26 Apr 2022 [security]

kayabaNerve discovers security vulnerability in monero-python module, j-berman helps emesik release v1.0.2 patch

kayabaNerve[1] has discovered a security vulnerability in the monero-python[2] module, and j-berman[3] helped emesik[4], the project maintainer, to quickly push out the v1.0.2[5] release that patches it:

If anyone is using my monero Python module for output recognition, please upgrade immediately to version 1.0.2. (emesik)[6]

According to emesik, a malicious user could prepare a forged transaction and push an arbitrary payment amount, and the vulnerable code in earlier versions (<1.0.2) would blindly trust it.

Users who don't use the module for transaction scanning and for identifying outputs with the view key are not affected, but they should still upgrade to the newest version.

To learn more about the module, consult the project documentation[7].

To support the development of the monero-python open source library, you can donate some XMR to the address listed in the README[8].

Credits: thanks to plowsof[9] for submitting this news tip.

  1. https://github.com/kayabaNerve 

  2. https://github.com/monero-ecosystem/monero-python 

  3. https://github.com/j-berman 

  4. https://github.com/emesik 

  5. https://github.com/monero-ecosystem/monero-python/releases/tag/v1.0.2 

  6. https://libredd.it/ucmj2k/ 

  7. https://monero-python.readthedocs.io/en/latest/ 

  8. https://github.com/monero-ecosystem/monero-python#want-to-help 

  9. https://github.com/plowsof