Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zZ2poLTI5ZnYtOGhyNs4AA5Cq
Nervos CKB Snappy decompress length can be very large and causes out of memory error
Impact
Adversary can create message which compressed size is less than the package limit but the decompressed length is very large such as 1G. It will cost the node many memories to process the network messages, and on the system with less than 1G memory, the process is killed directly because of out of memory error.
Patches
The node must check the decompress length before allocating the memory for the message.
References
- https://github.com/nervosnetwork/ckb/blob/687d797f1888dd05d1f38ce6d1bef3e5b9b6e38b/network/src/compress.rs#L68
- https://github.com/BurntSushi/rust-snappy/blob/master/src/decompress.rs#L106
- https://github.com/BurntSushi/rust-snappy/blob/6cfb836463b9b3ac48ca7cd15d0a50d030e95769/src/decompress.rs#L30
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zZ2poLTI5ZnYtOGhyNs4AA5Cq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
Identifiers: GHSA-3gjh-29fv-8hr6
References:
- https://github.com/nervosnetwork/ckb/security/advisories/GHSA-3gjh-29fv-8hr6
- https://github.com/advisories/GHSA-3gjh-29fv-8hr6
Blast Radius: 1.0
Affected Packages
cargo:ckb
Dependent packages: 0Dependent repositories: 0
Downloads: 21,044 total
Affected Version Ranges: <= 0.34.1
Fixed in: 0.34.2
All affected versions: 0.1.0
All unaffected versions: 0.37.0, 0.38.0, 0.39.0, 0.39.1, 0.40.0, 0.42.0, 0.43.0, 0.43.2, 0.100.0, 0.101.0, 0.101.1, 0.101.2, 0.101.3, 0.101.4, 0.101.5, 0.101.6, 0.101.7, 0.101.8, 0.102.0, 0.103.0, 0.104.0, 0.104.1, 0.105.0, 0.105.1, 0.106.0, 0.107.0, 0.108.0, 0.108.1, 0.109.0, 0.110.0, 0.110.1, 0.110.2, 0.111.0, 0.112.0, 0.112.1, 0.113.0, 0.113.1, 0.114.0, 0.115.0