Author: Bryan Bishop 2018-09-26 03:40:32
Published on: 2018-09-26T03:40:32+00:00
A vulnerability was reported to the bitcoin-dev mailing list on September 17th, regarding a denial of service bug. However, it was quickly determined that the issue was also an inflation vulnerability with the same root cause and fix. In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious Denial of Service vulnerability, concurrently with reaching out to miners, businesses, and other affected systems while delaying publication of the full issue to give times for systems to upgrade. The bug was fixed in Bitcoin Core versions 0.16.3 and 0.17.0rc4.The technical details of CVE-2018-17144 are explained in the blog post. In brief, in Bitcoin Core 0.14.X, any attempts to double-spend a transaction output within a single transaction inside of a block will result in an assertion failure and a crash, as was originally reported. In Bitcoin Core 0.15.X, 0.16.0, 0.16.1, and 0.16.2, any attempts to double-spend a transaction output within a single transaction inside of a block where the output being spent was created in the same block, the same assertion failure will occur (as exists in the test case which was included in the 0.16.3 patch). A timeline for the discovery and response to the vulnerability is also provided. On September 20, 2018, David Jaenson independently discovered the vulnerability, and it was reported to the Bitcoin Core security contact email. It's critical to affected users upgrade and apply the latest patches to ensure no possibility of large reorganizations, mining of invalid blocks, or acceptance of invalid transactions occurs.
Updated on: 2023-05-20T17:49:44.384012+00:00