
Backports from Bitcoin

Open CharesFang opened this issue 3 years ago • 3 comments

We recently investigated the Bitcoin issues which are related to privacy protection, vulnerability patches, or security enhancements. We have also checked the Ravencoin source code. Results show that these issues and their PRs are not backported yet. Hence, we suggest that Ravencoin backport the PRs listed below for the sake of software security and integrity.

  • [x] Bitcoin PR#17906, avoid uninitialized reads.
  • [x] Bitcoin PR#16572, fix a Char variable used as Bool.
  • [ ] Bitcoin PR#16251, improve signrawtransaction error reporting.
  • [x] Bitcoin PR#15305, fix crash when disconnecting fails.
  • [ ] Bitcoin PR#15039, avoid leaking nLockTime fingerprint.
  • [x] Bitcoin PR#14993, fix data race in InterruptRPC().
  • [x] Bitcoin PR#14728, fix uninitialized read.
  • [x] Bitcoin PR#13907, introduce a maximum size for locators.
  • [ ] Bitcoin PR#13808, shuffle coins before grouping, for privacy protection.
  • [ ] Bitcoin PR#13683, avoid potential null pointer dereference.

Some of these issues and PRs are not severely security-related, but backports can avoid a chaotic ecosystem of Bitcoin-forked projects and potential vulnerabilities in the future.

Reported by de957ad9679f28a38f02f00cc7928bce8fb424882ff060a3c09c32895b1474cc.

CharesFang, Dec 12 '21 08:12

I don't think point 9 is an issue.

We don't group like Bitcoin. Grouping was introduced in https://github.com/bitcoin/bitcoin/pull/12257. We don't have that. Have not looked closely at it, but we could of course add an extra shuffle. Bitcoin does not do the extra shuffle unless -avoidpartialspends is enabled.

fdoving, Dec 23 '21 23:12

Point 10 does not apply to Ravencoin. We have not yet merged https://github.com/bitcoin/bitcoin/commit/4279da47855ec776f8d57c6579fe89afc9cbe8c1, which is the commit in which this was introduced.

fdoving, Dec 24 '21 00:12

Here is another Bitcoin patch that should be backported.

This PR#12172 fixed a problem that the RPC savemempool would lose some memory data, but it introduced another race condition problem in its patch PR#15323. So, I recommend that Ravencoin should backport these 2 PRs together.

CharesFang, Jan 13 '22 08:01