verifier.py: fix CVE-2012-2459: reject left-sibling duplicates #10568
Open
SomberNight wants to merge 1 commit into spesmilo:master from
Due to how the txid-commitment merkle tree used in the block headers is constructed, we need an extra check to be able to validate the *position* of a txid in a block.

I think this is low severity for us.

See https://bitcointalk.org/?topic=102395 :
> The Merkle hash implementation that Bitcoin uses to calculate the Merkle
> root in a block header is flawed in that one can easily construct multiple
> lists of hashes that map to the same Merkle root.
> For example, merkle_hash([a, b, c]) and merkle_hash([a, b, c, c]) yield
> the same result. This is because, at every iteration, the Merkle hash
> function pads its intermediate list of hashes with the last hash if the
> list is of odd length, in order to make it of even length.
>
> And so, the Merkle root function can be effectively preimaged by
> changing the input so that one of the intermediate lists is of even
> length with the last two elements equal (where originally it was
> of odd length with a last element equal to the earlier mentioned two).
> As was later noted, this extends to any input length that is
> not a power of two:
> merkle_hash([a, b, c, d, e, f]) == merkle_hash([a, b, c, d, e, f, e, f]).
> Note that to maintain the same root hash, the only flexibility that
> exists is duplication of elements.

Ported from Electron-Cash@1651463

Co-authored-by: bitcoincashautist <80100588+A60AB5450353F40E@users.noreply.github.com>
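The padding behaviour from the quoted post and the left-sibling check named in the PR title, as an added example (not code from this PR or from Electrum). The function names and the `reject_left_dup` flag are assumptions, hashes are handled as raw bytes without Electrum's hex and byte-order conversions, and the txids are constructed.

```python
import hashlib

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def next_level(level):
    # Bitcoin pads an odd-length level with a copy of its last hash.
    if len(level) % 2:
        level = level + [level[-1]]
    return level, [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        _, level = next_level(level)
    return level[0]

def merkle_branch(leaves, pos):
    # Sibling hashes on the path from leaf `pos` up to the root.
    level, branch = list(leaves), []
    while len(level) > 1:
        padded, level = next_level(level)
        branch.append(padded[pos ^ 1])
        pos >>= 1
    return branch

def root_from_branch(branch, leaf, pos, reject_left_dup=True):
    # Recompute the root from an SPV proof for `leaf` at index `pos`.
    h = leaf
    for sibling in branch:
        if pos & 1:
            # A right-hand node equal to its left sibling can only be padding,
            # so the claimed position is not a real transaction slot.
            if reject_left_dup and sibling == h:
                return None  # fails closed: None never equals a header root
            h = sha256d(sibling + h)
        else:
            h = sha256d(h + sibling)
        pos >>= 1
    return h

def demo():
    a, b, c = (sha256d(x) for x in (b"a", b"b", b"c"))  # constructed txids
    root = merkle_root([a, b, c])
    forged = merkle_branch([a, b, c, c], 3)  # proof for the duplicate at index 3
    unchecked = root_from_branch(forged, c, 3, reject_left_dup=False) == root
    rejected = root_from_branch(forged, c, 3) is None
    honest = root_from_branch(merkle_branch([a, b, c], 2), c, 2) == root
    return merkle_root([a, b, c, c]) == root, unchecked, rejected, honest
```

`demo()` returns four booleans: the two lists share a root, the unchecked verifier accepts index 3 in a three-transaction block, the checked verifier rejects it, and the honest proof at index 2 still verifies.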