spesmilo / electrum / 6663199702908928

65%

master: 65%

Build Type

Pull #10568

CirrusCI

Committed by SomberNight

Commit Message

verifier.py: fix CVE-2012-2459: reject left-sibling duplicates

Due to how the txid-commitment merkle tree used in the block headers is constructed, we need an extra check to be able to validate the *position* of a txid in a block.

I think this is low severity for us.

See https://bitcointalk.org/?topic=102395 :

> The Merkle hash implementation that Bitcoin uses to calculate the Merkle
> root in a block header is flawed in that one can easily construct multiple
> lists of hashes that map to the same Merkle root.
> For example, merkle_hash([a, b, c]) and merkle_hash([a, b, c, c]) yield
> the same result. This is because, at every iteration, the Merkle hash
> function pads its intermediate list of hashes with the last hash if the
> list is of odd length, in order to make it of even length.
>
> And so, the Merkle root function can be effectively preimaged by
> changing the input so that one of the intermediate lists is of even
> length with the last two elements equal (where originally it was
> of odd length with a last element equal to the earlier mentioned two).
> As was later noted, this extends to any input length that is
> not a power of two:
> merkle_hash([a, b, c, d, e, f]) == merkle_hash([a, b, c, d, e, f, e, f]).
> Note that to maintain the same root hash, the only flexibility that
> exists is duplication of elements.

Ported from https://github.com/Electron-Cash/Electron-Cash/commit/165146362

Co-authored-by: bitcoincashautist <80100588+A60AB5450353F40E@users.noreply.github.com>

Pull Request Pull Request #10568: verifier.py: fix CVE-2012-2459: reject left-sibling duplicates

Coverage Stats

7 of 7 new or added lines in 1 file covered. (100.0%)

2 existing lines in 2 files now uncovered.

24424 of 37667 relevant lines covered (64.84%)

0.65 hits per line