Bitcoin Forum
Topic: URGENT: Windows Bitcoin-Qt update
Luke-Jr
March 19, 2012, 04:40:41 PM
 #61

FYI, Windows binaries from the 0.6.0rc4 source (in git) will not get you a fixed build.

Why's that?  The v0.6.0rc4 tag includes the -lmingwthrd fix.

When I first saw your post I figured I must have guessed wrongly what the update was all about, because the changes for safe multi-threading in mingw were included in the rc4 source.
The v0.6.0rc4 tag includes the fix, but it removes -lmingw only in the gitian build of Qt. Since it doesn't also change the filename, there is a probability anyone using gitian will not rebuild Qt; they, and non-gitian builders, will therefore not get the change. I submitted a pull request to move the change to bitcoin-qt.pro where it belongs, and incorporated this into the v0.5.3.1 tag.

While it would be possible (and in the case of the binaries, was done) to build v0.6.0rc4 with the adjusted Qt, doing so required inside knowledge of the fix, and could not be explained without disclosing the nature of the security issue; therefore, I stuck with a blanket "will not" to be on the safe side.
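
An added example, not part of Luke-Jr's post and not the Bitcoin project's or gitian's own code: a small model of the failure mode the post describes, where a cached dependency build is looked up by output filename, so a change to its linker flags does not trigger a rebuild. The recipe layout, the `qt-deps.zip` filename and all function names are constructed for illustration; only the `-lmingwthrd` flag comes from the thread.

```python
import hashlib
import json


def build(recipe):
    """Stand-in for a real compile: the artifact records the flags it was linked with."""
    return {"file": recipe["output"], "ldflags": tuple(recipe["ldflags"])}


def key_by_filename(recipe):
    """Weak cache key: only the output filename, blind to recipe changes."""
    return recipe["output"]


def key_by_recipe_hash(recipe):
    """Stronger cache key: SHA-256 over the canonicalised recipe contents."""
    canonical = json.dumps(recipe, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


class DepCache:
    """Hypothetical dependency cache that rebuilds only on a key miss."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}
        self.builds = 0

    def get(self, recipe):
        key = self.key_fn(recipe)
        if key not in self.store:
            self.builds += 1
            self.store[key] = build(recipe)
        return self.store[key]


# Constructed recipes: same output filename, different linker flags.
OLD_RECIPE = {"output": "qt-deps.zip", "ldflags": ["-lmingwthrd"]}
FIXED_RECIPE = {"output": "qt-deps.zip", "ldflags": []}


def simulate(key_fn):
    """Build with the old recipe, then request the fixed one from the same cache."""
    cache = DepCache(key_fn)
    cache.get(OLD_RECIPE)
    artifact = cache.get(FIXED_RECIPE)
    return cache.builds, artifact["ldflags"]


if __name__ == "__main__":
    print("filename key   :", simulate(key_by_filename))
    print("recipe-hash key:", simulate(key_by_recipe_hash))
```

With the filename key the second request is served from the stale artifact; with the recipe-hash key the changed flags force a rebuild.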

Schwede65
March 19, 2012, 10:24:39 PM
 #62


now please for the non-coders:

are the posted (above) windows-binaries safe?
Pieter Wuille
March 19, 2012, 10:25:49 PM
 #63


Yes.

aka sipa, core dev team

Tips and donations: 1KwDYMJMS4xq3ZEWYfdBRwYG2fHwhZsipa
Nyaaan
March 22, 2012, 01:33:23 PM
 #64

Quote
about 3 days ago i was commenting on the language choice.
from a software architecture standpoint other languages than c++ would make more sense in such a sensitive area.

This is nonsense. If anything, more advanced languages can have their own vulnerabilities which could make bitcoin vulnerable without any mistakes actually made by the developers. This is almost impossible with a low level language like c++.
Apart from that, a program's security does not depend on the language, it depends on the coding.

I'm sorry but you are completely wrong here.

You have to be god-like to not create security vulnerabilities in significant C/C++ software.  'Direct' buffer overflows can be avoided by littering your code with meticulous boilerplate (and praying you haven't made a mistake somewhere).  But integer overflows leading to buffer overflows are so hopelessly tricky that I have no faith in any C/C++ being safe.

Java/Python/Ruby/Lisp buffer overflows simply don't exist... a huge class of exploit eradicated by language choice.  And there's a long list of languages immune to buffer overflows (this is mostly a glaring hole in C/C++).  Look up US military/intelligence mandates about language choice.  C/C++ is so bad that it should be immediately abandoned and _never_ used for _anything_.  Why do you think computer security is such a disaster (it was all C/C++ until the recent xss/xsrf/sql havoc - and that too is a design flaw).

That you think "this is nonsense" means that your own code is already insecure, and you just don't know it.


+1

C++ used to be my favorite language... until I learned Lisp and Python.

Now my foot is finally recovering from being shot too many times

I think you mean your knee.

Also, thank you for the fix, developers.
NothinG
March 23, 2012, 03:23:20 AM
 #65



Anyone else having this problem?

Diapolo
March 23, 2012, 05:53:12 AM
 #66



Anyone else having this problem?

You could try this, perhaps it's related: https://bitcointalk.org/index.php?topic=66887.msg779221#msg779221

Dia

Liked my former work for Bitcoin Core? Drop me a donation via:
1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x
bitcoin:1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x?label=Diapolo
NothinG
March 23, 2012, 05:59:25 AM
 #67


You could try this, perhaps it's related: https://bitcointalk.org/index.php?topic=66887.msg779221#msg779221

Dia
I just tried that, seemed to make it worse. Looked into the logs (new information after what Diapolo said to do), said something about the indexing.
So, I am re-building my blkindex.dat.
I'll post what I find.

JackH
March 24, 2012, 11:53:07 AM
 #68

Is this affecting Bitcoin version 0.3.21?

<helo> funny that this proposal grows the maximum block size to 8GB, and is seen as a compromise
<helo> oh, you don't like a 20x increase? well how about 8192x increase?
<JackH> lmao
Vandroiy
March 24, 2012, 01:53:11 PM
 #69

+1 for an implementation in a safer language.

I keep saying the same thing; it's just absurd to use a highspeed-hacker-language for financial transactions.

We need another client for broad usage. If everyone hates Mono so much, well then use Java or something, but not something that cares little about type safety, operates directly on memory pointers etc. Think aspect-oriented programming, contracts, this is the kind of stuff we need, and it's as far from C++ as you get.
Pieter Wuille
March 24, 2012, 01:57:09 PM
 #70

Is this affecting Bitcoin version 0.3.21?

No, only Windows versions of Bitcoin-Qt are affected, a GUI that was only merged in 0.5.0.

However, it's generally a bad idea to keep using such old versions...

aka sipa, core dev team

Tips and donations: 1KwDYMJMS4xq3ZEWYfdBRwYG2fHwhZsipa
Luke-Jr
March 24, 2012, 02:02:09 PM
 #71

Is this affecting Bitcoin version 0.3.21?
Not this, but 0.3.* are not maintained and have several security and other bugs. Upgrade to at least 0.4.4.

Diapolo
March 24, 2012, 02:08:05 PM
 #72

+1 for an implementation in a safer language.

I keep saying the same thing; it's just absurd to use a highspeed-hacker-language for financial transactions.

We need another client for broad usage. If everyone hates Mono so much, well then use Java or something, but not something that cares little about type safety, operates directly on memory pointers etc. Think aspect-oriented programming, contracts, this is the kind of stuff we need, and it's as far from C++ as you get.

I hate Java more than Python, than Basic ... Windows is written in what language? Linux kernel is written in?

Dia

Liked my former work for Bitcoin Core? Drop me a donation via:
1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x
bitcoin:1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x?label=Diapolo
Pieter Wuille
March 24, 2012, 02:14:04 PM
 #73

+1 for an implementation in a safer language.

I keep saying the same thing; it's just absurd to use a highspeed-hacker-language for financial transactions.

We need another client for broad usage. If everyone hates Mono so much, well then use Java or something, but not something that cares little about type safety, operates directly on memory pointers etc. Think aspect-oriented programming, contracts, this is the kind of stuff we need, and it's as far from C++ as you get.

I hate Java more than Python, than Basic ... Windows is written in what language? Linux kernel is written in?

Dia

Can you please stop discussing what language Bitcoin clients are supposed to be written in? This thread is about the specific security problem found here.

Start a discussion in the dev section, if you like a language flamewar.

aka sipa, core dev team

Tips and donations: 1KwDYMJMS4xq3ZEWYfdBRwYG2fHwhZsipa
Luke-Jr
March 26, 2012, 09:16:58 PM
 #74

FWIW, this issue has been assigned CVE-2012-1910

Diapolo
March 27, 2012, 05:23:08 AM
 #75

FWIW, this issue has been assigned CVE-2012-1910

That's a great step, it would be even better to link the advisory. One I found by that number was for JavaRE and the other for Bind DNS :-/.

Dia

Liked my former work for Bitcoin Core? Drop me a donation via:
1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x
bitcoin:1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x?label=Diapolo
Luke-Jr
March 27, 2012, 05:24:11 AM
 #76

FWIW, this issue has been assigned CVE-2012-1910

That's a great step, it would be even better to link the advisory. One I found by that number was for JavaRE and the other for Bind DNS :-/.

Dia
This thread is the advisory...

Diapolo
March 27, 2012, 05:27:14 AM
 #77

FWIW, this issue has been assigned CVE-2012-1910

That's a great step, it would be even better to link the advisory. One I found by that number was for JavaRE and the other for Bind DNS :-/.

Dia
This thread is the advisory...

Then who chose those CVE numbers? I thought these numbers were assigned by an external company or organisation ... my fault then.

Liked my former work for Bitcoin Core? Drop me a donation via:
1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x
bitcoin:1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x?label=Diapolo
Pieter Wuille
March 27, 2012, 02:20:12 PM
 #78

The numbers are chosen by an external advisory yes, but apparently it's just a number to identify the problem.

I think it'd be a little more useful if information about the issue could actually be found in online databases directly about it.

aka sipa, core dev team

Tips and donations: 1KwDYMJMS4xq3ZEWYfdBRwYG2fHwhZsipa
Diapolo
March 27, 2012, 02:35:27 PM
 #79

The numbers are chosen by an external advisory yes, but apparently it's just a number to identify the problem.

I think it'd be a little more useful if information about the issue could actually be found in online databases directly about it.

I had exactly this in my mind :), a public database, an externally given ID and independent information about issues.

Dia

Liked my former work for Bitcoin Core? Drop me a donation via:
1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x
bitcoin:1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x?label=Diapolo
fabrizziop
April 01, 2012, 01:28:41 AM
 #80

Is it safe to use the 0.6.0 version?, newly released.