1 2014-09-25 00:00:33 <sipa> it means "i agree with merging this"
  2 2014-09-25 00:04:22 <phantomcircuit> sipa, so many people freaking out about bash environment execution
  3 2014-09-25 00:04:34 <phantomcircuit> why do these people have unsanitized environment variables to begin with???
  4 2014-09-25 00:10:26 <stapler117> ACTION wipes down bash with bleach
  5 2014-09-25 02:17:25 <mikeee> anyone know where i can manually push testnet transactions
  6 2014-09-25 02:24:14 <mikeee> anyone know where i can manually push testnet transactions
  7 2014-09-25 02:24:41 <LoRez> no need to repeat yourself.
  8 2014-09-25 02:25:19 <mikeee> sorry i saw someone joined. Desperate to finish a project over here
  9 2014-09-25 09:00:31 <goykasi> when i receive an 'inv' message from a peer, how can i tell the difference between the peer sending transaction(s) or announcing a new block?
 10 2014-09-25 09:07:00 <wumpus> the inv structure contains the type
 11 2014-09-25 09:09:52 <goykasi> MSG_TX vs MSG_BLOCK? i seem to see MSG_BLOCK come across frequently
 12 2014-09-25 09:10:07 <wumpus> yes
 13 2014-09-25 09:10:23 <goykasi> or not corresponding to when blockchain.info says a new block has been announced
 14 2014-09-25 09:10:59 <wumpus> inv just announces a certain inventory item, it doesn't need to be a new block
 15 2014-09-25 09:11:23 <wumpus> clients that already have the item in question will just ignore the announcement
 16 2014-09-25 09:11:55 <goykasi> i see. i guess i assumed i could determine when a block was mined via inv messages
 17 2014-09-25 09:11:59 <goykasi> is there another method?
 18 2014-09-25 09:14:35 <wumpus> you'd need to implement what the client does, keep track of the hashes of blocks that you already know (such as those in the chain), then only request blocks that you haven't seen before
 19 2014-09-25 09:15:45 <wumpus> s/request/report
 20 2014-09-25 09:17:07 <wumpus> although that still doesn't give you any idea about the validity of the blocks, to do this securely the easiest way would be to run a bitcoind and watch its chain height
 21 2014-09-25 09:17:37 <goykasi> yah im considering just doing that
 22 2014-09-25 09:18:06 <goykasi> seems a bit easier to just query bitcoind occasionally
 23 2014-09-25 09:18:41 <goykasi> thx
 24 2014-09-25 09:21:08 <wumpus> you could do this with bitcoinj as well; as you just want to report mined blocks, you don't actually need to verify the blocks, just to verify the difficulty (which can be done with only the block headers)
 25 2014-09-25 09:43:29 <firelegend> A new exploit seems to be around.
 26 2014-09-25 09:43:44 <firelegend> One concerning bash and how it allows an attacker to execute remote commands.
 27 2014-09-25 09:43:48 <firelegend> or code
 28 2014-09-25 09:44:26 <gdm85> firelegend: I don't think bitcoin core is affected in any ways. although I'd keep an eye on the servers :)
 29 2014-09-25 09:44:43 <gdm85> I am mostly concerned about embedded devices using CGI and/or DHCP
 30 2014-09-25 09:44:58 <firelegend> well, the problem is probably every server related to bitcoin out there is on a unix/unix-like machine
 31 2014-09-25 09:45:15 <firelegend> and while I have no idea the affected bash versions, it would allow an attacker to grab a database trivially
 32 2014-09-25 09:45:29 <timothy> gdm85: embedded devices use busybox ash!
 33 2014-09-25 09:45:44 <gdm85> firelegend: only if non-sanitized user input is used in bash environment variables
 34 2014-09-25 09:46:03 <firelegend> gdm85:The exploit seems to work like this too https://gist.github.com/anonymous/929d622f3b36b00c0be1
 35 2014-09-25 09:46:07 <gdm85> timothy: sure, those are unaffected
 36 2014-09-25 09:46:35 <timothy> http servers with bash and cgi are very rare in 2014
 37 2014-09-25 09:46:54 <timothy> DHCP is more common, but it's only a local problem (DHCP server does not listen on internet)
 38 2014-09-25 09:47:03 <gdm85> yeah, I would not rate this heartbleed-grade as somebody did
 39 2014-09-25 09:47:31 <timothy> I already wrote a blog post (in italian) with this observation
 40 2014-09-25 09:47:44 <timothy> that it's not so easily exploitable :)
 41 2014-09-25 09:50:43 <wumpus> it's one of those typical vulnerabilities that are hard to exploit on their own, but could be used as part of a chain of compromise
 42 2014-09-25 09:50:58 <gdm85> yeah, we will probably see creative use of it
 43 2014-09-25 09:52:18 <wumpus> to me it sounds more worrying that DHCP clients/servers put unsanitised data into the environment and launch commands through bash
 44 2014-09-25 09:52:28 <gdm85> yeah, I didn't know that either
 45 2014-09-25 09:52:40 <timothy> I think debian/ubuntu uses !/bin/sh so dash
 46 2014-09-25 09:53:10 <wumpus> timothy: indeed, dash is the default shell in recent ubuntu
 47 2014-09-25 09:54:08 <wumpus> so unless someone puts an explicit #!/bin/bash ...
