backport: bitcoin#26257, #26480, #26600, #26601, #26660, #26689, #26802 #7089

UdjinM6 · 2026-01-09T12:34:51Z

nit: typo //

coderabbitai · 2026-01-05T11:19:18Z

CVE-2024-31636

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's check the current state of the file head -50 ci/lint/04_install.sh | tail -15

Repository: dashpay/dash

Length of output: 673

🌐 Web query:

flake8 5.0.4 security vulnerabilities CVE

💡 Result:

I found no public CVE entries for flake8 5.0.4. Flake8's own release notes for 5.0.4 list only a bugfix (importlib‑metadata bound) and no security advisory, and major vulnerability trackers (Snyk, Safety DB) show no direct CVE for that version. [1][2][3]

If you want, I can run a targeted CVE/NVD search (or check GitHub/security advisories) and return exact CVE database results.

🌐 Web query:

lief 0.13.2 security vulnerabilities CVE

💡 Result:

Yes — LIEF 0.13.2 is affected by CVE-2024-31636 (information disclosure via an uninitialized variable in machd_reader.c; affects versions < 0.15.0). Upgrade to >= 0.15.0 to obtain the fix. [1][2]

Sources:
[1] NVD entry for CVE-2024-31636.
[2] SafetyDB package page for lief (shows affected versions <0.15.0).

Upgrade lief to ≥0.15.0 to fix CVE-2024-31636.

lief 0.13.2 is vulnerable to CVE-2024-31636 (information disclosure via uninitialized variable in machd_reader.c). This affects all versions < 0.15.0. flake8 5.0.4 is secure with no known vulnerabilities.

🤖 Prompt for AI Agents

In @ci/lint/04_install.sh around lines 38-39, Replace the vulnerable pinned lief==0.13.2 install with a safe version >=0.15.0: update the line that uses ${CI_RETRY_EXE} pip3 install lief==0.13.2 to use ${CI_RETRY_EXE} pip3 install "lief>=0.15.0" (or pin to a specific secure release >=0.15.0) so the CI installation command referenced by CI_RETRY_EXE installs a non-vulnerable lief.

-Original file line number
+Diff line change
@@ Expand Up / @@ -33,9 +33,10 @@ if [ -z "${SKIP_PYTHON_INSTALL}" ]; then @@
         python3 --version
     fi
+    # NOTE: BUMP ALSO contrib/containers/ci//ci-slim.Dockerfile
     ${CI_RETRY_EXE} pip3 install codespell==2.2.1
-    ${CI_RETRY_EXE} pip3 install flake8==4.0.1
-    ${CI_RETRY_EXE} pip3 install lief==0.13.1
+    ${CI_RETRY_EXE} pip3 install flake8==5.0.4
+    ${CI_RETRY_EXE} pip3 install lief==0.13.2
     ${CI_RETRY_EXE} pip3 install mypy==0.981
     ${CI_RETRY_EXE} pip3 install pyzmq==24.0.1
     ${CI_RETRY_EXE} pip3 install vulture==2.6
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -75,9 +75,10 @@ RUN set -ex; \ @@
     ENV UV_SYSTEM_PYTHON=1
     # Install Python packages
+    # NOTE: if versions are changed, update ci/lint/04_install.sh
     RUN uv pip install --system --break-system-packages \
-        codespell==2.1.0 \
-        flake8==4.0.1 \
+        codespell==2.2.1 \
+        flake8==5.0.4 \
         jinja2 \
         lief==0.13.2 \
         multiprocess \
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -78,7 +78,7 @@ def get_block_hashes(settings, max_blocks_per_call=10000): @@
                 if rpc.response_is_error(resp_obj):
                     print('JSON-RPC: error at height', height+x, ': ', resp_obj['error'], file=sys.stderr)
                     sys.exit(1)
-                assert(resp_obj['id'] == x) # assume replies are in-sequence
+                assert resp_obj['id'] == x  # assume replies are in-sequence
                 if settings['rev_hash_bytes'] == 'true':
                     resp_obj['result'] = bytes.fromhex(resp_obj['result'])[::-1].hex()
                 print(resp_obj['result'])
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -63,13 +63,13 @@ def name_to_bip155(addr): @@
                     if i == 0 or i == (len(addr)-1): # skip empty component at beginning or end
                         continue
                     x += 1 # :: skips to suffix
-                    assert(x < 2)
+                    assert x < 2
                 else: # two bytes per component
                     val = int(comp, 16)
                     sub[x].append(val >> 8)
                     sub[x].append(val & 0xff)
             nullbytes = 16 - len(sub[0]) - len(sub[1])
-            assert((x == 0 and nullbytes == 0) or (x == 1 and nullbytes > 0))
+            assert (x == 0 and nullbytes == 0) or (x == 1 and nullbytes > 0)
             addr_bytes = bytes(sub[0] + ([0] * nullbytes) + sub[1])
             if addr_bytes[0] == 0xfc:
                 # Assume that seeds with fc00::/8 addresses belong to CJDNS,
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -79,6 +79,9 @@ class ExampleTest(BitcoinTestFramework): @@
         # Override the set_test_params(), skip_test_if_missing_module(), add_options(), setup_chain(), setup_network()
         # and setup_nodes() methods to customize the test setup as required.
+        def add_options(self, parser):
+            self.add_wallet_options(parser)
         def set_test_params(self):
             """Override test parameters for your individual test.
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

backport: bitcoin#26257, #26480, #26600, #26601, #26660, #26689, #26802 #7089

Uh oh!

