Bitcoin Forum
Author Topic: URGENT: Windows Bitcoin-Qt update  (Read 28175 times)
Gavin Andresen (OP), Legendary, Chief Scientist
March 17, 2012, 12:17:15 AM  #1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A potential security vulnerability has been discovered in the Windows
version of Bitcoin-Qt. If you are running Bitcoin-Qt versions 0.5
through 0.6 on Windows you should shut it down and upgrade to either
version 0.5.3.1 or 0.6rc4 NOW.

The command-line bitcoin daemon (bitcoind), Mac and Linux versions of
Bitcoin-Qt, and versions prior to 0.5 are not affected.

Due to the nature of the vulnerability, we believe it would be very
difficult for an attacker to do anything more than crash the
Bitcoin-Qt process. However, because there is a possibility of such a
crash causing remote code execution we consider this a critical issue.

Binaries are available at SourceForge:
https://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.6.0/test/
https://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.5.3/

If you have questions, feel free to drop by the #bitcoin-dev channel
on FreeNode IRC.

- --
Gavin Andresen
Gregory Maxwell
Matt Corallo
Nils Schneider
Wladimir J. van der Laan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9j12IACgkQdYgkL74406iIyQCfbxFTO3yD4Q2bHDjPlDuJn3Mj
9GAAn3mV+ggo+5q1Ujd0A5zwpFYojkE2
=g1Ad
-----END PGP SIGNATURE-----

mcorlett, Donator, Sr. Member
March 17, 2012, 12:21:41 AM  #2

Can we get more information on the nature of the vulnerability itself, please?

Fiyasko, Legendary, Okey Dokey Lokey
March 17, 2012, 12:32:38 AM  #3

When was this discovered?!
kentrolla, Hero Member, Eloncoin.org - Mars, here we come!
March 17, 2012, 12:37:01 AM  #4

That's nuts... can this affect any other processes?

Retired, Sr. Member
March 17, 2012, 12:37:40 AM  #5

I assume you are not publishing more detailed information on purpose, right? And, as JackRabiit asked, when was this discovered?
Clipse, Hero Member
March 17, 2012, 12:47:27 AM  #6

bitcoin.org lists the 0.5.3.1 update posted for 16 April 2012, perhaps correct that.

apetersson, Hero Member
March 17, 2012, 01:01:31 AM  #7

About 3 days ago I was commenting on the language choice.
From a software architecture standpoint, other languages than C++ would make more sense in such a sensitive area.

I am not suggesting that it should be rewritten, but I think it is very important that alternative implementations like BitcoinJ, MultiBit, Armory, Electrum exist.
ThiagoCMC, Legendary, ฿itcoin: Currency of Resistance!
March 17, 2012, 01:17:34 AM  #8

Quote from: apetersson on March 17, 2012, 01:01:31 AM
About 3 days ago I was commenting on the language choice.
From a software architecture standpoint, other languages than C++ would make more sense in such a sensitive area.

I am not suggesting that it should be rewritten, but I think it is very important that alternative implementations like BitcoinJ, MultiBit, Armory, Electrum exist.

The most important re-implementation of Satoshi's original code, from my point of view, is Libcoin from Michael Grønager.
mcorlett, Donator, Sr. Member
March 17, 2012, 01:18:19 AM  #9

Quote from: mcorlett on March 17, 2012, 12:21:41 AM
Can we get more information on the nature of the vulnerability itself, please?
Quote
You can check out Github.
Did you check before posting? There is no relevant commit to the main branch.