 48 2014-09-25 09:54:37 <gdm85> my view on this CVE is: if bash is an attack surface on your systems, you have bigger problems.
 49 2014-09-25 09:54:46 <timothy> #!/bin/sh
 50 2014-09-25 09:54:46 <timothy> t.redaelli@quelo:~$ cat /etc/dhcp/dhclient-enter-hooks.d/samba
 51 2014-09-25 09:54:53 <timothy> dhclient does not use /bin/bash
 52 2014-09-25 09:55:57 <wumpus> phew
 53 2014-09-25 10:12:19 <gdm85> timothy: winbind's template shell is bash, but not much meat there either..
 54 2014-09-25 11:21:51 <Happzz> i think it's better practice to DO broadcast double spends instead of dropping them
 55 2014-09-25 11:22:38 <Happzz> if the client gets a double spend and knows about it, it would raise a red flag before one of the txs is confirmed, instead of only after.
 56 2014-09-25 11:27:40 <aschildbach> Happzz: I think that's planned.
 57 2014-09-25 14:20:50 <Johnny_> anybody know how to broadcast transactions to the testnet?
 58 2014-09-25 14:21:52 <gfawkes> set the config to use the testnet and then make a transaction
 59 2014-09-25 14:25:02 <dhill> Johnny_: you could try http://test.webbtc.com/relay_tx
 60 2014-09-25 14:32:09 <mr_burdell> also here: http://tbtc.blockr.io/tx/push
 61 2014-09-25 14:36:51 <Johnny_> thank you so much kind fellows
 62 2014-09-25 14:55:04 <dgenr8> aschildbach: it's done and well tested
 63 2014-09-25 15:55:17 <Johnny_> can anyone tell me how to convert private keys between compressed and uncompressed using javascript
 64 2014-09-25 15:57:04 <timothy> Johnny_: https://brainwallet.github.io/ ?
 65 2014-09-25 15:57:35 <Johnny_> i need something perform that operation within a program
 66 2014-09-25 15:57:55 <Johnny_> so I need code
 67 2014-09-25 15:58:05 <timothy> https://github.com/brainwallet/brainwallet.github.io/tree/master/js
 68 2014-09-25 15:58:14 <timothy> brainwallet is in public domain
 69 2014-09-25 16:27:03 <Johnny_> can someone help me understand why my transaction is not going through? --->http://pastebin.com/6fE0Y3Ag
 70 2014-09-25 16:38:51 <Happzz> bitcoin-qt doesn't save "lock" status of inputs betwen restarts
 71 2014-09-25 16:38:54 <Happzz> between even
 72 2014-09-25 16:42:28 <gmaxwell> Correct.
 73 2014-09-25 16:42:29 <gmaxwell> "Locks are stored in memory only. Nodes start with zero locked outputs, and the locked output list
 74 2014-09-25 16:42:32 <gmaxwell> is always cleared (by virtue of process exit) when a node stops or fails.
 75 2014-09-25 16:42:35 <gmaxwell> "
 76 2014-09-25 16:42:36 <gmaxwell> as the fine manual says.
 77 2014-09-25 17:51:45 <kuzetsa> http://i.imgur.com/UqFPkSU.png <--- anyone want gentoo's version of the patch to fix  CVE-2014-7169 (AKA gentoo bug #523592) ... I heard that a lot of distros patched CVE-2014-6271 (shellshock) but then didn't get CVE-2014-7169 as well
 78 2014-09-25 17:53:08 <kuzetsa> I know it's off topic, but I figure it might be good to help get a critical fix for something like this to the bitcoin devs ASAP
 79 2014-09-25 17:55:52 <kuzetsa> https://523592.bugs.gentoo.org/attachment.cgi?id=385426 <-- the patch itself (the one referenced in the screenshot)
 80 2014-09-25 18:09:17 <dgenr8> i hope gentoo.org has patched their cgi system
 81 2014-09-25 18:17:34 <midnightmagic> am I just missing something? since when do cgi programs allow arb inputs that survive to a bash interp?
