Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Miniupnpc security vunerabilities #264

Open
MitchellCash opened this issue Oct 11, 2015 · 9 comments
Open

Miniupnpc security vunerabilities #264

MitchellCash opened this issue Oct 11, 2015 · 9 comments
Labels
Build system question

Comments

@MitchellCash
Copy link
Contributor

The miniupnpc codebase seems to contain vulnerabilities and Bitcoin seems to be moving towards removing the dependency completely.

Until they can remove the dependency completely their compromise for now is to at least disable it by default, to prevent UPnP vulnerabilities being a structural danger to the network.

Can @IngCr3at1on please comment if we should also be moving towards this and if, yes, should we prioritise this work to mitigate the risk as soon as possible.

Possible work required:

  • Update miniupnpc to 1.9.20151008
  • Disable upnp by default
@MitchellCash MitchellCash changed the title Disable upnp by default Miniupnpc security vunerabilities Oct 11, 2015
@IngCr3at1on
Copy link
Contributor

Yes it is a concern, I spent all of friday trying to update our gitian dependencies but succeeded in breaking the windows builds repeatedly.

@IngCr3at1on
Copy link
Contributor

Took another shot at trying to update the gitian descriptors to use a newer version of miniupnpc but I just get the following no matter what I do:

./build/net.o:net.cpp:(.text+0x7ce8): undefined reference to `__imp__upnpDiscover'
./build/net.o:net.cpp:(.text+0x7d20): undefined reference to `__imp__UPNP_GetValidIGD'
./build/net.o:net.cpp:(.text+0x7d54): undefined reference to `__imp__freeUPNPDevlist'
./build/net.o:net.cpp:(.text+0x7f00): undefined reference to `__imp__UPNP_AddPortMapping'
./build/net.o:net.cpp:(.text+0x800b): undefined reference to `__imp__UPNP_AddPortMapping'
./build/net.o:net.cpp:(.text+0x8022): undefined reference to `__imp__strupnperror'
./build/net.o:net.cpp:(.text+0x8068): undefined reference to `__imp__FreeUPNPUrls'
./build/net.o:net.cpp:(.text+0x8076): undefined reference to `__imp__strupnperror'
./build/net.o:net.cpp:(.text+0x80d3): undefined reference to `__imp__UPNP_GetExternalIPAddress'
./build/net.o:net.cpp:(.text+0x8186): undefined reference to `__imp__UPNP_DeletePortMapping'
./build/net.o:net.cpp:(.text+0x81a5): undefined reference to `__imp__freeUPNPDevlist'
./build/net.o:net.cpp:(.text+0x81b1): undefined reference to `__imp__FreeUPNPUrls'

The linux builds complete without issues, thought since you had windows builds working locally you might have some thoughts on this @MitchellCash

(4 hours)

@IngCr3at1on
Copy link
Contributor

Yeah I'm making it nowhere on this (4.75 hours)

@IngCr3at1on IngCr3at1on mentioned this issue Jan 21, 2016
Open
@MitchellCash
Copy link
Contributor Author

This is without any testing but can you try adding DMINIUPNP_STATICLIB to your DEFINES?

@IngCr3at1on
Copy link
Contributor

@MitchellCash doesn't look like that works either :( (2 hours)

@MitchellCash
Copy link
Contributor Author

Damn! So you made sure to define -DMINIUPNP_STATICLIB instead of -DSTATICLIB?

I was certain that would solve it lol

@IngCr3at1on
Copy link
Contributor

I added the define to the gitian descriptor during the build.

@0xcircuitbreaker
Copy link

was any fix found @IngCr3at1on ?

@IngCr3at1on
Copy link
Contributor

Nope, any resolved issues were closed ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Build system question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@IngCr3at1on @MitchellCash @0xcircuitbreaker