Pieter Wuille
Legendary
 Offline
Activity: 1072
Merit: 1174
|
 |
March 19, 2012, 10:25:49 PM |
|
now please for the non-coders: are the the posted (above) windows-binaries safe? Yes. |
I do Bitcoin stuff.
|
|
|
|
|
|
|
|
|
|
|
|
The grue lurks in the darkest places of the earth. Its favorite diet is adventurers, but its insatiable appetite is tempered by its fear of light. No grue has ever been seen by the light of day, and few have survived its fearsome jaws to tell the tale.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
Nyaaan
|
|
March 22, 2012, 01:33:23 PM |
|
about 3 days ago i was commenting on the language choice.
from a software architecture standpoint other languages than c++ would make more sense in such a sensitive area. This is nonsense. If anything, more advanced languages can have their own vulnerabilities which could bitcoin vulnerable without any mistakes acutally made by the developers. This is almost impossible with a low level language like c++. Apart from that, a program's security does not depend on the language, it depends on the coding. I'm sorry but you are completely wrong here. You have to be god-like to not create security vulnerabilities in significantly C/C++ software. 'Direct' buffer overflows can be avoided by littering your code with meticulous boiler plate (and praying you haven't made a mistake somewhere). But integer overflows leading to buffer overflows are so hopelessly trickly that I have no faith in any C/C++ being safe. Java/Python/Ruby/Lisp buffer overflows simply don't exist... a huge class of exploit eradicated by language choice. And there's a long list of languages immune to buffer overflows (this is mostly a glaring hole in C/C++). Look up US military/intelligence mandates about language choice. C/C++ is so bad that it should be immediately abandoned and _never_ used for _anything_. Why do you think computer security is such a disaster (it was all C/C++ until the recent xss/xsrf/sql havoc - and that too is a design flaw). That you think "this is nonsense" means that your own code is already insecure, and you just don't know it. +1 C++ used to be my favorite language... until I learned Lisp and Python. Now my foot is finally recovering from being shot too many timesI think you mean your knee. Also, thank you for the fix, developers. |
|
|
|
|
|
NothinG
|
|
March 23, 2012, 03:23:20 AM |
|
 Anyone else having this problem? |
|
|
|
|
|
|
NothinG
|
|
March 23, 2012, 05:59:25 AM |
|
I just tried that, seemed to make it worse. Looked into the logs (new information after what Diapolo said to do), said something about the indexing. So, I am re-building my blkindex.dat. I'll post what I find. |
|
|
|
|
JackH
|
|
March 24, 2012, 11:53:07 AM |
|
Is this affecting Bitcoin version 0.3.21?
|
<helo> funny that this proposal grows the maximum block size to 8GB, and is seen as a compromise
<helo> oh, you don't like a 20x increase? well how about 8192x increase?
<JackH> lmao
|
|
|
Vandroiy
Legendary
Offline
Activity: 1036
Merit: 1002
|
|
March 24, 2012, 01:53:11 PM |
|
+1 for an implementation in a safer language.
I keep saying the same thing; it's just absurd to use a highspeed-hacker-language for financial transactions.
We need another client for broad usage. If everyone hates Mono so much, well then use Java or something, but not something that cares little about type safety, operates directly on memory pointers etc. Think aspect-oriented programming, contracts, this is the kind of stuff we need, and it's as far from C++ as you get.
|
|
|
|
|
Pieter Wuille
Legendary
Offline
Activity: 1072
Merit: 1174
|
|
March 24, 2012, 01:57:09 PM |
|
Is this affecting Bitcoin version 0.3.21?
No, only windows version of Bitcoin-Qt are affected, a GUI that was only merged in 0.5.0. However, it's generally a bad idea to keep using such old versions... |
I do Bitcoin stuff.
|
|
|
Luke-Jr
Legendary
Offline
Activity: 2576
Merit: 1186
|
|
March 24, 2012, 02:02:09 PM |
|
Is this affecting Bitcoin version 0.3.21?
