Ethereum Blog

Security Alert – [Previous security patch can lead to invalid state root on Go clients with a specific transaction sequence – Fixed. Please update.]

Jutta Steiner



Summary: Implementation bug in the Go client may lead to invalid state.

Affected client versions: Latest (unpatched) versions of Go client; v1.1.2, v1.0.4 tags and develop, master branches before September 9.

Likelihood: Low

Severity: High

Impact: High

Details: The Go Ethereum client does not correctly restore the state of the execution environment when a transaction runs out of gas if, within the same block, a contract was suicided. The result is an invalid copy operation on the state object, which flags the contract as not deleted. This causes a consensus issue with the other implementations.
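
A simplified model of the failure described above, added here as an illustration and not taken from go-ethereum: the type names, the keepDeleted switch, the account values and the hash-based Root are all assumptions. It shows how a snapshot copy that drops the deletion flag brings a suicided contract back after an out-of-gas rollback, so the node commits a different state than its peers.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
)

// Account is a simplified, hypothetical stand-in for a client's state object.
type Account struct {
	Balance int
	Deleted bool // set once the contract has suicided in the current block
}

// State maps an address label to its account (constructed sample data only).
type State map[string]*Account

// Copy snapshots the state. keepDeleted=false models the defect: the copy
// silently loses the deletion flag.
func (s State) Copy(keepDeleted bool) State {
	out := make(State, len(s))
	for addr, a := range s {
		out[addr] = &Account{Balance: a.Balance, Deleted: keepDeleted && a.Deleted}
	}
	return out
}

// Root is a toy commitment over live accounts (not the real trie root).
func (s State) Root() string {
	var rows []string
	for addr, a := range s {
		if !a.Deleted {
			rows = append(rows, fmt.Sprintf("%s=%d", addr, a.Balance))
		}
	}
	sort.Strings(rows)
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprint(rows))))
}

// RunBlock replays a constructed block: tx1 suicides the contract, tx2 runs
// out of gas and is rolled back to the snapshot taken before it started.
func RunBlock(keepDeleted bool) State {
	s := State{"contract": {Balance: 10}, "sender": {Balance: 5}}
	s["contract"].Deleted = true // tx1: suicide
	snap := s.Copy(keepDeleted)  // tx2: snapshot before execution
	s["sender"].Balance = 0      // tx2: partial effects...
	return snap                  // ...discarded on out-of-gas
}

func main() {
	fmt.Println("buggy copy:  ", RunBlock(false).Root())
	fmt.Println("correct copy:", RunBlock(true).Root())
}
```

The two printed roots differ, which is the consensus split: clients that keep the contract deleted compute one root, and a client with the faulty copy computes another.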

 

Effects on expected chain reorganisation depth: none

Remedial action taken by Ethereum: Provision of hotfixes as below.

Proposed temporary workaround: Use Python or C++ client

 

If using the PPA: sudo apt-get update then sudo apt-get upgrade

If using brew: brew update then brew reinstall ethereum

If using a Windows binary: download the updated binary from https://github.com/ethereum/go-ethereum/releases/tag/v1.1.3

 

Master branch commit: https://github.com/ethereum/go-ethereum/commit/9ebe787d3afe35902a639bf7c1fd68d1e591622a

 

If you’re building from source: git fetch origin && git checkout origin/master followed by a make geth


Comments

Author Thành Minh

Posted at 3:42 pm September 10, 2015.

Official patch will be released at time?


    Author Christoph Jentzsch

    Posted at 12:09 pm September 11, 2015.

    It's already released, see instructions in blog post.


Author gcolbourn

Posted at 11:55 am September 11, 2015.

How do we update if we installed using “bash <(curl https://install-geth.ethereum.org -L)” (from https://ethereum.org/cli)?
