Damien Neil has uploaded this change for review.
x/vulndb: add reports/GO-2022-0422.yaml for GHSA-g3vv-g2j5-45f2
Fixes golang/vulndb#0422
Change-Id: Ie17915f4b8c3146980febc392932bb16a0567e84
---
A reports/GO-2022-0422.yaml
A reports/GO-2022-0423.yaml
2 files changed, 88 insertions(+), 0 deletions(-)
diff --git a/reports/GO-2022-0422.yaml b/reports/GO-2022-0422.yaml
new file mode 100644
index 0000000..66beefd
--- /dev/null
+++ b/reports/GO-2022-0422.yaml
@@ -0,0 +1,16 @@
+packages:
+ - module: github.com/ipld/go-codec-dagpb
+ symbols:
+ - DecodeBytes
+ derived_symbols:
+ - Decode
+ - Decoder
+ - Unmarshal
+ versions:
+ - fixed: 1.3.1
+ vulnerable_at: 1.3.0
+description: The dag-pb codec can panic when decoding invalid blocks.
+ghsas:
+ - GHSA-g3vv-g2j5-45f2
+links:
+ commit: https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57
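Review bot: the `fixed: 1.3.1` at the `versions` entry does not match the go-ipfs advisory text included later in this same CL, which tells fork users to move `go-codec-dagpb` to `>=v1.3.2`; confirm which tagged release actually contains commit a17ace35 before this is merged, since an off-by-one-release `fixed` value would mark 1.3.1 users as safe when the advisory says they are not. Two smaller points on the same hunk: the `module:` entry has no `package:` line, unlike the GO-2022-0423 draft in this CL, so check that the vulndb schema allows omitting it when module and package paths coincide; and the one-line `description` states only that the codec "can panic", so consider spelling out the consequence (a panic while decoding attacker-supplied blocks is a denial of service for any node that decodes untrusted data), as the GHSA text already does.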
diff --git a/reports/GO-2022-0423.yaml b/reports/GO-2022-0423.yaml
new file mode 100644
index 0000000..df6aaac
--- /dev/null
+++ b/reports/GO-2022-0423.yaml
@@ -0,0 +1,61 @@
+packages:
+ - module: github.com/ipld/go-ipfs
+ package: github.com/ipld/go-ipfs
+ symbols:
+ - 'TODO: fill this out'
+ versions:
+ - fixed: 0.11.1
+ vulnerable_at: 'TODO: fill this out'
+ - module: 'TODO: fill this out'
+ package: github.com/ipld/go-ipfs
+ symbols:
+ - 'TODO: fill this out'
+ versions:
+ - introduced: 0.12.0
+ fixed: 0.12.2
+ vulnerable_at: 'TODO: fill this out'
+description: "### Impact\ngo-ipfs nodes with versions 0.10.0, 0.11.0, 0.12.0, or 0.12.1
+ can crash when trying to traverse certain malformed graphs due to an issue in
+ the go-codec-dagpb dependency. Vulnerable nodes that work with these malformed
+ graphs may crash leading to denial-of-service risks.\n\nThis particularly impacts
+ nodes that download or export data that is controlled by external user input as
+ there is the possibility that a malicious user of those services could (intentionally
+ or unintentionally) cause the node to traverse a malformed graph. Some notable
+ use cases include public gateways and pinning services which fetch data on behalf
+ of users, as well as applications such as IPFS Companion which load data based
+ on a user visiting a website with links to IPFS URLs.\n\n### Patches\nVersions
+ v0.11.1 and v0.12.2 both resolve this issue. This should make it easy to upgrade,
+ even if you have not yet performed the v0.12.0 migration.\n\nFor those running
+ on forked versions of go-ipfs or who are on v0.10.0 and are having trouble with
+ the v0.11.0 breaking changes, simply updating the version of `go-codec-dagpb`
+ you are using to >=v1.3.2 should resolve the issue.\n\nAny users of libraries
+ within the go-ipfs ecosystem, even if not the go-ipfs package or binary itself,
+ may be affected and should upgrade their dependency on go-codec-dagpb. You can
+ check if your Go module has a dependency on `go-codec-dagpb` by running a command
+ such as `go mod graph | grep go-codec-dagpb` in your module root.\n\n### Workarounds\nThe
+ best way to workaround this issue is to control exposure to any endpoints that
+ allow for arbitrary IPLD traversals. This primarily includes the HTTP RPC API
+ (https://docs.ipfs.io/reference/http/api ) and the Gateway API. If you are exposing
+ those APIs, then do so within an environment where only trusted users and applications
+ you control have access to it. You should be safe as long as your users and applications
+ do not create malformed graphs, which should not happen using standard `go-ipfs`
+ tooling.\n\nIf you previously had a more open access environment, then closing
+ off access will only be sufficient if both of the following are true:\n* The experimental
+ GraphSync feature is disabled (https://github.com/ipfs/go-ipfs/blob/master/docs/experimental-features.md#graphsync)
+ \n* The only data being accessed is non-malformed data\n\n### References\nSee
+ also the [go-codec-dagpb security advisory](https://github.com/ipld/go-codec-dagpb/security/advisories/GHSA-g3vv-g2j5-45f2).\n\n###
+ For more information\nIf you have any questions or comments about this advisory:\n\n*
+ Ask in [IPFS Discord #ipfs-chatter](https://discord.gg/ipfs)\n* Open an issue
+ in [go-ipfs](https://github.com/ipld/go-ipfs)"
+published: 2022-04-08T22:09:23Z
+last_modified: 2022-04-12T21:40:52Z
+cves:
+ - 'TODO: fill this out'
+ghsas:
+ - GHSA-mcq2-w56r-5w2w
+credit: 'TODO: fill this out'
+links:
+ pr: 'TODO: fill this out'
+ commit: 'TODO: fill this out'
+ context:
+ - https://github.com/advisories/GHSA-mcq2-w56r-5w2w
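Review bot: this file is an unfinished auto-generated draft (`'TODO: fill this out'` in `symbols`, `vulnerable_at`, the second `module`, `cves`, `credit` and `links`) and the CL title only claims to add GO-2022-0422.yaml, so it should be dropped from this change or completed in its own CL; a placeholder module path will not resolve and will fail ingestion. If it is kept, fix the module path first: the `packages` entries use `github.com/ipld/go-ipfs`, but the GraphSync link inside the embedded advisory points at `github.com/ipfs/go-ipfs`, and the two cannot both be right. The version ranges also disagree with the description: the advisory lists 0.10.0 as affected, yet the first `versions` entry has `fixed: 0.11.1` with no `introduced:`, and the second entry's `introduced: 0.12.0` / `fixed: 0.12.2` leaves 0.11.x covered only by the first range. Finally, the multi-line `description` block contains literal `\n` sequences and Markdown headings inside a double-quoted YAML scalar; check that the report renderer expects escaped newlines rather than a `|` block scalar, otherwise the text will display as one run-on paragraph.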
To view, visit change 414814. To unsubscribe, or for help writing mail filters, visit settings.
Damien Neil uploaded patch set #3 to this change.
The following approvals got outdated and were removed: Run-TryBot+1 by Damien Neil, TryBot-Result-1 by Gopher Robot
x/vulndb: add reports/GO-2022-0422.yaml for GHSA-g3vv-g2j5-45f2
Fixes golang/vulndb#0422
Change-Id: Ie17915f4b8c3146980febc392932bb16a0567e84
---
A reports/GO-2022-0422.yaml
1 file changed, 27 insertions(+), 0 deletions(-)
Patch set 5:Code-Review +2
Damien Neil submitted this change.
x/vulndb: add reports/GO-2022-0422.yaml for GHSA-g3vv-g2j5-45f2
Fixes golang/vulndb#0422
Change-Id: Ie17915f4b8c3146980febc392932bb16a0567e84
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/414814
Run-TryBot: Damien Neil <dn...@google.com>
TryBot-Result: Gopher Robot <go...@golang.org>
Reviewed-by: Tatiana Bradley <tat...@golang.org>
---
A reports/GO-2022-0422.yaml
1 file changed, 31 insertions(+), 0 deletions(-)
diff --git a/reports/GO-2022-0422.yaml b/reports/GO-2022-0422.yaml
new file mode 100644
index 0000000..66beefd
--- /dev/null
+++ b/reports/GO-2022-0422.yaml
@@ -0,0 +1,16 @@
+packages:
+ - module: github.com/ipld/go-codec-dagpb
+ symbols:
+ - DecodeBytes
+ derived_symbols:
+ - Decode
+ - Decoder
+ - Unmarshal
+ versions:
+ - fixed: 1.3.1
+ vulnerable_at: 1.3.0
+description: The dag-pb codec can panic when decoding invalid blocks.
+ghsas:
+ - GHSA-g3vv-g2j5-45f2
+links:
+ commit: https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57
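Review bot: the diff attached to the submit notification for patch set 5 still carries the patch set 1 hunk header `@@ -0,0 +1,16 @@` with the same 16 lines, while the stat line above it reports 31 insertions, so the fifteen lines added between patch sets (presumably the `cves`, `credit` and `published` fields the GO-2022-0423 template shows) are not visible here; whoever audits this report should check the merged file at the Reviewed-on URL rather than this stale hunk.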