Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05bWZjLWNod2YtN3doZs4AAvq9
ckb: Large dep group requires a lot of resources to process but the cost to commit the transaction is very low.
Impact
When a transaction contains a dep group with many cells, the resources required to process it are not linear to the transaction size nor spent script cycles.
Patches
In 0.43.3, nodes drop the transactions relayed to them when they contain a dep group with more than 64 cells. They do not ban peers who send them such transactions.
In 0.100, the consensus disallow transactions using a dep group with more than 64 cells. Peers relaying such transaction must be banned. Blocks committing such transactions must be rejected.
Permalink: https://github.com/advisories/GHSA-9mfc-chwf-7whfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05bWZjLWNod2YtN3doZs4AAvq9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
Identifiers: GHSA-9mfc-chwf-7whf
References:
- https://github.com/nervosnetwork/ckb/security/advisories/GHSA-9mfc-chwf-7whf
- https://github.com/advisories/GHSA-9mfc-chwf-7whf
Blast Radius: 1.0
Affected Packages
cargo:ckb
Dependent packages: 0Dependent repositories: 0
Downloads: 19,699 total
Affected Version Ranges: < 0.43.3
Fixed in: 0.43.3
All affected versions: 0.1.0, 0.37.0, 0.38.0, 0.39.0, 0.39.1, 0.40.0, 0.42.0, 0.43.0, 0.43.2
All unaffected versions: 0.100.0, 0.101.0, 0.101.1, 0.101.2, 0.101.3, 0.101.4, 0.101.5, 0.101.6, 0.101.7, 0.101.8, 0.102.0, 0.103.0, 0.104.0, 0.104.1, 0.105.0, 0.105.1, 0.106.0, 0.107.0, 0.108.0, 0.108.1, 0.109.0, 0.110.0, 0.110.1, 0.110.2, 0.111.0, 0.112.0, 0.112.1, 0.113.0, 0.113.1, 0.114.0, 0.115.0