Monero Mining

226 readers

1 users here now

founded 1 year ago

MODERATORS

[email protected]

P2Pool v3.7 & the recently fixed cURL bug (monero.town)

submitted 1 year ago by [email protected] to c/[email protected]

2 comments fedilink hide all child comments

The bug fixed in cURL 8.4.0 (CVE-2023-38545) is a nasty one, but it seems rather harmless in our context.

First of all, if you don’t use socks5, this issue should be irrelevant. (But do your own research. Source code is there for you to freely study, modify, compile.)

According to the blog, the bug could be exploited only if a socks5 proxy user is tricked to resolve a crazy long hostname (~1024 characters+), which sounds unlikely; except if your direct peer is evil, they might be able to send you a crazy long hostname instead of a numeric IP… maybe? However, if you’re on socks5 proxy, the attacker can’t see your real IP to begin with, so they can’t attack you (I think).

The only attack vector my stupid head can think of is: if for some reason you use both clear connections and socks5 connections, then a lucky attacker who notices your behavior can hit your real IP when you’re on Tor, using your wallet address as an identifier. (Tor exit nodes are public, so they know someone is on Tor.) Even then, maybe the worst thing that could happen is that your p2pool crashes due to buffer overrun.

top 2 comments

sorted by: hot top controversial new old

[–] [email protected] 1 points 1 year ago (1 children)

I have been on 3.7 for like a week or so now and all is running well. The picks are breaking blocks and taking names. Lol

[–] [email protected] 1 points 1 year ago

It’s an old bug in cURL, not specific in p2pool v3.7. Every version is affected.

I think it’s harmless in reality. We can safely keep using the current version, especially if you don’t use Socks5. It’ll be fixed in the next release (3.7.1? 3.8?), though.