 82 2014-09-25 18:28:15 <gwillen> midnightmagic: since the CGI protocol is based on stuffing arbitrary user input into environment variables
 83 2014-09-25 18:28:34 <gwillen> midnightmagic: and since bash is often either used as a CGI wrapper, or called out from CGI scripts when using 'system' to run commands
 84 2014-09-25 18:40:30 <kuzetsa> it's not just things like cgi on webservers
 85 2014-09-25 18:42:24 <kuzetsa> openssh is vulnerable too
 86 2014-09-25 18:42:54 <tommygunner> https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
 87 2014-09-25 18:45:06 <kuzetsa> tommygunner: yeah, that's another good example
 88 2014-09-25 18:46:38 <kuzetsa> here's a nasty example of how they found out they could execute arbitrary stuff on gitlab servers:
 89 2014-09-25 18:46:39 <kuzetsa> https://about.gitlab.com/2014/09/24/gitlab-shell-and-bash-cve-2014-6271/
 90 2014-09-25 18:47:10 <midnightmagic> gwillen: People still use cgi-bin..?!
 91 2014-09-25 18:48:18 <gwillen> the dhcp one is pretty good
 92 2014-09-25 19:03:28 <SandDuneJim> Hi all, my local copy of my blockchain got corrupted. Does anyone know of a bitcoind process that is synced? I'm looking for an ip address.
 93 2014-09-25 19:06:23 <helo> SandDuneJim: you should ask in #bitcoin but try onslow.chrishowie.com
 94 2014-09-25 20:05:04 <maraoz> Hey, I've been watching bitcoind logs while syncing the livenet blockchain for days and I see too many "orphan block" messages
 95 2014-09-25 20:05:14 <maraoz> example: http://pastebin.com/NZhwsQQN
 96 2014-09-25 20:10:24 <maraoz> $ grep -wo "ORPHAN" debug.log | sort | uniq -c
 97 2014-09-25 20:10:26 <maraoz> 21848 ORPHAN
 98 2014-09-25 20:12:08 <maraoz> is this normal? can it be a soft-DOS by someone wanting to make blockchain sync slow?
 99 2014-09-25 20:16:52 <mrebola> Hi Guys !
100 2014-09-25 20:17:03 <mrebola> I'm Mr.Ebola one crazy bitcoin guy
101 2014-09-25 20:17:11 <mrebola> and I have some questions about the abe project
102 2014-09-25 20:17:23 <mrebola> Does anybody know what is the mysql query to see the current balance of a bitcoin address if I used abe to convert the blockchain into mysql db?
103 2014-09-25 21:27:36 <dgenr8> mrebola: definitely a question for Luke-Jr
104 2014-09-25 21:50:12 <mrebola> Thanks @dgenr8
105 2014-09-25 21:50:34 <mrebola> Hey @Luke-Jr do you know what is the mysql query to see the current balance of a bitcoin address if I used abe to convert the blockchain into mysql db?
106 2014-09-25 22:13:01 <Luke-Jr> dgenr8: -.-
107 2014-09-25 22:13:22 <Luke-Jr> mrebola: there is no such thing as a balance of a bitcoin address, despite whatever insanity ABE has that I have never used
108 2014-09-25 22:13:36 <lechuga_> Luke-Jr needs a t-shirt that says this
109 2014-09-25 22:13:44 <lechuga_> the first part anyway
110 2014-09-25 22:33:12 <SOLIDPIZZA> Hello, I have a patch for bitcoin-qt. What should I do before submitting it on github?
111 2014-09-25 22:35:29 <phantomcircuit> SOLIDPIZZA, you should submit it on github
112 2014-09-25 22:37:23 <SOLIDPIZZA> okay. just wanted to be sure. thanks
113 2014-09-25 22:37:36 <SOLIDPIZZA> I will send you the link to my pull request if you like
114 2014-09-25 22:47:06 <mrebola> thanks @<Luke-Jr>
115 2014-09-25 22:47:12 <mrebola> thanks @Luke-Jr
116 2014-09-25 22:47:56 <SOLIDPIZZA> looks like it is not pasting the automatic test "travis ci"
117 2014-09-25 22:48:16 <SOLIDPIZZA> passing*
118 2014-09-25 22:48:40 <SOLIDPIZZA> should I just delete it then? or does someone else have to in the project?
119 2014-09-25 22:51:46 <SOLIDPIZZA> I forgot a parenthesis
120 2014-09-25 23:01:36 <skinnkavaj> of a...?
121 2014-09-25 23:38:45 <mrebola> I have to go brothers , see you soon.