Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05bWZjLWNod2YtN3doZs4AAvq9

ckb: Large dep group requires a lot of resources to process but the cost to commit the transaction is very low.

Impact

When a transaction contains a dep group with many cells, the resources required to process it are not linear to the transaction size nor spent script cycles.

Patches

In 0.43.3, nodes drop the transactions relayed to them when they contain a dep group with more than 64 cells. They do not ban peers who send them such transactions.

In 0.100, the consensus disallow transactions using a dep group with more than 64 cells. Peers relaying such transaction must be banned. Blocks committing such transactions must be rejected.

Permalink: https://github.com/advisories/GHSA-9mfc-chwf-7whf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05bWZjLWNod2YtN3doZs4AAvq9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago


Identifiers: GHSA-9mfc-chwf-7whf
References: Repository: https://github.com/nervosnetwork/ckb
Blast Radius: 1.0

Affected Packages

cargo:ckb
Dependent packages: 0
Dependent repositories: 0
Downloads: 36,929 total
Affected Version Ranges: < 0.43.3
Fixed in: 0.43.3
All affected versions: 0.1.0, 0.37.0, 0.38.0, 0.39.0, 0.39.1, 0.40.0, 0.42.0, 0.43.0, 0.43.2
All unaffected versions: 0.100.0, 0.101.0, 0.101.1, 0.101.2, 0.101.3, 0.101.4, 0.101.5, 0.101.6, 0.101.7, 0.101.8, 0.102.0, 0.103.0, 0.104.0, 0.104.1, 0.105.0, 0.105.1, 0.106.0, 0.107.0, 0.108.0, 0.108.1, 0.109.0, 0.110.0, 0.110.1, 0.110.2, 0.111.0, 0.112.0, 0.112.1, 0.113.0, 0.113.1, 0.114.0, 0.115.0, 0.116.0, 0.116.1