this post was submitted on 11 Oct 2023
Monero Mining

The bug fixed in cURL 8.4.0 (CVE-2023-38545) is a nasty one, but it seems rather harmless in our context.

First of all, if you don’t use socks5, this issue should be irrelevant. (But do your own research. Source code is there for you to freely study, modify, compile.)

According to the blog, the bug could be exploited only if a socks5 proxy user is tricked into resolving a crazy long hostname (~1024 characters+), which sounds unlikely; except if your direct peer is evil, they might be able to send you a crazy long hostname instead of a numeric IP… maybe? However, if you’re on a socks5 proxy, the attacker can’t see your real IP to begin with, so they can’t attack you (I think).

The only attack vector my stupid head can think of is: if for some reason you use both clear connections and socks5 connections, then a lucky attacker who notices your behavior can hit your real IP when you’re on Tor, using your wallet address as an identifier. (Tor exit nodes are public, so they know someone is on Tor.) Even then, maybe the worst thing that could happen is that your p2pool crashes due to buffer overrun.
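The condition the post describes, as an added example that is not curl's or p2pool's code: a SOCKS5 CONNECT builder (RFC 1928, ATYP 0x03) that enforces the protocol's 255-byte hostname limit and its own buffer size before copying anything. The 1024-byte buffer and 1100-byte hostname are constructed to mirror the post's "~1024 characters+" case.

```c
#include <stdint.h>
#include <string.h>
/* RFC 1928: with ATYP=0x03 the hostname length is one byte, so a name longer
 * than 255 bytes cannot be handed to the proxy for remote resolution at all. */
#define SOCKS5_MAX_HOSTNAME 255

enum socks5_result {
    SOCKS5_OK = 0,            /* request written to out, length in *written */
    SOCKS5_RESOLVE_LOCALLY,   /* too long for the wire format: resolve it
                                 yourself and send ATYP 0x01/0x04 instead */
    SOCKS5_BUFFER_TOO_SMALL   /* refuse rather than truncate or overrun */
};

/* Build a SOCKS5 CONNECT request (VER CMD RSV ATYP LEN name PORT) asking the
 * proxy to resolve `host`. Every length is checked before anything is copied. */
enum socks5_result socks5_build_connect(const char *host, uint16_t port,
                                        uint8_t *out, size_t outlen,
                                        size_t *written)
{
    size_t hlen = strlen(host);
    if (hlen > SOCKS5_MAX_HOSTNAME)
        return SOCKS5_RESOLVE_LOCALLY;
    size_t need = 4 + 1 + hlen + 2;
    if (need > outlen)
        return SOCKS5_BUFFER_TOO_SMALL;
    out[0] = 0x05; out[1] = 0x01; out[2] = 0x00; out[3] = 0x03;
    out[4] = (uint8_t)hlen;
    memcpy(out + 5, host, hlen);
    out[5 + hlen] = (uint8_t)(port >> 8);
    out[6 + hlen] = (uint8_t)(port & 0xff);
    *written = need;
    return SOCKS5_OK;
}

/* Constructed inputs against a 1024-byte request buffer: a 13-byte name that
 * fits, and an 1100-byte name that must never reach memcpy. */
int demo_short_name(void)
{
    uint8_t buf[1024]; size_t w = 0;
    if (socks5_build_connect("example.onion", 18080, buf, sizeof buf, &w) != SOCKS5_OK)
        return 0;
    return w == 20 && buf[4] == 13 && buf[18] == 0x46 && buf[19] == 0xA0;
}

int demo_long_name(void)
{
    char name[1101]; uint8_t buf[1024]; size_t w = 0;
    memset(name, 'a', 1100); name[1100] = '\0';
    return socks5_build_connect(name, 18080, buf, sizeof buf, &w);
}
```

A client that honours the 255-byte limit answers the long name with SOCKS5_RESOLVE_LOCALLY before any byte is written, which is the check whose absence made a long hostname dangerous.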

[email protected] 1 points 1 year ago

It’s an old bug in cURL, not specific to p2pool v3.7. Every version is affected.

I think it’s harmless in reality. We can safely keep using the current version, especially if you don’t use Socks5. It’ll be fixed in the next release (3.7.1? 3.8?), though.