Diff view

Diff view

There are no files selected for viewing

UdjinM6 Jan 9, 2026

Uh oh!

coderabbitai bot Jan 5, 2026

Uh oh!

Uh oh!

Uh oh!

-Original file line number
+Diff line change
@@ Expand Up / @@ -236,7 +236,7 @@ def _test_coin_stats_index(self): @@
             self.generate(index_node, 1, sync_fun=self.no_op)
             res10 = index_node.gettxoutsetinfo('muhash')
-            assert(res8['txouts'] < res10['txouts'])
+            assert res8['txouts'] < res10['txouts']
             self.log.info("Test that the index works with -reindex")
@@ Expand Down Expand Up / @@ -286,12 +286,12 @@ def _test_reorg_index(self): @@
             res2 = index_node.gettxoutsetinfo(hash_type='muhash', hash_or_height=112)
             assert_equal(res["bestblock"], block)
             assert_equal(res["muhash"], res2["muhash"])
-            assert(res["muhash"] != res_invalid["muhash"])
+            assert res["muhash"] != res_invalid["muhash"]
             # Test that requesting reorged out block by hash is still returning correct results
             res_invalid2 = index_node.gettxoutsetinfo(hash_type='muhash', hash_or_height=reorg_block)
             assert_equal(res_invalid2["muhash"], res_invalid["muhash"])
-            assert(res["muhash"] != res_invalid2["muhash"])
+            assert res["muhash"] != res_invalid2["muhash"]
             # Add another block, so we don't depend on reconsiderblock remembering which
             # blocks were touched by invalidateblock
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -67,7 +67,7 @@ def run_test(self): @@
             for node in filter_nodes:
                 assert_greater_than(len(node.getblockfilter(tip)['filter']), 0)
             for node in stats_nodes:
-                assert(node.gettxoutsetinfo(hash_type="muhash", hash_or_height=tip)['muhash'])
+                assert node.gettxoutsetinfo(hash_type="muhash", hash_or_height=tip)['muhash']
             self.mine_batches(500)
             self.sync_index(height=700)
@@ Expand All / @@ -85,14 +85,14 @@ def run_test(self): @@
             for node in filter_nodes:
                 assert_greater_than(len(node.getblockfilter(tip)['filter']), 0)
             for node in stats_nodes:
-                assert(node.gettxoutsetinfo(hash_type="muhash", hash_or_height=tip)['muhash'])
+                assert node.gettxoutsetinfo(hash_type="muhash", hash_or_height=tip)['muhash']
             self.log.info("check if we can access the blockfilter and coinstats of a pruned block")
             height_hash = self.nodes[0].getblockhash(2)
             for node in filter_nodes:
                 assert_greater_than(len(node.getblockfilter(height_hash)['filter']), 0)
             for node in stats_nodes:
-                assert(node.gettxoutsetinfo(hash_type="muhash", hash_or_height=height_hash)['muhash'])
+                assert node.gettxoutsetinfo(hash_type="muhash", hash_or_height=height_hash)['muhash']
             # mine and sync index up to a height that will later be the pruneheight
             self.generate(self.nodes[0], 51)
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -32,12 +32,14 @@ @@
     q_type=100
     class LLMQSigningTest(DashTestFramework):
+        def add_options(self, parser):
+            self.add_wallet_options(parser)
         def set_test_params(self):
             self.set_dash_test_params(1, 0, [["-llmqtestinstantsenddip0024=llmq_test_instantsend", "-peertimeout=300000000"]],
                     evo_count=2)
             self.set_dash_llmq_test_params(1, 1)
         def mine_single_node_quorum(self):
             node = self.nodes[0]
             quorums = node.quorum('list')['llmq_test']
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -18,6 +18,9 @@ @@
     class MasternodeParamsTest(BitcoinTestFramework):
+        def add_options(self, parser):
+            self.add_wallet_options(parser)
         def set_test_params(self):
             self.setup_clean_chain = True
             self.num_nodes = 2
@@ Expand Down Expand Up / @@ -77,12 +80,13 @@ def run_test(self): @@
             self.stop_node(1)
             # Check debug log for parameter interaction messages during startup
-            with self.nodes[1].assert_debug_log(["parameter interaction: -masternodeblsprivkey set -> setting -disablewallet=1"]):
-                self.start_node(1, extra_args=[
-                    f"-masternodeblsprivkey={bls_key}",
-                    "-peerblockfilters=0",
-                    "-blockfilterindex=0"
-                ])
+            if self.is_wallet_compiled():
+                with self.nodes[1].assert_debug_log(["parameter interaction: -masternodeblsprivkey set -> setting -disablewallet=1"]):
+                    self.start_node(1, extra_args=[
+                        f"-masternodeblsprivkey={bls_key}",
+                        "-peerblockfilters=0",
+                        "-blockfilterindex=0"
+                    ])
             # Note: The peerblockfilters and blockfilterindex messages won't be in the log
             # when explicitly disabled, only when auto-enabled
@@ Expand Down @@

backport: bitcoin#26257, #26480, #26600, #26601, #26660, #26689, #26802 #7089

Are you sure you want to change the base?

Uh oh!

backport: bitcoin#26257, #26480, #26600, #26601, #26660, #26689, #26802 #7089

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

UdjinM6 Jan 9, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Jan 5, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!