Bitcoin Forum
April 24, 2014, 05:49:41 AM *
News: Due to the OpenSSL heartbleed bug, changing your forum password is recommended.
 
   Home   Help Search Donate Login Register  
Pages: 1 [2] 3 4 5  All
  Print  
Author Topic: URGENT: Windows Bitcoin-Qt update  (Read 16079 times)
gmaxwell
Staff
Hero Member
*****
Offline Offline

Activity: 1078


View Profile

Ignore
March 17, 2012, 03:20:49 AM
 #21

With respect to detailed questions about the issue, we're currently being somewhat vague— simply because it's helpful to give innocent users as much of a head-start on trouble makers as possible.  

At the current time we don't know that the issue is exploitable. The class of issue and the overall paranoid design of the reference client make it hard to tell for sure. It is probably hard to exploit if it is exploitable at all.  Because of the potential seriousness the issue has been dealt with promptly and as if it were exploitable. (I'm not answering the specific timing questions because they may identify the issue too clearly).

If the issue turns out to be practically exploitable we'd much rather learn of it as a purely academic fact— academic because almost all impacted users had already applied fixes—  a few weeks from now, than learn about that in the form of hundreds of wallets being stolen through an exploit in the next few days.

I always encourage people to review the git history, but if you spot the fix for this issue— please don't point it out yet (and I will remove posts that do), if you like you can contact me privately and I'll gladly tell everyone how smart you were later. Smiley —  Reviewing the commits is generally good advice it's always good to have more eyes on the code, and even if you don't satisfy your curiosity with respect to this issue you may learn something else useful.

1398318581
Hero Member
*
Offline Offline

Posts: 1398318581

View Profile Personal Message (Offline)

Ignore
1398318581
Reply with quote  #2

1398318581
Report to moderator
1398318581
Hero Member
*
Offline Offline

Posts: 1398318581

View Profile Personal Message (Offline)

Ignore
1398318581
Reply with quote  #2

1398318581
Report to moderator
Buy a Blade, Get a 5-Chip Free!
Start Mining with GAWMiners.com
24/7 Live Phone & Tech Support
Free Hosting & Electricity for 1 Year!

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1398318581
Hero Member
*
Offline Offline

Posts: 1398318581

View Profile Personal Message (Offline)

Ignore
1398318581
Reply with quote  #2

1398318581
Report to moderator
1398318581
Hero Member
*
Offline Offline

Posts: 1398318581

View Profile Personal Message (Offline)

Ignore
1398318581
Reply with quote  #2

1398318581
Report to moderator
1398318581
Hero Member
*
Offline Offline

Posts: 1398318581

View Profile Personal Message (Offline)

Ignore
1398318581
Reply with quote  #2

1398318581
Report to moderator
hongus
Full Member
***
Offline Offline

Activity: 184


1hongus


View Profile

Ignore
March 17, 2012, 03:55:07 AM
 #22

So if I have 0.5.3.1-beta I'm safe?

1HoNGusEgzyXfvQnxHrJjx4bunJRf9pK19
gmaxwell
Staff
Hero Member
*****
Offline Offline

Activity: 1078


View Profile

Ignore
March 17, 2012, 04:02:52 AM
 #23

So if I have 0.5.3.1-beta I'm safe?

Yes. 0.5.3.1 is the fixed version of 0.5.3.
Killdozer
Full Member
***
Offline Offline

Activity: 204



View Profile

Ignore
March 17, 2012, 09:05:46 AM
 #24

Quote
about 3 days ago i was commenting on the language choice.
from a software architecture standpoint other languages than c++ would make more sense in such a sensitive area.

This is nonsense. If anything, more advanced languages can have their own vulnerabilities which could bitcoin vulnerable without any mistakes acutally made by the developers. This is almost impossible with a low level language like c++.
Apart from that, a program's security does not depend on the language, it depends on the coding.

defxor
Hero Member
*****
Offline Offline

Activity: 530


View Profile

Ignore
March 17, 2012, 09:31:30 AM
 #25


Apart from that, a program's security does not depend on the language, it depends on the coding.

All software developers of any experience and educational background will tell you that programs will always have bugs. It's simply impossible to provable test all possible pathways as soon as you venture beyond Hello World type complexity.

Thus it's better to use a programming and execution environment that protects you, as far as possible, when those bugs are found.