Not this, but 0.3.* are not maintained and have several security and other bugs. Upgrade to at least 0.4.4. |
|
|
|
|
Diapolo
|
|
March 24, 2012, 02:08:05 PM |
|
+1 for an implementation in a safer language.
I keep saying the same thing; it's just absurd to use a highspeed-hacker-language for financial transactions.
We need another client for broad usage. If everyone hates Mono so much, well then use Java or something, but not something that cares little about type safety, operates directly on memory pointers etc. Think aspect-oriented programming, contracts, this is the kind of stuff we need, and it's as far from C++ as you get.
I hate Java more than Python, than Basic ... Windows is written in what language? Linux kernel is written in? Dia |
|
|
|
Pieter Wuille
Legendary
Offline
Activity: 1072
Merit: 1174
|
|
March 24, 2012, 02:14:04 PM |
|
+1 for an implementation in a safer language.
I keep saying the same thing; it's just absurd to use a highspeed-hacker-language for financial transactions.
We need another client for broad usage. If everyone hates Mono so much, well then use Java or something, but not something that cares little about type safety, operates directly on memory pointers etc. Think aspect-oriented programming, contracts, this is the kind of stuff we need, and it's as far from C++ as you get.
I hate Java more than Python, than Basic ... Windows is written in what language? Linux kernel is written in? Dia Can you please stop discussing what language Bitcoin clients are supposed to be written in? This thread is about the specific security problem found here. Start a discussion in the dev section, if you like a language flamewar. |
I do Bitcoin stuff.
|
|
|
Luke-Jr
Legendary
Offline
Activity: 2576
Merit: 1186
|
|
March 26, 2012, 09:16:58 PM
Last edit: March 26, 2012, 10:27:28 PM by Luke-Jr |
|
FWIW, this issue has been assigned CVE-2012-1910
|
|
|
|
|
Diapolo
|
|
March 27, 2012, 05:23:08 AM |
|
FWIW, this issue has been assigned CVE-2012-1910
That's a great step, it would be even better to link the advisory. One I found by that number was for JavaRE and the other for Bind DNS :-/. Dia |
|
|
|
Luke-Jr
Legendary
Offline
Activity: 2576
Merit: 1186
|
|
March 27, 2012, 05:24:11 AM |
|
FWIW, this issue has been assigned CVE-2012-1910
That's a great step, it would be even better to link the advisory. One I found by that number was for JavaRE and the other for Bind DNS :-/. Dia This thread is the advisory... |
|
|
|
|
Diapolo
|
|
March 27, 2012, 05:27:14 AM |
|
FWIW, this issue has been assigned CVE-2012-1910
That's a great step, it would be even better to link the advisory. One I found by that number was for JavaRE and the other for Bind DNS :-/. Dia This thread is the advisory... Then who did chose that CVE numbers? I thought these numbers were assigned by an external company or organisation ... my fault then. |
|
|
|
Pieter Wuille
Legendary
Offline
Activity: 1072
Merit: 1174
|
|
March 27, 2012, 02:20:12 PM |
|
The numbers are chosen by an external advisory yes, but apparently it's just a number to identify the problem.
I think it'd be a little more useful if information about the issue could actually be found in online databases directly about it.
|
I do Bitcoin stuff.
|
|
|
|
Diapolo
|
|
March 27, 2012, 02:35:27 PM |
|
The numbers are chosen by an external advisory yes, but apparently it's just a number to identify the problem.
I think it'd be a little more useful if information about the issue could actually be found in online databases directly about it.
I had exactly this in my mind  , a public database, an external given ID and independent information about issues. Dia |
|
|
|
|
fabrizziop
|
|
April 01, 2012, 01:28:41 AM |
|
Is it safe to use the 0.6.0 version?, newly released.
|
|
|
|
|
Luke-Jr
Legendary
Offline
Activity: 2576
Merit: 1186
|
|
April 01, 2012, 01:41:18 AM |
|
Is it safe to use the 0.6.0 version?, newly released.
Yes |
|
|
|
|
