pending Bitcoin/Android CVE assignments
From: cve-assign () mitre org
Date: Mon, 12 Aug 2013 12:41:59 -0400 (EDT)
MITRE is currently working on third-party CVE requests related to a
recent Bitcoin/Android issue that might (or might not) be related to
other open-source products such as Bouncy Castle products. We'll send
another message here after we have CVE assignments or another outcome.

Our preference is to assign the CVE IDs after there seems to be
agreement among security researchers about how many different
vulnerabilities contribute to the problem. Ultimately, the observed
problem seems to be:

  Several people have reported their BTC stolen ... It has been
  noticed that the coins are all transferred in a few hours after a
  client improperly signs a transaction by reusing the same random

Here is an example reference that suggests more than one

Other information we are currently considering includes:

suggest that they are a communication from the "Android Developer
Relations team" stating "This was fixed in Android 4.2 when we
switched from BouncyCastle to OpenSSL as the underlying crypto
provider. I don't know why you'd still be seeing this on Android 4.2."

refer to "The same k will lead to the same x1 coordinate, which will
lead to the same r."

describe multiple issues in four different products.

And, finally, https://news.ycombinator.com/item?id=6195787 says "They
[ https://bitcointalk.org/index.php?topic=271831.0 ] claim the problem
lies with 'a component of Android'. One of them told me that the
solution was to switch from using SecureRandom to reading /dev/urandom
directly. The actual source changes appear not to be public, and he
wouldn't tell me details about the issue."

CVE assignment team, MITRE CVE Numbering Authority
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
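
The condition quoted in the message ("The same k will lead to the same x1 coordinate, which will lead to the same r"), as an added example that is not part of the original message or of any project it mentions: textbook ECDSA over secp256k1 with an explicit nonce, plus an audit check that flags signatures from one key sharing an r value. The private key, message hashes, nonces and the `keyA`/`tx1`..`tx3` labels are constructed for illustration.

```python
from collections import defaultdict

# secp256k1 public domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine addition on y^2 = x^3 + 7 over GF(P); None = infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def sign(d, z, k):  # textbook ECDSA; k is passed in so a repeat can be shown
    r = mul(k, G)[0] % N  # r is the x coordinate of k*G: it depends on k only
    return r, pow(k, -1, N) * (z + r * d) % N

def find_reused_r(sigs):
    """sigs: (key_id, txid, r, s) tuples -> {(key_id, r): [txids]} for repeats."""
    seen = defaultdict(list)
    for key_id, txid, r, _s in sigs:
        seen[(key_id, r)].append(txid)
    return {kr: txs for kr, txs in seen.items() if len(txs) > 1}

def demo():  # constructed toy key, hashes and nonces; tx1 and tx2 share k
    d, k = 0x1234, 0xABCDEF
    sigs = [("keyA", "tx1", *sign(d, 111, k)),
            ("keyA", "tx2", *sign(d, 222, k)),      # same nonce as tx1
            ("keyA", "tx3", *sign(d, 333, k + 1))]  # fresh nonce
    return find_reused_r(sigs)

if __name__ == "__main__":
    print(demo())
```

Run over a wallet's own signature history, `find_reused_r` returning anything other than an empty dict means the signing key should be treated as compromised and its funds moved to a key generated with a sound random source.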