Schwede65
Sr. Member
****
Offline Offline

Activity: 300


View Profile

Ignore
March 17, 2012, 09:38:13 AM
 #26

only a question of a solo-mining-noob:

does an update effect the number of done shares to find a btc-block?

example: i have done 140.000 shares with 0.5.2
what will be there for me with update to 0.5.3.1 - start at share number 0 - without the 140.000?
psiborg
Newbie
*
Offline Offline

Activity: 25


View Profile

Ignore
March 17, 2012, 09:40:05 AM
 #27

If anything, more advanced languages can have their own vulnerabilities which could bitcoin vulnerable without any mistakes acutally made by the developers. This is almost impossible with a low level language like c++.
Apart from that, a program's security does not depend on the language, it depends on the coding.
Or on the (coding of the) language as you stated just earlier Wink
I'm using the anonymity patched bitcoin client (https://bitcointalk.org/index.php?topic=24784.0), hope they get their security patches too.
wachtwoord
Hero Member
*****
Offline Offline

Activity: 896



View Profile WWW

Ignore
March 17, 2012, 09:57:02 AM
 #28

So if I have 0.5.3.1-beta I'm safe?

Yes. 0.5.3.1 is the fixed version of 0.5.3.


What about 0.5.1-beta? (this versioning numbering is quite confusing)

✰ Scared Money Don't Make No Money | PrimeDice.com | The New Way To Roll *Thread*
I now do Bitcoin consultancy! PM to discuss terms.
Selling my signature space! PM to discuss terms.
eeb227823edc2ef43867d2640d26615cb7a3b2194af128c97b5f64770d367ba4
wumpus
Hero Member
*****
Offline Offline

Activity: 644

No Maps for These Territories


View Profile

Ignore
March 17, 2012, 10:08:44 AM
 #29

0.5.1 (-beta) is *not* safe.

only 0.5.3.1 and 0.6.0pre4 are safe right now. As for next versions, 0.5.4 and 0.6.0 (final) and so on will also be safe.

All bitcoin versions have -beta added in the "About" dialog as a statement about the current phase of the project, not about the current version.


Bitcoin Core developer [PGP]  Tips: 1L125pF2e7himW43Qu752ZFLtBLicxQmng Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
malevolent
Hypernode
Global Moderator
Hero Member
*
Offline Offline

Activity: 1050


View Profile

Ignore
March 17, 2012, 10:36:46 AM
 #30

I always encourage people to review the git history, but if you spot the fix for this issue— please don't point it out yet (and I will remove posts that do)

Shouldn't you adher to full disclosure policy? This would actually encourage people to update.
TheSeven
Hero Member
*****
Offline Offline

Activity: 504


FPGA Mining LLC


View Profile WWW

Ignore
March 17, 2012, 10:38:22 AM
 #31

only a question of a solo-mining-noob:

does an update effect the number of done shares to find a btc-block?

example: i have done 140.000 shares with 0.5.2
what will be there for me with update to 0.5.3.1 - start at share number 0 - without the 140.000?

There is no such thing as shares when you are solo mining, so updating won't affect your solo mining income.

My tip jar: 13kwqR7B4WcSAJCYJH1eXQcxG5vVUwKAqY
Gabi
Hero Member
*****
Offline Offline

Activity: 1050


View Profile

Ignore
March 17, 2012, 12:59:28 PM
 #32

Updated, i have 0.6rc4 now

I wonder what happens now with older wallets...
gmaxwell
Staff
Hero Member
*****
Offline Offline

Activity: 1078


View Profile

Ignore
March 17, 2012, 01:17:55 PM
 #33

Shouldn't you adher to full disclosure policy? This would actually encourage people to update.

If you look a discussion about full disclosure you'll see that much of the discussion is completely moot when the "vendors" of the software are also the discoverers of the issue.  There also isn't much more that could be disclosed right now.

Luke-Jr
Hero Member
*****
Offline Offline

Activity: 1218



View Profile

Ignore
March 17, 2012, 01:47:00 PM
 #34

It's simply impossible to provable test all possible pathways as soon as you venture beyond Hello World type complexity.
It actually isn't impossible, just complex enough it hasn't been accomplished yet. It's quite possible to write a specialized emulator that follows every possible code-path with "quantum" memory states...

coderrr
Member
**
Offline Offline

Activity: 63


View Profile WWW

Ignore
March 17, 2012, 01:48:30 PM
 #35

If anything, more advanced languages can have their own vulnerabilities which could bitcoin vulnerable without any mistakes acutally made by the developers. This is almost impossible with a low level language like c++.
Apart from that, a program's security does not depend on the language, it depends on the coding.
Or on the (coding of the) language as you stated just earlier Wink
I'm using the anonymity patched bitcoin client (https://bitcointalk.org/index.php?topic=24784.0), hope they get their security patches too.