Luke-Jr, Legendary
March 17, 2012, 01:20:55 AM  #10

Quote from: ThiagoCMC on March 17, 2012, 01:17:34 AM
The most important re-implementation of Satoshi's original code, from my point of view, is Libcoin from Michael Grønager.
Libcoin is not a reimplementation, it is just the Satoshi client made into a library. Perhaps you meant Amir's libbitcoin?

cypherdoc, Legendary
March 17, 2012, 01:22:57 AM  #11

Are the backups in 0.6.0 for Windows encrypted?
Luke-Jr, Legendary
March 17, 2012, 01:24:25 AM  #12

Quote from: cypherdoc on March 17, 2012, 01:22:57 AM
Are the backups in 0.6.0 for Windows encrypted?
No

cypherdoc, Legendary
March 17, 2012, 01:29:30 AM  #13

Quote from: Luke-Jr on March 17, 2012, 01:24:25 AM
Quote from: cypherdoc on March 17, 2012, 01:22:57 AM
Are the backups in 0.6.0 for Windows encrypted?
No

Why wouldn't it be? If you encrypt your working wallet, then run a backup, it should be encrypted as well, I would think.
wumpus, Hero Member, No Maps for These Territories
March 17, 2012, 01:29:56 AM  #14

Quote from: cypherdoc on March 17, 2012, 01:29:30 AM
Why wouldn't it be? If you encrypt your working wallet, then run a backup, it should be encrypted as well, I would think.
Yes, it's simply a copy.
Luke-Jr, Legendary
March 17, 2012, 01:32:14 AM  #15

Quote from: cypherdoc on March 17, 2012, 01:29:30 AM
Quote from: Luke-Jr on March 17, 2012, 01:24:25 AM
Quote from: cypherdoc on March 17, 2012, 01:22:57 AM
Are the backups in 0.6.0 for Windows encrypted?
No

Why wouldn't it be? If you encrypt your working wallet, then run a backup, it should be encrypted as well, I would think.
Encrypted wallets aren't really encrypted entirely. Only your private keys are. There's still a lot of sensitive data in there you probably don't want public.

grue, Legendary
March 17, 2012, 01:38:35 AM  #16

So all the 0.4.* versions are still safe, right?

Luke-Jr, Legendary
March 17, 2012, 01:47:16 AM  #17

Quote from: grue on March 17, 2012, 01:38:35 AM
So all the 0.4.* versions are still safe, right?
For this specific bug, yes. But wxBitcoin (the GUI in 0.4.x) is not maintained or supported at all, so it likely has other unfixed vulnerabilities.

da2ce7, Legendary, Live and Let Live
March 17, 2012, 02:03:55 AM  #18

If the installer ain't working for you... make sure you select 'Run As Administrator'.

Users who wisely don't run as a super user will get the error 'cannot access file.' instead of a prompt for an escalation of privileges.
gmaxwell, Staff, Legendary
March 17, 2012, 03:20:49 AM  #19
Last edit: March 17, 2012, 03:36:53 AM by gmaxwell

With respect to detailed questions about the issue, we're currently being somewhat vague— simply because it's helpful to give innocent users as much of a head-start on trouble makers as possible.  

At the current time we don't know that the issue is exploitable. The class of issue and the overall paranoid design of the reference client make it hard to tell for sure. It is probably hard to exploit if it is exploitable at all.  Because of the potential seriousness the issue has been dealt with promptly and as if it were exploitable. (I'm not answering the specific timing questions because they may identify the issue too clearly).

If the issue turns out to be practically exploitable we'd much rather learn of it as a purely academic fact— academic because almost all impacted users had already applied fixes—  a few weeks from now, than learn about that in the form of hundreds of wallets being stolen through an exploit in the next few days.

I always encourage people to review the git history, but if you spot the fix for this issue— please don't point it out yet (and I will remove posts that do), if you like you can contact me privately and I'll gladly tell everyone how smart you were later. :) —  Reviewing the commits is generally good advice; it's always good to have more eyes on the code, and even if you don't satisfy your curiosity with respect to this issue you may learn something else useful.

hongus, Full Member, Adoption Blockchain e-Commerce to World
March 17, 2012, 03:55:07 AM  #20

So if I have 0.5.3.1-beta I'm safe?
