Arch Linux 804 Published by

The following two security updates has been released for Arch Linux:

ASA-201809-1: bitcoin-daemon: denial of service
ASA-201809-2: bitcoin-qt: denial of service



ASA-201809-1: bitcoin-daemon: denial of service

Arch Linux Security Advisory ASA-201809-1
=========================================

Severity: Medium
Date : 2018-09-22
CVE-ID : CVE-2018-17144
Package : bitcoin-daemon
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-766

Summary
=======

The package bitcoin-daemon before version 0.16.3-1 is vulnerable to
denial of service.

Resolution
==========

Upgrade to 0.16.3-1.

# pacman -Syu "bitcoin-daemon>=0.16.3-1"

The problem has been fixed upstream in version 0.16.3.

Workaround
==========

None.

Description
===========

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x
before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3
allow a remote denial of service (application crash) exploitable by
miners via duplicate input.
Any attempts to double-spend a transaction output within a single
transaction inside of a block where the output being spent was created
in the same block, the same assertion failure will occur (as exists in
the test case which was included in the 0.16.3 patch). However, if the
output being double-spent was created in a previous block, an entry
will still remain in the CCoin map with the DIRTY flag set and having
been marked as spent, resulting in no such assertion. This could allow
a miner to inflate the supply of Bitcoin as they would then be able to
claim the value being spent twice.

Impact
======

A remote attacker is able to crash the bitcoin-daemon or the bitcoin-qt
application. This vulnerability could allow a miner to inflate the
supply of Bitcoin as they would then be able to claim value being spent
twice.

References
==========

https://bitcoincore.org/en/2018/09/20/notice/
https://security.archlinux.org/CVE-2018-17144


ASA-201809-2: bitcoin-qt: denial of service

Arch Linux Security Advisory ASA-201809-2
=========================================

Severity: Medium
Date : 2018-09-22
CVE-ID : CVE-2018-17144
Package : bitcoin-qt
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-766

Summary
=======

The package bitcoin-qt before version 0.16.3-1 is vulnerable to denial
of service.

Resolution
==========

Upgrade to 0.16.3-1.

# pacman -Syu "bitcoin-qt>=0.16.3-1"

The problem has been fixed upstream in version 0.16.3.

Workaround
==========

None.

Description
===========

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x
before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3
allow a remote denial of service (application crash) exploitable by
miners via duplicate input.
Any attempts to double-spend a transaction output within a single
transaction inside of a block where the output being spent was created
in the same block, the same assertion failure will occur (as exists in
the test case which was included in the 0.16.3 patch). However, if the
output being double-spent was created in a previous block, an entry
will still remain in the CCoin map with the DIRTY flag set and having
been marked as spent, resulting in no such assertion. This could allow
a miner to inflate the supply of Bitcoin as they would then be able to
claim the value being spent twice.

Impact
======

A remote attacker is able to crash the bitcoin-daemon or the bitcoin-qt
application. This vulnerability could allow a miner to inflate the
supply of Bitcoin as they would then be able to claim value being spent
twice.

References
==========

https://bitcoincore.org/en/2018/09/20/notice/
https://security.archlinux.org/CVE-2018-17144