I don't have any info on the vuln or code for the patch.  So I'd advise you not to use my patched binaries until the vuln and fix have been disclosed and I can compile new ones.

Co-Founder of Private Internet Access VPN Service
Original Co-Founder of MtGox Live and BTC.to
Original Developer of the Bitcoin Anonymity Patch
defxor
Hero Member
*****
Offline Offline

Activity: 530


View Profile

Ignore
March 17, 2012, 02:03:00 PM
 #36

It actually isn't impossible, just complex enough it hasn't been accomplished yet.

It's impossible in the same way as brute forcing a 128 bit UUID is impossible Smiley E.g. in our relevant universe.

(And enough so for the discussion at hand)
Luke-Jr
Hero Member
*****
Offline Offline

Activity: 1218



View Profile

Ignore
March 17, 2012, 02:10:39 PM
 #37

If anything, more advanced languages can have their own vulnerabilities which could bitcoin vulnerable without any mistakes acutally made by the developers. This is almost impossible with a low level language like c++.
Apart from that, a program's security does not depend on the language, it depends on the coding.
Or on the (coding of the) language as you stated just earlier Wink
I'm using the anonymity patched bitcoin client (https://bitcointalk.org/index.php?topic=24784.0), hope they get their security patches too.

I don't have any info on the vuln or code for the patch.  So I'd advise you not to use my patched binaries until the vuln and fix have been disclosed and I can compile new ones.
Dev team is doing builds of 0.5.3+coderrr with the fix applied; should be available later today.

malevolent
Hypernode
Global Moderator
Hero Member
*
Offline Offline

Activity: 1050


View Profile

Ignore
March 17, 2012, 03:26:10 PM
 #38

Shouldn't you adher to full disclosure policy? This would actually encourage people to update.

If you look a discussion about full disclosure you'll see that much of the discussion is completely moot when the "vendors" of the software are also the discoverers of the issue.  There also isn't much more that could be disclosed right now.



 Smiley
Luke-Jr
Hero Member
*****
Offline Offline

Activity: 1218



View Profile

Ignore
March 17, 2012, 03:52:12 PM
 #39

You have to be god-like to not create security vulnerabilities in significantly C/C++ software.  'Direct' buffer overflows can be avoided by littering your code with meticulous boiler plate (and praying you haven't made a mistake somewhere).  But integer overflows leading to buffer overflows are so hopelessly trickly that I have no faith in any C/C++ being safe.

Java buffer overflows simply don't exist... a huge class of exploit eradicated by language choice.  And there's a long list of languages immune to buffer overflows (this is mostly a glaring hole in C/C++).  Look up US military/intelligence mandates about language choice.  C/C++ is so bad that it should be immediately abandoned and _never_ used for _anything_.  Why do you think computer security is such a disaster (it was all C/C++ until the recent xss/xsrf/sql havoc - and that too is a design flaw).
Guess what language Java/Python/etc are implemented it.

grue
Staff
Hero Member
*****
Offline Offline

Activity: 1036


It is pitch black. You are likely to be eaten by a grue.


View Profile

Ignore
March 17, 2012, 04:25:51 PM
 #40

Java/Python/Ruby/Lisp buffer overflows simply don't exist... a huge class of exploit eradicated by language choice.  And there's a long list of languages immune to buffer overflows (this is mostly a glaring hole in C/C++).  Look up US military/intelligence mandates about language choice.  C/C++ is so bad that it should be immediately abandoned and _never_ used for _anything_.  Why do you think computer security is such a disaster (it was all C/C++ until the recent xss/xsrf/sql havoc - and that too is a design flaw).
I tried looking it up, but I could only find some random articles about switching to ada, but nothing stating that "C/C++ is so bad that it should be immediately abandoned and _never_ used for _anything_" . Can you point to the article claiming that?

1ELvnrA6PhUyDBS6iR25K1Xx4xXL6VMfJX
Pages: 1 [2] 3 4 5  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!