824
Reply with quote  #2

1503115824
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1503115824
Hero Member
*
Offline Offline

Posts: 1503115824

View Profile Personal Message (Offline)

Ignore
1503115824
Reply with quote  #2

1503115824
Report to moderator
1503115824
Hero Member
*
Offline Offline

Posts: 1503115824

View Profile Personal Message (Offline)

Ignore
1503115824
Reply with quote  #2

1503115824
Report to moderator
1503115824
Hero Member
*
Offline Offline

Posts: 1503115824

View Profile Personal Message (Offline)

Ignore
1503115824
Reply with quote  #2

1503115824
Report to moderator
mcorlett
Donator
Sr. Member
*
Offline Offline

Activity: 308



View Profile
March 17, 2012, 12:21:41 AM
 #2

Can we get more information on the nature of the vulnerability itself, please?

Fiyasko
Legendary
*
Offline Offline

Activity: 1428


Okey Dokey Lokey


View Profile
March 17, 2012, 12:32:38 AM
 #3

when was this discovered?!

http://bitcoin-otc.com/viewratingdetail.php?nick=DingoRabiit&sign=ANY&type=RECV <-My Ratings
https://bitcointalk.org/index.php?topic=857670.0 GAWminers and associated things are not to be trusted, Especially the "mineral" exchange
kentrolla
Hero Member
*****
Offline Offline

Activity: 504


View Profile
March 17, 2012, 12:37:01 AM
 #4

thats nuts.......        can this effect any other processes?

Retired
Jr. Member
*
Offline Offline

Activity: 57



View Profile
March 17, 2012, 12:37:40 AM
 #5

I assume you are not publishing more detailed information on purpose, right? And, as JackRabiit asked, when was this discovered?

▲▼ No.1 Bitcoin Binary Options ▲▼
████████████ sec◔nds trade ████████████
↑↓ Highest Reward 190% ↑↓
Clipse
Hero Member
*****
Offline Offline

Activity: 504


View Profile
March 17, 2012, 12:47:27 AM
 #6

bitcoin.org lists the 0.5.3.1 update posted for 16 April 2012, perhaps correct that.

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
apetersson
Hero Member
*****
Offline Offline

Activity: 666


mycelium.com


View Profile WWW
March 17, 2012, 01:01:31 AM
 #7

about 3 days ago i was commenting on the language choice.
from a software architecture standpoint other languages than c++ would make more sense in such a sensitive area.

i am not suggesting that it should be rewritten. but i think it is very important that alternative implementations like BitcoinJ, multibit, armory, electrum exist.
ThiagoCMC
Legendary
*
Offline Offline

Activity: 1190

฿itcoin: Currency of Resistance!


View Profile
March 17, 2012, 01:17:34 AM
 #8

about 3 days ago i was commenting on the language choice.
from a software architecture standpoint other languages than c++ would make more sense in such a sensitive area.

i am not suggesting that it should be rewritten. but i think it is very important that alternative implementations like BitcoinJ, multibit, armory, electrum exist.

The most important re-implementation of Satoshi's oroginal code, from my point of view, is Libcoin from Michael Grønager.
mcorlett
Donator
Sr. Member
*
Offline Offline

Activity: 308



View Profile
March 17, 2012, 01:18:19 AM
 #9

Can we get more information on the nature of the vulnerability itself, please?
You can check out Github.
Did you check before posting? There is no relevant commit to the main branch.

Luke-Jr
Legendary
*
Offline Offline

Activity: 2240



View Profile
March 17, 2012, 01:20:55 AM
 #10

The most important re-implementation of Satoshi's oroginal code, from my point of view, is Libcoin from Michael Grønager.
Libcoin is not a reimplementation, it is just the Satoshi client made into a library. Perhaps you meant Amir's libbitcoin?

cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
March 17, 2012, 01:22:57 AM
 #11

are the backups in 0.6.0 for windows encrypted?
Luke-Jr
Legendary
*
Offline Offline

Activity: 2240



View Profile
March 17, 2012, 01:24:25 AM
 #12

are the backups in 0.6.0 for windows encrypted?
No

cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
March 17, 2012, 01:29:30 AM
 #13

are the backups in 0.6.0 for windows encrypted?
No

why wouldn't it be?  if you encrypt your working wallet, then run a backup, it should be encrypted as well i would think.
wumpus
Hero Member
*****
Offline Offline

Activity: 798

No Maps for These Territories


View Profile
March 17, 2012, 01:29:56 AM
 #14

why wouldn't it be?  if you encrypt your working wallet, then run a backup, it should be encrypted as well i would think.
yes, it's simply a copy

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
Luke-Jr
Legendary
*
Offline Offline

Activity: 2240



View Profile
March 17, 2012, 01:32:14 AM
 #15

are the backups in 0.6.0 for windows encrypted?
No

why wouldn't it be?  if you encrypt your working wallet, then run a backup, it should be encrypted as well i would think.
Encrypted wallets aren't really encrypted entirely. Only your private keys are. There's still a lot of sensitive data in there you probably don't want public.

grue
Global Moderator
Legendary
*
Offline Offline

Activity: 1988



View Profile
March 17, 2012, 01:38:35 AM
 #16

so all the 0.4.* versions are still safe, right?

It is pitch black. You are likely to be eaten by a grue.

Tired of annoying signature ads? Ad block for signatures
Luke-Jr
Legendary
*
Offline Offline

Activity: 2240



View Profile
March 17, 2012, 01:47:16 AM
 #17

so all the 0.4.* versions are still safe, right?
For this specific bug, yes. But wxBitcoin (the GUI in 0.4.x) is not maintained or supported at all, so it likely has other unfixed vulnerabilities.

da2ce7
Legendary
*
Offline Offline

Activity: 1222


Live and Let Live


View Profile
March 17, 2012, 02:03:55 AM
 #18

If the installer ain't working for you... Make sure you select 'Run As Administrator'.

Users whom wisely don't run as a super user, will get the error 'cannot access file.'  Instead of a prompt for an escalation of privileges.

One off NP-Hard.
gmaxwell
Staff
Legendary
*
Online Online

Activity: 2268



View Profile
March 17, 2012, 03:20:49 AM
 #19

With respect to detailed questions about the issue, we're currently being somewhat vague— simply because it's helpful to give innocent users as much of a head-start on trouble makers as possible.  

At the current time we don't know that the issue is exploitable. The class of issue and the overall paranoid design of the reference client make it hard to tell for sure. It is probably hard to exploit if it is exploitable at all.  Because of the potential seriousness the issue has been dealt with promptly and as if it were exploitable. (I'm not answering the specific timing questions because they may identify the issue too clearly).

If the issue turns out to be practically exploitable we'd much rather learn of it as a purely academic fact— academic because almost all impacted users had already applied fixes—  a few weeks from now, than learn about that in the form of hundreds of wallets being stolen through an exploit in the next few days.

I always encourage people to review the git history, but if you spot the fix for this issue— please don't point it out yet (and I will remove posts that do), if you like you can contact me privately and I'll gladly tell everyone how smart you were later. Smiley —  Reviewing the commits is generally good advice it's always good to have more eyes on the code, and even if you don't satisfy your curiosity with respect to this issue you may learn something else useful.


Bitcoin will not be compromised
hongus
Full Member
***
Offline Offline

Activity: 185



View Profile
March 17, 2012, 03:55:07 AM
 #20

So if I have 0.5.3.1-beta I'm safe?
Pages: [1] 2 3 4 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!