From: Michael Folkson <michaelfolkson@protonmail.com>
To: alicexbt <alicexbt@protonmail.com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Date: Tue, 23 May 2023 16:17:55 +0000
Subject: Re: [bitcoin-dev] Responsible disclosures and Bitcoin development
Message-ID: <ZK1WioZUQp4XKBw9a8RxvLRRtlxsnQ8NoZ5SPIbcMVqeW3D9bpnLeJF2V4L68jz3QVaaqYiBbo46Rxobs8hZ9LfK3Jxibi1HHKBgQiqbCUs=@protonmail.com>
In-Reply-To: <yCRGs9ve5782SDi1mdGMA1x1jOeJzBkfsWJxtFD3gcrPHI7WW2Ah3Qn9_Z1f17pGFAfC4DIx8fnLUMggrRdq0kfYRlJxpgLt_qJ7wSVC9t0=@protonmail.com>
References: <73TDuUxE1bU1oorFgqmS9MKA_hQz8W_IdSR9zJK1Fwkp5qfU7eqmA75QMddrME9iwrLmTkB7qLgf94o4c4NT1OgHe2QD_BeWvjZvDmLT6dg=@protonmail.com>
<I_QFh8MNIEz819n0dEitgXPmS5jfrYkOxTZoo211l1grYmW3yrDYxkso9XSrqLS26WJVXj0LAIpYe77DwWs7sXClVjz_Oz-lQiOV3Hn1U2Y=@protonmail.com>
<k95MsgwJmus2shEQ3XcON4sPN2jpvN0NOiVuIUk27H-gQno3iH4XEMH_nyaKzUuCM8KKt63qM8cph6Eai7fCgWRxfTdYnKdfVw0i2NZTTf0=@protonmail.com>
<v7cGm-OTbNjvVuGJ8xMe1pOiBwVH1BZkJMS6DjcK5j9kMHmeCRhKrpbglugLPjyUQmDSzIXNxGz4k-kK4sjkIHgWrbaiO_93qauVKSJzZmY=@protonmail.com>
<yCRGs9ve5782SDi1mdGMA1x1jOeJzBkfsWJxtFD3gcrPHI7WW2Ah3Qn9_Z1f17pGFAfC4DIx8fnLUMggrRdq0kfYRlJxpgLt_qJ7wSVC9t0=@protonmail.com>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>

Hi alicexbt

> It has been assigned CVE-2023-33297

Did you personally request the CVE ID? Say via here [0]? Did you confirm with someone listed on the vulnerability reporting process [1] for Bitcoin Core that it made sense to do that at this time? I'm not sure whether completely bypassing that list and requesting CVE IDs for the project as an individual is the way to go. If you have already contacted one of them and they've given you the go-ahead to start the CVE process then fine. You weren't particularly clear about what has occurred.

Thanks
Michael

[0]: https://cve.mitre.org/cve/request_id.html
[1]: https://github.com/bitcoin/bitcoin/blob/master/SECURITY.md

--
Michael Folkson
Email: michaelfolkson at protonmail.com
GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F

Learn about Bitcoin: https://www.youtube.com/@portofbitcoin

------- Original Message -------
On Monday, May 22nd, 2023 at 13:56, alicexbt <alicexbt@protonmail.com> wrote:

