[c-lightning] Recent bech32 overflow bug (upgrade to 0.6.2 recommended)

Rusty Russell rusty at rustcorp.com.au
Wed Oct 31 11:46:53 AEDT 2018

Hi all,

        On 11th October I received a (gpg-encrypted) mail from Christain
Reitter (coordinating with Satoshi Labs) disclosing that there was a bug
in the bech32 example code, which we use in c-lightning.  A malformed
invoice can crash a lightning node; I can't rule out that it could be
used to cause worse misbehaviour.

        With their agreement, I quietly worked around the worst problem
(handling malformed invoices) in an unrelated commit before the 0.6.2
release; it's still possible to crash c-lightning with an invalid
'fallback' option via the RPC command, but that's not something
generally used by untrusted parties.

        I'll be applying the complete fix now that it's public.

PS.  More details: https://blog.trezor.io/details-about-the-security-updates-in-trezor-one-firmware-1-7-1-5c34278425d8#cacb

More information about the c-lightning mailing list