> Hi Michael,
>
> > Now that's not to say you may not have a point about better documentation and guidance on what should go through the vulnerability reporting process and what shouldn't.
>
> Yes, this can be improved.
>
> > Or even that this particular issue could ultimately end up being classed a CVE.
>
> It has been assigned CVE-2023-33297
>
> /dev/fd0
> floppy disk guy
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Wednesday, May 17th, 2023 at 6:14 PM, Michael Folkson michaelfolkson@protonmail.com wrote:
>
> > Hi alicexbt
> >
> > "Open source" has the word "open" in it. Pushing everything into closed, private channels of communication and select groups of individuals is what I've been trying to push back upon. As I said in my initial response "it doesn't scale for all bug reports and investigations to go through this tiny funnel" though "there are clearly examples where the process is critically needed".
> >
> > Now that's not to say you may not have a point about better documentation and guidance on what should go through the vulnerability reporting process and what shouldn't. Or even that this particular issue could ultimately end up being classed a CVE. But rather than merely complaining and putting "open source" into quote marks perhaps suggest what class of bug reports should go through the tiny funnel and what shouldn't. Unless you think everything should go through the funnel, in which case you are advocating for less openness whilst simultaneously complaining it isn't "open source". Square that circle.
> >
> > Thanks
> > Michael
> >
> > --
> > Michael Folkson
> > Email: michaelfolkson at protonmail.com
> > GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
> >
> > Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
> >
> > ------- Original Message -------
> > On Tuesday, May 16th, 2023 at 23:39, alicexbt alicexbt@protonmail.com wrote:
> >
> > > Hi Michael,
> > >
> > > A disagreement and some thoughts already shared in an email, although it's not clear to some "open source" devs:
> > >
> > > Impact of this vulnerability:
> > >
> > > - Denial of Service
> > > - Stale blocks affecting mining pool revenue
> > >
> > > Why it should have been reported privately to security@bitcoincore.org, even if initially found affecting only the debug build?
> > >
> > > Example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3129
> > >
> > > CVE is a different process and I am aware of it. It would be good for certain developers in the core team to reflect on their own approach to security, regardless of whether their work receives CVE recognition or not.
> > >
> > > /dev/fd0
> > > floppy disk guy
> > >
> > > Sent with Proton Mail secure email.
> > >
> > > ------- Original Message -------
> > > On Friday, May 12th, 2023 at 1:14 AM, Michael Folkson michaelfolkson@protonmail.com wrote:
> > >
> > > > Hi alicexbt
> > > >
> > > > The vulnerability reporting process requires communication and resolution via a small group of individuals 0 rather than through open collaboration between any contributors on the repo. There are clearly examples where the process is critically needed, the most obvious past example being the 2018 inflation bug 1. However, it doesn't scale for all bug reports and investigations to go through this tiny funnel. For an issue that isn't going to result in loss of onchain funds and doesn't seem to present a systemic issue (e.g. network DoS attack, inflation bug) I'm of the view that opening a public issue was appropriate in this case, especially as the issue initially assumed it was only impacting nodes running in debug mode (not a mode a node in production is likely to be running in).
> > > >
> > > > An interesting question though, and I'm certainly happy to be corrected by those who have been investigating the issue. Some delicate trade-offs involved, including understanding and resolving the issue faster through wider collaboration versus keeping knowledge of the issue within a smaller group.
> > > >
> > > > Thanks
> > > > Michael
> > > >
> > > > --
> > > > Michael Folkson
> > > > Email: michaelfolkson at protonmail.com
> > > > GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
> > > >
> > > > Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
> > > >
> > > > ------- Original Message -------
> > > > On Tuesday, May 9th, 2023 at 03:47, alicexbt via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > >
> > > > > Hi Bitcoin Developers,
> > > > >
> > > > > There is an open issue in the bitcoin core repository which was created last week: https://github.com/bitcoin/bitcoin/issues/27586
> > > > >
> > > > > I think this should have been reported privately as a vulnerability instead of creating a GitHub issue, even if it worked only in debug mode. Some users in the comments have also experienced similar issues without a debug build used for bitcoind. I have not noticed any decline in the number of listening nodes on bitnodes.io in the last 24 hours, so I am assuming this is not an issue with the majority of bitcoin core nodes. However, things could have been worse, and there is nothing wrong in reporting something privately if there is even a 1% possibility of it being a vulnerability. I had recently reported something to the LND security team based on a closed issue on GitHub which eventually was not considered a vulnerability: https://github.com/lightningnetwork/lnd/issues/7449
> > > > >
> > > > > In the CPU usage issue, maybe the users can run bitcoind with a bigger mempool or try other things shared in the issue by everyone.
> > > > >
> > > > > This isn't the first time either that a vulnerability was reported publicly: https://gist.github.com/chjj/4ff628f3a0d42823a90edf47340f0db9 and this was even exploited on mainnet, which affected some projects.
> > > > >
> > > > > This email is just a request to consider the impact of any vulnerability; if it gets exploited it could affect a lot of things. Even projects with no financial activity involved follow better practices.
> > > > >
> > > > > /dev/fd0
> > > > > floppy disk guy
> > > > >
> > > > > Sent with Proton Mail secure email.